A possible Dutch scope change makes specialist pay a question of role, risk, and evidence.
Late in the afternoon, a small regulated fintech is trying to close a hiring gap. The candidate is not a banker. She is a cyber and outsourcing specialist, exactly the kind of person the firm needs for DORA work, incident routines, supplier control, and resilience testing. The founder feels the business need. The HR lead feels the salary tension. Payroll wants to know what kind of payment is being promised.
The signal has to become readable
That is where the Dutch bonus-cap discussion now lands. Not in a newspaper row about banker pay, but at a small table with an offer letter, a role description, a cash forecast, and one hard question: is this person inside the stricter risk perimeter, and what does that mean for pay?
Where the law starts
The current legal starting point is still strict. Article 1:121 of the Wft contains the Dutch financial-sector cap that generally limits variable remuneration to 20 percent of fixed annual pay for financial undertakings with their seat in the Netherlands. DNB says the Dutch cap applies to all employees of the undertaking, not only to identified staff. AFM goes further still, and looks at natural persons working for or under the undertaking’s responsibility, including agency workers and freelancers.
The possible reform sits in the legislative track around the Wet chartaal betalingsverkeer. This is not a clean return to bonus freedom. The policy background is narrower. The government has already said Dutch rules are stricter than the common European framework, especially because the Dutch cap reaches broadly across staff and generally sits at 20 percent rather than 100 percent. It also names recruitment and retention pressure for specialist roles, including IT, compliance, and risk.
One part of that background matters for smaller employers. The rules for financial-sector directors, including top bankers, are not the area of relaxation. That shifts the real question. It is no longer just how much can be paid. It is whether a role belongs inside or outside a tighter remuneration boundary.
Why the role matters
That is a sharper HR question than it first sounds. Under the Rbb 2021, identified staff include people whose work can materially affect the risk profile of the institution. That can cover management body members, senior management, control-function managers, material business-unit managers, and certain high-remuneration staff. A modest job title does not settle the issue. Authority, reporting line, pay level, system access, client exposure, and control responsibility can matter more.
What the signal changes
The labour market is cooler than it was, but it is not loose. CBS counted 378,000 open vacancies at the end of the first quarter of 2026, and 91 vacancies per 100 unemployed people. In financial services, CBS counted 7,500 open vacancies, down from 8,200 in the previous quarter. That does not isolate cyber, compliance, or risk roles, but it matches what many regulated firms feel: a general cooling still leaves some specialist seats hard to fill.
Pay pressure has a fixed-cost side as well. CBS reported that collectively agreed hourly wages, including special remuneration, rose 4.5 percent year on year in the first quarter of 2026. In financial services, collectively agreed wages rose 5.1 percent and contractual labour costs rose 5.0 percent. A small firm may not sit inside every collective agreement line, but the market hears those numbers anyway. Candidates use them. Recruiters use them. Staff compare against them.
Cash on the payroll
The Wbfo evaluation gives the more concrete lesson. After CRD IV and Wbfo were introduced, the analysis found lower variable remuneration and higher fixed remuneration in bonus-cap sectors compared with comparable financial sectors without the cap. That is more than a pay statistic. It is a cash-flow warning. When a bonus limit pushes a scarce-role offer into fixed salary, monthly payroll rises before revenue has proved it can carry the hire.
That is why the offer letter at the fintech table cannot be only a commercial document. If variable pay is used, AFM says at least 50 percent must depend on non-financial criteria. Conduct, client interest, control quality, resilience, compliance, and cooperation with supervision cannot sit there as decorative language. They have to shape the pay design.
Retention pay needs its own discipline. Article 1:122 Wft leaves room for higher variable remuneration in specific retention situations, but only under statutory conditions and with prior written supervisory consent. Article 1:124 Wft generally prohibits guaranteed variable remuneration, with a narrow exception linked to starting work under the undertaking’s responsibility. Those borders matter because contract language, payroll coding, and board language must all describe the same thing.
DORA and the pay file
DORA makes the tension more visible. Since 17 January 2025, it has applied to the financial sector and covers ICT risk management, ICT incidents, resilience testing, third-party ICT outsourcing risk, and cyber-threat information sharing. Those obligations do not execute themselves. If the people who can build and maintain that work are scarce, remuneration design becomes part of workforce planning. It also becomes part of risk planning.
What founders should check
Pay transparency adds a second layer. The Dutch implementation bill was submitted to the Tweede Kamer on 21 May 2026, with an intended entry date of 1 January 2027 if Parliament agrees. The proposal requires employers to use an objective system for job evaluation and classification. Employers above certain size thresholds will later have reporting duties on pay differences.
For many micro and small firms, the reporting thresholds may feel distant. The discipline is not distant. If a regulated financial undertaking wants to treat a scarce specialist differently, it needs a clear reason that can survive more than one conversation. That reason should be visible in the job description, the risk assessment, the remuneration decision, the payroll coding, and the explanation given later to staff or supervisors.
Back at the founder’s table, the clean move is not panic and not delay for its own sake. It is to slow the offer by one step. Name the role properly. Decide whether the person can materially affect the risk profile. Separate fixed salary, variable pay, allowances, sign-on elements, and retention promises. Check whether the non-financial criteria are real enough to govern behaviour.
That is not bureaucracy. It is how a small regulated employer protects its hiring room. A weak pay record can produce the worst combination: higher fixed costs, an unhappy candidate process, unclear classification, and a remuneration story that cannot be retold under supervision.
The Dutch bonus-cap reform signal is best read as a responsibility shift. It may create room for some specialist pay decisions, but room is not the same as freedom. In a tight skill market, the firms that gain most will not be the loudest payers. They will be the employers who know which roles carry risk, why the pay shape fits the role, and whether the monthly payroll can live with the promise after the excitement of the hire has passed.
Sources
Referenced in the article
Column | Ledger & Tax
The Invoice You Didn’t Request Is the Control Gap You Can’t Defend
Paying suppliers before receiving proper invoices creates documentation gaps.
Column | Governance
The ZuivelNL Ruling Puts Transparency Inside Daily Governance
A binding promise to ACM is not a press line, but a discipline for boards, invoices.
Column | Human Resources
When a WhatsApp Message Becomes a €30,000 Mistake
A Dutch bakery-café owner fired an employee via WhatsApp over scheduling.
The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.
