Netherlands: €1.5M fine for failure to comply with Dutch lawful intercept obligations

After already imposing a similar fine in 2024, in October 2025 the Dutch Authority for Digital Infrastructure (“RDI”) imposed a fine of €1.5M on one of the three mobile network operators in the Netherlands for breaches of legal requirements related to the security of the lawful intercept (“LI”) system. Under Chapter 13 of the Dutch Telecommunications Act (“DTA”), providers of public electronic communication services and networks must ensure that their services and networks are capable of being intercepted. Operators need to comply with authorised orders to intercept communications whilst keeping such data confidential. At the same time the law requires operators to keep data secure against unauthorised access.

The Dutch Authority for Digital Infrastructure finds security breaches

The RDI concluded that the LI system had several security shortcomings. Firstly, a security plan was completely missing and prepared only after the regulator requested it (despite Dutch law requiring such a plan).

Secondly, staff screening was inadequate: the required job descriptions and certificates of good conduct were missing for personnel working with interception requests, confidentiality agreements with those employees were absent, and staff not authorised to process LI data had access to it. Furthermore, the authority found that the digital access security of the LI systems was inadequate. As a result, suppliers had digital access to the tapping system, which meant that these suppliers could potentially gain access to state secrets or criminal information.

Finally, the RDI found failures in the security of automated information systems. According to the RDI, for a period of more than nine years, there was a very high risk of unauthorised (supplier) access to LI data, as a large number of unauthorised persons had access to the operator's systems and that employees actually made use of this access. Furthermore, the RDI found that standard passwords could be used, and that deliberately unencrypted tap lists were present on this system, which made the likelihood of unauthorised (supplier) access very high and increased the seriousness of the violation for the RDI.

Comparison decisions

In last year’s decision, the RDI fined another mobile network operator for five breaches of the Dutch LI legislation. However, in this recent decision, the RDI found three breaches of the applicable Dutch legislation:

• Failure to comply with the requirement for a security plan,
• Failures with regard to personnel who may or may not have access to LI data, and
• Failures in the security of automated information systems.

For two of these breaches, the RDI found an increased degree of culpability.

Implications for companies offering ECS/ECN

These enforcement actions showcase the importance of compliance with telecommunications legislation and specifically the obligations related to lawful intercept. The Dutch authority has demonstrated willingness to impose substantial penalties for companies obliged to provide LI. Compliance with the obligations must be continuous, with regular audits of security plans, personnel screening, and technical safeguards.