Key regulatory changes affecting employers in the Netherlands in 2026–2027


2026 is shaping up to be a significant year for employment and business regulation in the Netherlands. Four significant pieces of legislation are either coming into force or reaching critical implementation milestones over the next 12–18 months. Each one carries real obligations, and in some cases, penalties for those who are unprepared.

In this article, we’ll provide a practical overview of the regulatory changes you need to understand.

The EU Pay Transparency Directive

The EU Pay Transparency Directive has been on the horizon for a while, but by 7 June 2026, the Directive must be converted into Dutch legislation. The Dutch government has already signalled it will miss this deadline, aiming instead for 1 January 2027, but that does not mean employers can afford to wait. From the June deadline, employees may still claim equal pay rights, and the European Commission has made clear that postponement of implementation is not acceptable.

What does it mean in practice?

For all employers (regardless of size):

  • Job vacancies must include the starting salary or salary range, determined by objective and gender-neutral criteria.
  • Employers may no longer ask candidates about their current or previous salary.
  • All job titles and vacancy texts must be gender-neutral.
  • Employees have the right to request information about their individual pay level and the average pay for comparable roles, broken down by gender. Employers must respond within two months.
  • Pay secrecy clauses in employment contracts will be prohibited. Employees have the right to discuss their remuneration with colleagues.
  • Pay structures, job evaluation systems, and progression criteria must be objective, transparent and gender-neutral.

For employers with 100 or more employees:

  • Reporting obligations on gender pay gaps will apply, though the timeline has shifted due to the Dutch delay. Employers with 150 or more employees will need to report on pay data from the 2027 calendar year.
  • The works council (ondernemingsraad) must be consulted on pay structures and job evaluation systems, and must be informed of pay gap reports.

Enforcement and penalties

If an employer fails to meet transparency obligations, the burden of proof in legal proceedings shifts to the employer. They must demonstrate that no pay discrimination occurred. The Dutch Labour Inspectorate can impose fines of up to €10,300 per violation. Employees who have suffered pay discrimination are entitled to claim full back pay, including bonuses and benefits.

What should employers do now?

  • Audit current pay structures to identify unjustified pay differentials between men and women.
  • Review job evaluation systems to ensure they are objective and gender-neutral.
  • Update recruitment processes: remove salary history questions and begin including salary ranges in job postings.
  • Prepare to inform employees of their right to request pay information, and build internal processes to respond within the two-month deadline.
  • Engage with the works council early, particularly if changes to pay structures or job evaluation systems are required.
  • Review employment contracts to identify and remove pay secrecy clauses.

The EU Artificial Intelligence Act

The EU AI Act is the world’s first comprehensive legal framework governing artificial intelligence. It entered into force on 1 August 2024 and is being rolled out in phases. It operates on a risk-based model: the higher the risk an AI system poses to fundamental rights, the stricter the obligations on those who develop or use it.

As an EU regulation, the AI Act does not require national transposition – it applies directly across all EU member states, including the Netherlands.

Key milestones

The AI Act has already introduced key obligations, with more coming into force on 2 August 2026:

  • 2 February 2025: Prohibited AI systems banned across the EU; AI literacy obligations for staff came into effect.
  • 2 August 2025: Rules for providers of general-purpose AI models (large language models and similar) entered into force.
  • 2 August 2026: Full obligations for high-risk AI systems come into effect, including those used in employment and HR contexts. Transparency obligations for certain AI systems also apply from this date.
  • 2 August 2027: High-risk AI embedded in existing safety-critical products (medical devices, machinery etc.) must comply.

Why does this matter for HR and employers?

Many AI systems used in human resources are likely to qualify as high-risk systems under the AI Act. This includes:

  • Automated CV screening and applicant ranking tools.
  • Algorithms that determine bonuses, promotions or salary progression.
  • AI-driven workforce scheduling systems.
  • Tools used in performance management or disciplinary decisions.
  • Any AI system that affects the employment conditions or career prospects of workers or applicants.

Furthermore, some AI systems in the workplace are outright prohibited, including systems that recognise emotions at work, and systems designed to infer sensitive personal characteristics (such as race, sexual orientation or political beliefs) from biometric data.

Obligations for employers using high-risk AI

  • Human oversight: AI may never be the only decision-maker. A human must always be able to intervene, override or explain any AI-driven decision, for example, if an algorithm rejects a job applicant.
  • Transparency: Affected employees and applicants must be informed which AI systems are in use, for what purpose, and how to raise a complaint. Data protection law (GDPR) also applies.
  • Traceability and logging: Employers must be able to demonstrate how AI-driven decisions were reached, including the inputs used and outputs generated.
  • Bias monitoring: Employers must identify and take steps to address bias in AI systems on an ongoing basis, not as a one-off exercise.
  • AI literacy: Staff using high-risk AI systems must be adequately trained to review, understand, and, where necessary, correct AI-driven decisions.
  • Works council involvement: Employers must inform and consult employee representatives before deploying high-risk AI in the workplace.
  • Registration: Public authorities must register their deployment of high-risk AI systems in the EU database from 2 August 2026.

What should employers do now?

  • Map all AI tools currently in use across the business – particularly in HR, recruitment and performance management – and assess whether they qualify as high-risk.
  • Identify any AI systems that may be prohibited and take immediate steps to remove them.
  • Ensure all staff interacting with AI systems receive appropriate training and understand the AI literacy requirements already in force.
  • Engage with the works council in advance of deploying any new AI systems.
  • Build logging and documentation processes to demonstrate compliance.

The Dutch Cybersecurity Act (Cyberbeveiligingswet) and the EU Cyber Resilience Act

There are two pieces of cybersecurity legislation that employers in the Netherlands need to be aware of in 2026, each with a different scope and timeline.

The Dutch Cybersecurity Act (Cyberbeveiligingswet or Cbw)

The Cbw is the Dutch national implementation of the EU’s NIS2 Directive, which took effect at the EU level in October 2024. The Cbw is expected to come into force in the second quarter of 2026.

Who does the Cbw apply to?

The Cbw primarily targets organisations operating in critical and important sectors — areas where a cyberattack could cause significant harm to society or the economy. These include:

  • Energy, water and transport infrastructure.
  • Healthcare, financial services and banking.
  • Digital infrastructure and ICT service providers.
  • Public administration and postal services.

Importantly, suppliers to organisations in these sectors, including IT service providers, software vendors and outsourcing partners, may also fall within scope. Under the Cbw, covered organisations must be able to demonstrate that their supply chain is cybersecure.

Key obligations under the Cbw

  • Register as a regulated entity with the National Cyber Security Centre (NCSC).
  • Conduct cybersecurity risk assessments and implement proportionate security measures, including across the supply chain.
  • Report significant cybersecurity incidents to the NCSC within 24 hours of detection.
  • Comply with sector-specific oversight by regulators such as the Rijksinspectie Digitale Infrastructuur (RDI) for IT companies.
  • Engage the works council where cybersecurity measures affect how employee personal data is collected, stored or monitored.

The EU Cyber Resilience Act (CRA)

The CRA entered into force on 10 December 2024 and introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market, including software, hardware, apps and connected devices. It is directly applicable across all EU member states without requiring national transposition.

The CRA is being phased in and the key milestones are:

  • 11 June 2026: The framework for notified bodies begins operating under CRA rules.
  • 11 September 2026: Manufacturers must begin actively reporting exploited vulnerabilities and severe cybersecurity incidents.
  • 11 December 2027: All core CRA product requirements become fully enforceable.

Who is affected by the CRA?

The CRA applies to manufacturers, importers and distributors of products with digital elements. That is any hardware or software product with the capacity to connect to a network or another device. This covers an enormous range of products, from enterprise software and cloud solutions to routers, IoT devices and smart office equipment.

If your organisation develops, imports or resells any such products for the EU market, the CRA applies to you. If you are a business user of such products, you will benefit from the enhanced security obligations placed on suppliers.

Key obligations for manufacturers

  • Security by design: Products must be developed with cybersecurity built in throughout the design, development and maintenance lifecycle.
  • Vulnerability management: Manufacturers must handle and disclose vulnerabilities actively throughout the product’s life.
  • CE marking: Products must bear CE marking to indicate compliance, with some categories requiring third-party conformity assessments.
  • Incident reporting: From 11 September 2026, manufacturers must notify relevant authorities of actively exploited vulnerabilities and severe incidents.

What should employers do now?

  • Assess whether your organisation falls within the scope of the Cbw (critical sector or supplier to a critical sector) and begin preparing for registration and compliance.
  • If you manufacture, import or sell products with digital elements, map your CRA obligations and prepare documentation for conformity assessments.
  • Review supplier contracts to incorporate CRA compliance obligations and conduct supply chain due diligence.
  • Establish or update incident response and vulnerability management processes to meet the September 2026 reporting deadline.
  • Engage the works council where cybersecurity measures will affect employee data or working practices.

The WTTA: New licensing rules for temporary agencies

The WTTA, the Provision of Personnel Admission Act, is Dutch legislation that introduces a mandatory licensing regime for all companies that supply temporary workers to other organisations. The WTTA enters into force on 1 January 2027, with enforcement by the Labour Inspectorate beginning on 1 January 2028.

The legislation responds to longstanding and well-documented abuses in the temporary employment sector, including underpayment, excessive working hours, unsafe living conditions for migrant workers and unfair competition between compliant and non-compliant agencies. The WTTA affects not only temp agencies themselves but also the businesses that hire workers through them.

Importantly, the obligation applies to foreign agencies too: any organisation based outside the Netherlands that supplies workers to Dutch businesses must also obtain authorisation. The only exemptions are internal secondments within the same corporate group.

From 1 January 2027, only authorised suppliers will be permitted to supply workers. Authorisation is granted and overseen by the newly established Nederlandse Autoriteit Uitleenmarkt (NAU — Dutch Labour Market Authority). Authorised agencies will be listed in a public register.

Requirements for authorisation

  • Registration in the Dutch Trade Register (KvK) as a company engaged in providing personnel.
  • Submission of a Certificate of Conduct for Legal Entities (VOG RP) — or, for foreign companies, an equivalent proof of good standing.
  • Payment of a financial deposit of €100,000 upon authorisation (or €50,000 for provisional authorisation).
  • An inspection report from an accredited inspection body confirming compliance with the WTTA’s standards framework (normenkader).
  • Demonstration of compliance with wage obligations: workers supplied must receive pay comparable to equivalent employees at the client organisation (loonverhoudingsvoorschrift).
  • Proper administration of workers’ identity documents and verification of their right to work in the Netherlands.
  • Written information obligations to workers, including contract details and their legal rights.

Authorisation is granted for a period of four years, with periodic inspections throughout.

The critical registration window

To make use of the transitional provisions, which allow agencies to continue operating while their application is being processed, agencies must register with the NAU between 1 November 2026 and 31 December 2026, and then submit their full application for authorisation between 1 May 2027 and 30 June 2027.

Agencies that hold a valid SNA certificate (from the Stichting Normering Arbeid — the Labour Standards Foundation) at the time of first application are not required to submit an inspection report with their initial application. This transitional benefit is only available to agencies that register within the November–December 2026 window.

Businesses that work with temporary agencies

The WTTA places significant obligations not just on agencies but also on the businesses that hire from them. From 1 January 2028 (when enforcement begins), client businesses may only engage workers from suppliers that appear in the NAU public register. Working with an unlicensed supplier exposes both the agency and the client business to fines.

Summary: Key dates at a glance

Date | Legislation | Key Milestone
7 June 2026 | Pay Transparency Directive | EU deadline for transposition (NL targeting Jan 2027 — EC has rejected delay)
2 August 2026 | EU AI Act | High-risk AI system obligations and transparency rules take effect
11 September 2026 | EU Cyber Resilience Act | Mandatory vulnerability and incident reporting begins for manufacturers
1 Nov–31 Dec 2026 | WTTA | Registration window opens for temp agencies wishing to use transitional provisions
1 January 2027 | WTTA / Pay Transparency | WTTA enters into force; Dutch Pay Transparency implementation targeted
1 May–30 Jun 2027 | WTTA | Full authorisation applications due to NAU (for agencies registered in 2026)
7 June 2027 | Pay Transparency Directive | First gender pay gap reports due for employers with 150+ employees
1 January 2028 | WTTA | Labour Inspectorate begins enforcement; client businesses must only use registered agencies

Looking across all four of these developments, a pattern emerges: greater transparency, stronger accountability, and more formal documentation of compliance. Whether that is publishing salary ranges in job adverts, logging the use of an AI screening tool, demonstrating cybersecurity governance to a client, or obtaining a licence to operate as a staffing agency, the regulatory direction is consistent.

The organisations that will navigate this period most successfully are those that start now rather than waiting for final implementation dates or enforcement guidance.

If you have questions about how any of these changes affect your hiring processes, workforce structure, or use of recruitment partners in the Netherlands, we are happy to help you think it through.
