Blog

Netherlands SMS Compliance: ACM Rules, Opt-In, and GDPR Guide

Written by Insights by Telerivet | May 27, 2026

The Netherlands made a deliberate choice in 2021 that most EU markets have not made. Where most countries operating under the ePrivacy Directive chose to maintain a national do-not-call registry alongside opt-out rights, the Netherlands abolished its Bel-me-niet Register entirely and replaced its opt-out telemarketing model with a mandatory opt-in. For SMS marketing, explicit consent has long been the standard under GDPR and the Dutch Telecommunications Act. The registry is gone, and the obligation to document consent before sending applies regardless of channel.

Business SMS in the Netherlands is governed by the Dutch Telecommunications Act (Article 11.7), enforced by the Authority for Consumers and Markets (ACM), and by GDPR, enforced by the Dutch Data Protection Authority (AP). Explicit consent is required for all marketing communications. The broader Dutch regulatory direction is toward stricter consent requirements across all direct marketing channels, and ACM enforcement posture is among the most active in the EU. Two-way SMS is supported across Dutch networks. Alphanumeric sender IDs do not require pre-registration. WhatsApp reaches around 70% of Dutch internet users and is the most widely used messaging platform in the country.

The Netherlands sits in a group of EU member states, alongside Germany, that apply ePrivacy in a way that goes beyond the common minimum. For organizations already operating under UK PECR or French CPCE, the Dutch framework feels familiar in structure but is now stricter than France and approaching Germany's level on the consent question.

The regulatory framework: ACM and the Dutch Telecommunications Act

The Authority for Consumers and Markets (ACM) is the primary enforcement body for telecommunications in the Netherlands. The ACM enforces Article 11.7 of the Dutch Telecommunications Act, which implements the ePrivacy Directive and requires explicit opt-in consent for marketing communications by electronic means, including SMS. The AP (Autoriteit Persoonsgegevens) enforces GDPR for the personal data dimension of the same programs.

The ACM's enforcement posture is active. The Dutch approach of replacing the national registry with a universal opt-in requirement shifted enforcement from checking whether numbers appear on a list to verifying whether documented consent exists for each contact. Organizations purchasing marketing lists, or acquiring contact data through third parties, face particular scrutiny because the validity of the consents in those lists cannot be assumed and must be independently verifiable.

The ACM can impose substantial administrative fines, including turnover-based penalties in serious cases. The July 2025 ACM telemarketing rules update strengthened the enforcement framework with increased penalties. These are meaningful consequences for any organization running high-volume campaigns in the Netherlands.

Opt-out keywords in Dutch should be supported alongside English: STOP and STOPPEN, HELP and HULP. Processing opt-out requests as quickly as practical, ideally within 24 hours, is considered good operational practice. Sending hours: promotional SMS is generally expected to be sent between 8 AM and 9 PM CET/CEST, and Dutch public holidays and quiet hours should be accounted for in campaign scheduling.

The Dutch enforcement posture and what it means for SMS programs

The Netherlands takes a direct enforcement approach to consent in direct marketing. The abolition of the Bel-me-niet Register in 2021 was a deliberate policy choice to move away from an opt-out model toward universal opt-in, and ACM has since enforced accordingly. Organizations purchasing marketing lists, or acquiring contact data through third parties, face particular scrutiny because the validity of the consents in those lists cannot be assumed and must be independently verifiable.

The soft opt-in for SMS and digital direct marketing allows contacting existing customers for similar products or services without fresh explicit consent, provided the customer was informed at collection and has an easy opt-out. This mechanism remains available for SMS marketing to existing customers in the Netherlands. Where it is relied upon, documentation of the existing relationship, the collection moment, and the prior notification is the practical compliance requirement.

For B2B programs reaching professional contacts in the Netherlands, the legitimate interests basis under GDPR Article 6(1)(f) may remain available where the GDPR balancing test can be satisfied and the communication is genuinely relevant to the recipient's professional role. The Dutch regulatory direction is toward stricter enforcement standards across all direct marketing channels, and ACM is an active regulator.

Sender ID and the carrier landscape

The Netherlands is one of the more permissive markets in the series on the technical side. Alphanumeric sender IDs are supported and do not require pre-registration with carriers or the ACM. The sender ID can display up to 11 characters of brand name in the recipient's sender field. This is a meaningful contrast to markets like India, Vietnam, Bangladesh, and Australia, where pre-registration processes and formal carrier approval are required before a branded sender name can be used.

Three operators dominate the Dutch market. KPN remains the largest operator. Odido, formerly T-Mobile Netherlands, holds a substantial second position. VodafoneZiggo holds approximately 20 to 28%. Tele2 Netherlands accounts for the remainder. For most programs, the major three carriers cover the vast majority of Dutch mobile subscribers.

Two-way SMS is fully supported across Dutch networks, which makes reply-based workflows, acknowledgment capture, survey response systems, and opt-out via STOP all technically functional. Unlike Bangladesh, Thailand, and Vietnam where A2P two-way SMS is unavailable, the Netherlands supports the full range of interactive program design.

The research and data collection context

The Netherlands has a well-developed research, data collection, and survey sector, with universities, international research organizations, panel survey companies, and development sector organizations running longitudinal programs that require reliable participant communication. For organizations collecting data from Dutch participants through SMS-based surveys, check-ins, and research programs, the Telecommunications Act's consent requirements apply alongside GDPR's research provisions.

GDPR contains specific provisions relating to scientific research that may provide additional flexibility depending on the lawful basis being relied upon. Research programs may be able to rely on public interest or scientific research as a lawful basis for processing contact data in ways that go beyond what marketing programs can claim, depending on the nature and purpose of the research. Organizations running academic or research programs in the Netherlands should confirm the appropriate lawful basis with their data protection officer rather than defaulting to marketing consent requirements.

For research programs that do require SMS-based participant communication, the operational architecture is the same as in other markets: explicit consent from participants at enrollment, clear disclosure of what communications they will receive, a functional opt-out mechanism, and consent records maintained for the duration of the program. The Netherlands' support for two-way SMS makes participant check-ins, survey responses, and interactive research workflows fully functional.

WhatsApp and the Dutch channel reality

WhatsApp reaches around 70% of Dutch internet users, making it one of the higher-penetration WhatsApp markets in Europe. For most Dutch consumer-facing programs, WhatsApp Business API is the companion channel where rich messaging, customer service conversations, and interactive communication can take place alongside SMS for guaranteed delivery of transactional messages.

The Netherlands illustrates an important shift taking place across Europe. The technical side of SMS has become relatively straightforward: two-way messaging works, branded sender IDs work, and carrier restrictions are comparatively light. The complexity has moved almost entirely into consent governance: how consent is collected, documented, retained, and demonstrated months or years later if challenged. That is the design discipline that separates programs which hold up from those that do not.

The Dutch market is sophisticated in its channel expectations. Recipients who have opted into WhatsApp business communications generally expect richer, more conversational interactions than they receive through SMS. Programs that use WhatsApp for notification-only sends without enabling genuine interaction may see lower engagement than programs designed around the channel's conversational capabilities.

For operational programs where the audience may not be on WhatsApp or where guaranteed delivery is more important than rich formatting, SMS remains the reliable baseline. The combination of no pre-registration requirement for sender IDs and full two-way support makes the Dutch SMS environment technically straightforward to operate in, with the compliance complexity focused on consent documentation rather than carrier or registration architecture.

Netherlands in the European program context

For organizations running programs across multiple European markets, the Netherlands fits into a post-UK cluster alongside Germany and France. All three share a GDPR foundation and an ePrivacy implementation that requires opt-in for marketing. The Netherlands is now stricter than France on the B2C soft opt-in question. Germany's Abmahnung risk adds a competitor enforcement dimension the Netherlands does not have. France's 06/07 number restriction and Sunday prohibition add operational constraints the Netherlands does not share.

BYOC architecture for a multi-European program means the consent records and suppression lists for Dutch contacts travel with the organization above the KPN, Odido, and VodafoneZiggo carrier layer, portable alongside the German, French, and UK compliance configurations without requiring separate data systems for each market.

Frequently asked questions

Does the Netherlands have a national do-not-call registry I need to check? No. The Bel-me-niet Register was abolished on July 1, 2021. The Netherlands replaced the registry with a mandatory opt-in requirement for telemarketing, and explicit consent under GDPR and the Dutch Telecommunications Act governs SMS marketing. There is no longer a registry to check: documented opt-in consent is required for every marketing contact.

Does the soft opt-in apply to SMS marketing in the Netherlands? Yes, for SMS to existing customers the soft opt-in mechanism remains available provided specific conditions are met: the customer's contact details were obtained during a prior transaction, the marketing relates to similar products or services, the customer was clearly informed at collection that their details might be used for marketing, and they have not objected. Documentation of each condition is the practical compliance requirement. The Dutch regulatory direction is toward stricter consent standards overall, and ACM enforcement is active, so maintaining clear consent records is the best operational posture regardless of which basis is relied upon.

Do I need to pre-register a sender ID in the Netherlands? No. The Netherlands does not require pre-registration of alphanumeric sender IDs with carriers or the ACM. Sender IDs can display up to 11 characters and do not need formal approval before use. This is more permissive than India, Vietnam, Bangladesh, Australia, and several other markets covered in this series.

Is two-way SMS available in the Netherlands? Yes. Full two-way SMS is supported across Dutch networks. Reply-based opt-outs, survey responses, acknowledgment logging, and interactive workflows are all technically functional. Opt-out keywords should be supported in both Dutch and English: STOP and STOPPEN, HELP and HULP.

This article provides general operational information and should not be considered legal advice. Organizations should consult qualified legal or data protection professionals regarding their specific compliance obligations under Dutch telecommunications and data protection law.

Talk to our team about building a compliance-ready messaging program for the Netherlands and across your European markets from one platform.