Compliance | March 30, 2026 | 8 min read

The Dutch SMB's Guide to EU-Compliant Business Automation

By Daan Vermeer

The Netherlands is one of the most digitally advanced business environments in Europe. A recent study found that 95% of Dutch organizations are running AI programs, and the Dutch government has invested EUR 276 million in AI development. Dutch businesses don't need convincing that automation matters — they're already doing it.

The harder question is: where does your data go when you automate?

The sovereignty problem you might be ignoring

Most SaaS tools used by European businesses are headquartered in the United States and hosted on US-owned cloud infrastructure — primarily AWS, Google Cloud, or Azure. This creates a legal conflict that many businesses underestimate.

The US CLOUD Act (2018) gives US law enforcement the right to demand data from any US company, regardless of where that data is physically stored. If your business data sits on AWS eu-west-1 in Frankfurt, it's still subject to US jurisdiction because Amazon is a US company.

After the Schrems II ruling invalidated the EU-US Privacy Shield, the legal basis for transatlantic data transfers became uncertain. The current EU-US Data Privacy Framework provides some relief, but it's already facing legal challenges. Building your business infrastructure on US-owned platforms means accepting ongoing regulatory uncertainty.

What GDPR actually requires for business data

GDPR doesn't prohibit using US-based tools outright. But it imposes strict requirements that many tools fail to meet in practice:

  • Data Processing Agreements (DPA). Any tool that processes personal data on your behalf needs a signed DPA that specifies what data is processed, where, and how. Check if your current tools have one. Many don't.
  • Right to deletion. If a customer or employee requests data deletion, you need to delete their data from every system — including your automation tool, your database, your backups. Can you actually do that across five different SaaS tools?
  • Right to export. Data subjects can request a copy of their data in a portable format. If your data is locked into a tool with no export API, you have a compliance gap.
  • Audit trail. You need to demonstrate that data processing is lawful and documented. Spreadsheets with no change history don't qualify. Neither do automation tools that don't log their actions.

Most automation tools fail the sovereignty test

Run this checklist against your current toolstack:

  1. Where is the company headquartered? (US company = US CLOUD Act jurisdiction)
  2. Where is the data physically hosted? (EU data center is necessary but not sufficient)
  3. Who owns the hosting infrastructure? (AWS in Frankfurt is still Amazon)
  4. Is there a signed Data Processing Agreement?
  5. Can you export all your data in a standard format?
  6. Does the tool maintain an audit trail of all data operations?
  7. Can you delete specific records on request?

If your tools fail on questions 1-3, hosting location alone doesn't protect you. An EU data center owned by a US company is a legal gray zone — not a guarantee.

The infrastructure question most vendors dodge

Many SaaS tools advertise "GDPR compliant" on their marketing pages. Fewer explain what that means in practice. "GDPR compliant" often means "we have a DPA template" — not "we store your data exclusively on EU-owned infrastructure."

These two things are not the same:

  • EU-hosted on US infrastructure — data sits in Frankfurt or Amsterdam, but on AWS/GCP/Azure. The US company owns the infrastructure and is subject to US law.
  • EU-hosted on EU infrastructure — data sits in EU data centers owned by EU companies (Hetzner, OVH, Scaleway). No US parent company, no CLOUD Act jurisdiction.

Some automation platforms sit on top of existing ERPs and route your data through their own infrastructure. Even if your ERP is hosted in the EU, the automation layer might process data through US-owned cloud services. Ask the question. Get a specific answer.

SaaS inflation adds to the urgency

There's a second factor driving European businesses to reconsider their toolstack. SaaS pricing has inflated by 12.2% in 2026 alone. The average company now spends more on software subscriptions than it did two years ago for fewer features — because vendors have learned they can raise prices once you're locked in.

Companies that built their operations on a stack of five US-based SaaS tools are now paying more, with less control over their data, and increasing regulatory exposure. The smart ones are consolidating: fewer tools, EU-owned, with data export built in so they're never locked in again.

How to evaluate any tool for sovereignty

Before adopting a new business tool, ask these five questions:

  1. Where is the company incorporated? An EU company is not subject to the US CLOUD Act. This matters more than where the servers are.
  2. Who owns the hosting infrastructure? Hetzner, OVH, and Scaleway are EU-owned. AWS, GCP, and Azure are not — regardless of which region you select.
  3. Can I export everything? Full data export in CSV, JSON, or API access. If you can't leave, you're a hostage, not a customer.
  4. Is there a real DPA? Not a checkbox on a settings page. A document that specifies data categories, processing purposes, sub-processors, and retention policies.
  5. Does the tool maintain audit logs? Every data access, modification, and deletion should be logged. Without this, you can't demonstrate compliance.

Building on the right foundation

LedgerSoft is an EU company, built in Amsterdam, hosted on EU-owned infrastructure (Hetzner). No US cloud providers in the stack. Full data export via API. Audit trail on every record. DPA included with every account.

Dutch businesses are already automating. The question is whether the infrastructure under those tools is owned by Europeans and governed by European law — or whether it's one US subpoena away from being someone else's problem.

Your data shouldn't need a transatlantic flight to process an invoice.