In her State of the Union, the President of the European Commission called for additional efforts to shape the digital transformation, because “digital technology makes the difference between success and failure”. A related theme in the policy of the European Commission remains cyber security, which is reflected in the many initiatives in this area. In national policy too, we see that both themes are receiving plenty of attention. Cybersecurity is also a theme in IT case law, which is reflected in rulings on the responsibility for back-ups. What is noticeable in IT case law over the past year is that the duty of care was less dominant and that in several cases the explanation of the agreement was invoked. These and other developments can be read in this annual update.
In March 2021, the European Commission (also “Commission”) presented the Digital Compass. It presented a vision, goals and trajectories for a successful digital transformation of the European Union by 2030. Published in September 2021, the policy programme aims to ensure that the EU meets its goals and targets in terms of the digital transformation of society and the economy. The Commission proposal is currently under discussion in the Council of Ministers (also ‘Council’).
As part of the funding for the digital transformation, the Digital Europe programme has made available €7.59 billion for the years 2021-2027. Click here for more information, including what kind of projects can be considered for funding. Digital Europe was created to ensure that research results in digital technologies are actually turned into products on the market. This programme is part of the EU‘s long-term budget (MFF).
Digital Services Act & Digital Markets Act
The Council of Ministers has now agreed on the text of the Digital Services Act and the Digital Markets Act. The Digital Services Act provides a framework of tiered responsibilities for online services such as intermediaries, hosting services and online platforms. It clarifies the responsibilities of these parties towards professional buyers and consumers and improves the fight against illegal content. The Digital Markets Act introduces obligations for the ten to fifteen largest online platforms operating globally with a gatekeeper function. The text of the regulations will now be negotiated with the European Parliament and the European Commission. The aim is to reach a final agreement in 2022.
On 22 March 2021, the Council adopted conclusions on the cyber security strategy presented in 2020. The Council stresses in the conclusions that cybersecurity is essential for building a resilient, green and digital Europe. In the conclusions, the Council points to a number of areas for action in the coming years, such as plans for a network of operational security centres to monitor and anticipate attacks on networks, the establishment of a joint cyber-security unit and the development of strong encryption. An action plan will have to ensure that the conclusions are implemented.
With the proposal for a Digital Operational Resilience Act, the European Commission wants to create a regulatory framework to increase the digital resilience of the financial sector and thus prevent and limit cyber threats. DORA imposes requirements on financial organisations with regard to IT risk management, IT incidents, periodic testing of digital resilience and the management of risks when outsourcing to (critical) third parties. DORA will apply to banks and insurers, but also to ICT suppliers of financial companies. The AFM expects the Regulation to enter into force at the earliest at the end of 2022. According to the proposal for the Regulation, the Regulation will apply 12 months after its entry into force. For background information, click here.
In December 2021, the Council agreed on a position on replacing the NIS Directive (implemented in the Network and Information Systems Security Act on 9 November 2018) with Directive NIS2. The NIS Directive obliges providers of essential services (AEDs) and digital service providers to take appropriate and proportionate technical and organisational measures in the field of cybersecurity. They are also subject to an obligation to report incidents that have a significant impact on their services. However, the NIS Guideline was no longer considered up to date due to a changing way of dealing with cyber threats and the digital transformation of society. The new NIS Directive2 aims to eliminate, through minimum regulations, the differences between the rules and approaches to cyber security in the various member states. Security obligations of companies will be strengthened and supervisory measures for national authorities will be reinforced. In addition, the proposed NIS2 Directive introduces a “size cap” rule, whereas under the NIS Directive Member States would have to decide for themselves which entities meet the criteria of a provider of essential services. This fact sheet on the website of the European Commission provides a useful overview of the differences between the Directives.
Furthermore, work is being done on the development of European cybersecurity certification schemes. It is expected that the cybersecurity certification scheme for security elements of ICT products will be ready in the first half of 2022. The certification scheme for cloud services will then follow in the second half of 2022. In addition, the European Cybersecurity Agency (ENISA) is starting to develop a cybersecurity certification scheme for 5G network equipment. European cybersecurity certification schemes for Internet of Things devices and automated industrial control systems have also been announced.
In the context of strengthening the security of the Internet and other critical network and information systems, the establishment of the EU Centre of Excellence for Cybersecurity (ECCC) has received the green light from the Council. The centre of excellence in Bucharest will bring together research, technology and industrial development investments in the area of cybersecurity and will cooperate closely with ENISA. The Council also adopted conclusions on the establishment of a joint cyber-unit, including in the context of crisis management in response to the increasing number of serious cyber incidents. Such a cyber-unit would take the form of a platform aimed at filling the gaps in existing cooperation between EU bodies and national authorities. See also here.
On 29 October 2021, rules were published to increase the cyber security of all wireless devices connected to the Internet. These include routers, security cameras, smart thermostats, refrigerators, lights and doorbells. One of the requirements is that consumers must first set a strong password themselves before putting the smart device into operation, instead of a weak default password being sufficient. The smart devices must also be able to be updated regularly and easily. Products that do not meet the minimum requirements by mid-2024 will be banned.
Microsoft will invest in a cloud for European companies and governments, where all data will be stored on servers within European borders.
Parliamentary questions have recently been put to the Commission in the context of Project Gaia-X, the cloud computing initiative initiated by the French and German governments.
Open Source Software
A study has been commissioned by the Commission on the impact of open source software and hardware on technological independence, competitiveness and innovation in the EU economy. In line with the open source strategy presented in 2020, the Commission will also make its software open source when there are potential benefits for citizens, businesses or governments.
Sale of goods and delivery of digital services and digital content
The expected entry into force of the Dutch Implementation Act on the Sale of Goods and Provision of Digital Services was 1 January 2022, but the bill is still pending before Parliament. The bill aims to implement the European Directives on the Sale of Goods and the Provision of Digital Services and Digital Content. These Directives are based on maximum harmonisation of consumer sales law. An important innovation compared to current consumer procurement law is that consumers will be entitled to (security) updates for digital content (e.g. games, applications), digital services (e.g. streaming), and goods with a digital element (e.g. a smart TV) for as long as they can reasonably expect them.
On 26 April 2021, State Secretary Keijzer sent an update of the Dutch digitisation strategy to Parliament. This edition focuses on a review of three years of digitisation policy, but with a look to the digital future. It mentions, among other things, the creation of a permanent Parliamentary Committee on Digital Affairs and the strengthening of cooperation with coalitions such as the AI Coalition, the Alliance for Digital Society and the Data Sharing Coalition. For the year 2021, the focus is on AI, data, digital skills, digital connectivity and digital resilience. A foresight study of the most important trends and developments in digitisation towards 2030 has also been drawn up. Significant trends include the fact that in the coming years, artificial intelligence will increasingly act autonomously, also in the case of more complex tasks, and that more and more virtual worlds will be created, as a result of which entertainment, work and education will move to virtual reality. At the same time, the trends point out that this dependence on technological systems and their developers makes us vulnerable both in trade disputes and to cyber-espionage.
The ACM has investigated the IP Interconnection market. This study showed that the Netherlands has a good digital infrastructure, that there is good supervision and that there is competition. However, the ACM did indicate that large parties are increasingly connecting directly with each other, often on a closed basis. Smaller parties are more dependent on so-called Internet exchanges, intermediaries and paid contracts. The above-mentioned Dutch Digitisation Strategy refers to a corona-stress test of the World Economic Forum, which shows that the Netherlands (together with the Scandinavian countries) belongs to the select group of countries that are best able to transform themselves out of the corona-stress.
On 30 November 2021, Minister Blok informed the Parliament in a letter about the progress of the Roadmap for Digitally Safe Hardware and Software. This Roadmap forms part of the government-wide approach to digital safety in the Netherlands Cyber Security Agenda (NCSA) and consists of a combination of European and national measures. In his letter to theParliament, the Minister refers, among other things, to the Cyber Security Regulation Implementation Act. The bill is being debated in the Parliament. On the basis of this Act, the Telecom Agency has been designated as the supervisory authority. The Minister indicates that the Online Trust Coalition has published a white paper describing a number of actions that contribute to demonstrating the reliability and safety of cloud services. The White Paper presents three pillars: intrinsic reliability of cloud services based on harmonised standards, the provision of assurance by means of an independently issued assurance statement, and unambiguous and harmonised reporting on this. These pillars will be included in the Dutch contribution to the development of the aforementioned European cybersecurity certification scheme for cloud services. Furthermore, the risk classification is available on the website of the Digital Trust Center. This is intended to provide entrepreneurs with an insight into their risk profile and the corresponding measures. The Minister also points out that a certification scheme for pen testing has been published on the website of the Centre for Crime Prevention. Another relevant theme in the Parliamentary Letter is the Cybersecurity Government Procurement Requirements instrument. With this instrument, clients can formulate specific security requirements for IT purchases and ‑tenders. These requirements can be included in the contract with the supplier. This instrument now consists of ten procurement segments, including cloud services and server platforms.
On 2 8June 2021, Minister Grapperhaus published a letter to the Parliament concerning the approach to cybercrime. In this letter, the increase in the number of registrations of computer hacking is shown in figures, among other things. The Minister also indicates that the police now work with a nationwide approach, consisting of the Team High Tech Crime (THTC) and ten cyber crime teams in the regional units. The Minister also referred to the extensive international police operation Ladybird, which took down the complex network of servers behind the aggressive Emotet malware. The malware infected the systems of over one million victims worldwide. Two of the three main servers were found to be in the Netherlands. Prevention in the sense of cyber resilience of citizens, companies and institutions is also discussed in the Letter from Parliament. This Letter also refers to the Cyber Security Assessment Netherlands 2021 as drawn up by the National Coordinator for Counterterrorism and Security (NCTV), which document can be found here. The Minister also discusses the content of this report in a parliamentary letter on the Dutch Cyber Security Agenda. In response to parliamentary questions, Minister Grapperhaus also indicated that he is investigating the possibility of prohibiting insurers from reimbursing ransoms paid to cybercriminals after a ransomware attack.
Last year we wrote about the (amended) Zerodays bill, which aims to provide a legally secure assessment framework for all Zerodays discovered, purchased or otherwise obtained by the government. Zerodays are errors in software that are unknown to the maker of the software and that can be used to hack the systems on which this software is installed. On 9 February 2021, the vote on the bill was again postponed.
The ACM has announced that it will investigate whether the market for Cloud Services works well for people and businesses in the Netherlands. Cloud services are on the list of core platform services in the draft Digital Markets Act of the European Commission. The ACM indicates that it is therefore possible that Cloud services provided by companies designated as gatekeepers will eventually fall under the scope of this Act.
National Growth Fund
The National Growth Fund was launched in 2020. This fund means that for the period 2021-2026, the government will make €20 billion available for projects in the field of knowledge development, research and innovation and infrastructure. Funding will be provided for, among others, AiNed (artificial intelligence), QuantumDeltaNL (quantum technology for secure networks and communication), two education projects and Health-RI (national health data infrastructure). In order to anchor the objective and functioning of the National Growth Fund and to lay down the criteria for a contribution, a National Growth Fund Bill has been submitted to the House of Representatives.
Duty of care
As already mentioned in the introduction, the duty of care was less present in the published case law last year.
A judgment in which the duty of care was also central concerned the installation of a back-up system. According to the North Holland District Court, an unexplained duty of care did not provide sufficient basis for the proposition that the back-up system also had to be maintained by the IT supplier. Also, the IT supplier could not be expected to adjust the installed backup system on its own initiative when its customer switched to another software programme. However, the IT supplier had to point out to the customer and/or the new IT supplier, as soon as it became aware that the customer was switching to another software programme, that there was no backup link for the new software programme.
In preliminary relief proceedings concerning the relocation of a data centre, the duty of care was invoked indirectly. The customer argued that an IT supplier has a special duty, partly because of the scope of services and the customer’s dependence on the data centre, to prevent the realisation of the risks of a relocation. The customer therefore demanded, inter alia, a tangible relocation plan. The court did not explicitly address the duty of care argument, but considered that the IT supplier had taken a careful approach because it had hired a specialised senior project manager, followed a step-by-step plan and had set up a project team for the relocation. As there was no contractual or legal obligation to prepare a relocation plan either, the customer’s claims were rejected.
An IT supplier who created a link with the accounting software used by his customer was not held liable for the damage caused by overwriting data from the accounting software when using the link. The problem lay not in the link, but in the processing of the linked data in the accounting program. The Arnhem-Leeuwarden Court of Appeal ruled that the customer was responsible for its own bookkeeping and that it should have made a back-up of it to prevent damage. The possible breach of an information and warning obligation by the IT supplier did not weigh sufficiently in this case, partly in view of the circumstances of the case.
Explanation of the agreement
Judgments in which the courts fell back on the interpretation of the contract for both the existence of obligations and the question of whether there was a shortcoming were all the more numerous last year.
On the basis of an extensive explanation of the SLA agreed between the parties, the Arnhem-Leeuwarden Court of Appeal came to the conclusion that the parties had not agreed any concrete standard regarding the degree of availability of the digital working environment. One of the factors that played a role was that the customer had opted for the lowest possible service level. This did not alter the fact that the IT supplier had included in the offer that the systems had to be able to offer a guaranteed continuity. According to the Court of Appeal, these were clearly recruiting texts. A professional party may not simply connect the expectation to this that – based on what was ultimately agreed in the SLA – they would have virtually failure-free access.
The court in preliminary relief proceedings in Overijssel ruled that it could not be established in preliminary relief proceedings what exactly the parties had agreed on regarding invoicing, because there was only a verbal agreement. However, the court in preliminary relief proceedings was of the opinion that because of the dependence on the services of the IT supplier, it had to continue the service provision (for the time being). The IT supplier had to receive reasonable compensation for this. The monthly fee sufficiently substantiated by the IT supplier was not sufficiently refuted by the customer and, partly in view of the billing history, did not seem unreasonable to the court in preliminary relief proceedings.
In a dispute about the functioning or non-functioning of printed circuit boards, it was also unclear what the parties had agreed. However, before proceeding to an explanation of the agreements, the Court of Appeal of Den Bosch saw reason to appoint an expert to assess whether the printed circuit boards function. The Court of Appeal did make an initial move concerning the circumstances it considers relevant for the interpretation of the contracts, namely that there are two professional parties, that it concerns a redesign contract (further development of an existing product) and also that the text of the contract was drawn up by the IT supplier. It remains to be seen what the Court of Appeal will do with this.
The Court of Appeal in Arnhem-Leeuwarden ruled that the IT supplier had performed an agreement to build a funnel. It could not be established from the various agreements that the IT supplier had to carry out the work stated by the client.
In summary proceedings concerning the unbundling of a cooperation agreement, the IT supplier argued that the contractual aftercare obligation did not apply because it was included in the article headed ‘dissolution’, while the agreement had ended because its term had expired. The Amsterdam Court of Appeal also interpreted the provision in the light of earlier agreements between the parties. These agreements had in certain respects retained their validity because they built on each other and the latest agreement referred back to these earlier agreements. It followed from those agreements, read in conjunction with the last agreement, that the after-sales service obligation applied to all cases in which the agreement ended. A different interpretation would also lead to the curious result that the IT supplier would be subject to an aftercare obligation in the event of a failing counterparty, but not if the contract ends without the other party having failed, according to the Court of Appeal.
The Rotterdam District Court ruled that, despite the fact that the requirement of writing in the declaration of intent had not been met, an agreement had come into existence between the parties. The parties had executed the completed but unsigned agreement and had also agreed with each other about those arrangements. The parties had therefore tacitly disregarded the requirement of being in writing.
The Amsterdam District Court supplemented the termination agreement concluded between the parties with regard to the financial settlement, because the parties had not reached agreement on this. Within this framework, the court adhered to Section 7:411 of the Dutch Civil Code (DCC) concerning a reasonable wage. The circumstances that weighed in were the work already carried out and the advantage the client had thereof. The court considered that this advantage was only limited. The outcome was that the client had to compensate in any case the value that the work represented according to his own statements and in addition one third of the amount that remained after that.
The notice period of an agreement under which an IT consultant was to be seconded to a third party was determined by the Amsterdam Court of Appeal by means of a reasonable interpretation of the agreement in the light of the other provisions of the agreement and application of Section 7:411 of the DCC (concerning a reasonable wage when the assignment is terminated).
The District Court of Amsterdam held that a “desired result” of gaining six new customers in 2019 is not an obligation to achieve a certain result. According to the customer, this was the case because of the provision in the general terms and conditions that “the Agreement is in the nature of an obligation to perform to the best of one’s ability, unless and insofar as a result has been expressly promised in the written Agreement and the result in question has also been described with sufficient certainty in the Agreement“. The court did not go along with this. Furthermore, the court indicated that whether or not a result or effort commitment has been met does not automatically mean that the claimant would be released from her payment obligation.
This year again, there were various rulings which focused on the importance of and responsibility for backups in the event of a ransomware attack. Some of these were already discussed in the context of the duty of care. There we already saw that the responsibility for back-ups was not always placed solely on the IT supplier.
In the case of a hack that took place after the SLA with the IT supplier had ended, but before the SLA with the new IT supplier had started, the Amsterdam Court of Appeal divided the liability for the damage between the IT supplier and its former customer. The Court of Appeal ruled that a recent full back-up should have been present on the expiry date of the SLA, or at least it should have been possible to reconstruct it. However, the customer would also have suffered damage if a full back-up had been present on the expiry date of the SLA, because the hack took place “in between SLAs”. For this reason, the court ordered 2/3 of the damage suffered by the customer to be borne by the customer itself.
According to the Rotterdam District Court, the responsibility for the “24/7 monitoring of servers, backups and network” also included the files containing custom-made software developed by a third party. A separate folder (SQLBackup) had been created for backing up these files. The IT supplier included this folder in the daily backup, but after a ransomware attack, it appeared that the files containing the customised software had been lost. The IT supplier argued that this was because the third party had not written the new, modified files to the SQL backup folder. The court ordered an expert opinion, among other things because of the question of whether the IT supplier could assume that the SQL backup folder had been filled by the third party.
The judgment of the Subdistrict Court of Rotterdam is somewhat different. The Subdistrict Court ruled that the responsibility of the web host for the accessibility of the claimant’s website also includes the prevention of exposure to digital infringements on that accessibility caused by third parties.
Duty to complain
Not an IT dispute, but relevant for the IT practice is that the Supreme Court has ruled that article 6:89 DCC on the obligation to complain does not apply if the performance has not taken place at all. The party that has effected a performance must be able to count on the creditor examining with due notice whether the performance corresponds to the obligation and, if not, informing him thereof with due notice. The purport of article 6:89 DCC therefore opposes application if the performance has not been carried out. It was interesting that the plaintiff had not argued in the factual instances that Section 6:89 of the DCC did not apply. The court of its own motion was obliged to apply the correct legal rule (Article 25 Rv), according to the interesting conclusion of the P-G.
A customer that was intensively involved in the work and had a certain degree of control over it, could and should have intervened if it believed that the IT supplier was not fulfilling its obligations or was working outside the scope of the contract (invoicing too many hours). The North Holland district court also took into account that it was a project based on post-calculation and that the customer, as “product owner“, was responsible for the progress, scope and costs. Interestingly, the court attributed an important role to the app conversations between the customer and the IT supplier. These played a role in the question of whether the customer had been declared in default and also in the question of whether or not the customer had agreed to certain work.
According to the Amsterdam Court of Appeal, a fatal term can also cover a certain period of time. The Court of Appeal ruled that moving a deadline that was a fatal deadline in consultation did not deprive it of its fatal character, but “only extended the fatal deadline“. According to the court, the fatal character of the deadline was evident from the documents and statements made at the hearing, because it followed that the software would go live on 1 January 2018. In view of this, the IT supplier should have explained its argument that it was not in default by the expiry of this date. The postponement of the deadline (“muddling through”) therefore had no consequences for the customer in this case.
The Rotterdam District Court found that a customer had not explained in a sufficiently concrete manner why a list of imperfections and next steps, without granting a final deadline for performance, would make it impossible to expect the customer to continue with the project and to dissolve the contract without notice of default.
The Supreme Court has ruled that Alert’s cassation complaints against the judgments of the Court of Appeal of Den Bosch of 3 November 2015 and 17 December 2019 cannot lead to the annulment of those judgments. Attorney General Wissink also concluded that the cassation appeal should be dismissed. The P-G addressed Alert’s cassation complaints regarding the nature of the time limits and whether exceeding them could constitute a breach of a material obligation. The considerations regarding anticipatory breach are also interesting.
An IT supplier was allowed to dissolve the contract for the development of three websites because the customer did not provide any content for the websites. The purchaser’s defence that no contract had been formed, inter alia, because there was no signed offer, did not hold. The Subdistrict Court of North Holland deduced the existence of the agreement from the conduct and statements of the parties. It was undisputed that ninety percent of the agreed work had already been carried out. The customer was therefore ordered to pay for that work (value payment within the framework of undoing obligations).
The court in Overijssel ruled that only wanting to provide a team of five consultants, while the customer was only obliged to purchase one consultant, was a sufficiently serious breach of contract to justify dissolution of the agreement. However, the court could not follow the customer in its view that, apart from reimbursement of paid invoices (minus a value compensation for services that could not be undone), it had suffered damage. The damage would be in the form of loss of man-hours, loss of profit and legal fees, but with these brief assertions the customer has not met its burden of proof, however limited it may be for a referral to the state proceedings for damages.
The District Court of Overijssel pointed out the importance of substantiating the causal connection between the errors in the software and the alleged damage. This was particularly relevant in this dispute because the progress of the project had (also) been affected by various other problems.
The cancellation of a cooperation by a reseller, after which it offered its own, similar software tool to joint customers, cost it dearly. It concerned an Information Security Management System sold by the reseller to various municipalities, with fixed-term contracts. At some point the reseller terminated the cooperation with the IT supplier and offered the ISMS tool, which he had developed himself, to the municipalities. Several municipalities chose the reseller’s tool. The IT supplier took the position that the reseller had to fulfil its payment obligations towards the IT supplier under the fixed-term contracts with the municipalities. The court agreed with the IT supplier regarding the payment obligations in respect of the contractual years already commenced. The fact that the municipalities themselves had chosen the ISMS tool of the reseller and were also allowed to do so on the basis of the general terms and conditions of the reseller, could not stand in the way of this. The reseller had given the municipalities an optional choice for reasons of his own, which should remain at his own expense and risk.
Software copyright – contract law
The Amsterdam Court of Appeal ruled in summary proceedings that neither party had been able to make plausible its interpretation of the exclusivity provision regarding the development of software for a medical instrument. However, it was up to the claimant, who argued that the defendant was infringing the exclusivity provision, to make it plausible that she could claim the exclusivity. As the plaintiff failed to do so, the claims of the plaintiff were (as yet) dismissed.
According to the Court of Justice, under Article 4 of the Directive on the legal protection of computer programs, decompilation of software also falls within the reserved acts of the rightholder of a computer program. However, the Court considers that decompilation may also be permitted under the general exception to the reserved acts in Article 5 of the Directive. Software may also be decompiled to correct errors that affect the functioning of the software. However, this is only permitted if such decompilation is necessary to correct those errors and, where appropriate, in compliance with the agreement concluded between the parties. The Court of Appeal thus follows the AG’s conclusion.