The scanner · methodology

We check 153 things that Dutch regulators, lawyers and users expect from your website.

Spread across 7 compliance areas. Run automatically in ±60 seconds. One page free, whole site from €2.50.

Start a free check See a sample report →

Why this matters

€2.1bn
GDPR fines in 2024
European data protection authorities issued over €2.1 billion in fines in 2024. SMEs are increasingly in scope.
€800–1500
Per image
Copyright agencies like CopyTrack, Permission Machine and Pixsy send tens of thousands of demand letters per year. Settlements up to €1,500 per photo.
€900,000
EAA fine ceiling
Since 28 June 2025 the ACM can issue administrative fines up to €900,000 per breach — or 1% of annual turnover if higher.
< 1 hour
Typical fix
A single issue can cost more than years of prevention. Most fixes in our report take under an hour to implement.

The 7 areas, in detail.

What we check, specifically
Origin detection via reverse image search (TinEye index, ±50M images)
Match against known stock libraries (Getty, Shutterstock, Adobe Stock)
EXIF & metadata analysis for licence indicators
Detection of AI-generated images (Stable Diffusion, Midjourney signatures)
Auteurswet art. 27a
Auteurswet art. 12
RB 2021:1234
Sample finding
High
Potentially unlicensed Getty Images photo found on /about-us.
The risk if you ignore this
Demand letters from CopyTrack, Permission Machine or Pixsy. Settlements €800–€1,500 per image, higher in commercial use. Auteurswet art. 27a allows additional damages for flagrant infringement.
What we check, specifically
Cookie banner: pre-consent detection (scripts firing before "Accept")
Privacy notice: presence + 13 mandatory items under GDPR Art. 13
Processor register: third-party scripts identified and mapped
International transfers: detection of US/non-EU endpoints (Schrems II)
Data subject rights: contact route for SARs/erasure requests in place
GDPR Art. 6, 13, 28
ePrivacy Art. 5(3)
Schrems II
Sample finding
Critical
Google Analytics loads before cookie consent.
The risk if you ignore this
AP (Autoriteit Persoonsgegevens) fines up to €20M or 4% of global turnover. For SMEs typically €1,000–€50,000 per breach plus reputational damage.
What we check, specifically
Alt text on meaningful images (WCAG 1.1.1)
Colour contrast: text at least 4.5:1, large text 3:1 (WCAG 1.4.3)
Keyboard navigation: tab order, visible focus states
Form fields: labels, error messages, screen-reader compatibility
Video & audio: captions, transcripts (WCAG 1.2.x)
PDF accessibility: tagged structure, reading order (Premium only)
EAA Directive 2019/882
WCAG 2.2 AA
EN 301 549
Sample finding
High
12 images without alt text (WCAG 1.1.1).
The risk if you ignore this
The EAA has been enforceable since 28 June 2025. The ACM (Autoriteit Consument & Markt) can impose fines up to €900,000 or 1% of annual turnover — whichever is higher.
What we check, specifically
TLS configuration: certificate validity, cipher suites, protocol versions
HTTP security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy
Known vulnerabilities: jQuery, WordPress, plugins (CVE database matching)
Mixed content: HTTP resources on HTTPS pages
Subresource Integrity (SRI) on external scripts
GDPR Art. 32
NCSC Web Guidelines
Sample finding
High
Content-Security-Policy header missing.
The risk if you ignore this
No direct fine, but under GDPR Art. 32 you must take "appropriate technical measures". A data breach via a known vulnerability is an aggravating factor when the AP calculates a fine.
What we check, specifically
KVK number & VAT number: present and visible (Wet WHC)
Business address: present in footer or contact page
Terms & Conditions: present, downloadable as PDF
Contact route: email or form, not solely a premium-rate (0900) number
Imprint for German-facing sites (TMG §5)
Wet WHC
Burgerlijk Wetboek 6:230j
Sample finding
Medium
KVK number missing from website (Wet WHC).
The risk if you ignore this
ACM can impose periodic penalty payments (€500–€5,000 per day). Consumers cannot identify your business — strengthens liability in disputes.
What we check, specifically
Double opt-in: confirmation email on sign-up
Unsubscribe link: present and functional in every email
Consent records: timestamp, IP, form text retained
Specific checkbox for marketing — not pre-ticked
Send from your own domain (SPF/DKIM aligned)
Telecommunicatiewet art. 11.7
GDPR Art. 7
Sample finding
Medium
Newsletter form without double opt-in.
The risk if you ignore this
Telecommunicatiewet fines up to €900,000. Spam complaints are handled by the AP; the ACM takes action against commercial messages without consent.
What we check, specifically
Order button text: "Order with obligation to pay" or equivalent (BW 6:230v)
Cancellation form: 14-day cooling-off available, instructions in checkout
Price presentation: total price incl. VAT and shipping visible before order
Delivery time: stated concretely (no vague terms like "fast")
Statutory vs commercial guarantees: clearly distinguished (June 2026)
BW 6:230v
Directive 2011/83/EU
Sample finding
High
Cancellation form missing in checkout (June 2026).
The risk if you ignore this
An incorrectly labelled order button makes the contract voidable — the customer does not have to pay and keeps the product. Plus ACM fines up to €900,000.

Methodology

How we run it — without the black box.

See our open-source work on GitHub →

01

Research into applicable rules

We track EU-wide legislation (GDPR, EAA, ePrivacy) and the Dutch national overlay (Wet WHC, Telecommunicatiewet, BW). When a regulator tightens a rule or publishes new fining guidance, our checklist is updated.

02

Automated validation

Every testable rule gets a deterministic check: a real browser loads the page (Playwright/Chrome), we read DOM, headers, requests and TLS configuration. No "AI magic" where code can give an honest answer.

03

AI for more complex checks

For rules that aren't a simple checkbox — completeness of a privacy notice, dark patterns in a checkout, tone of consent copy — we use a combination of the latest local and cloud models, tuned for this purpose. Used in a targeted way and always traceable back to the source rule.

Want to know where your site stands?

One page free. No registration. Results in 60 seconds — with concrete next steps.

Start a free check →

We check 153 things that Dutch regulators, lawyers and users expect from your website.

The 7 areas, in detail.

Image copyright

Accessibility

Security

Legal pages

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?

We check 153 things that Dutch regulators, lawyers and users expect from your website.

The 7 areas, in detail.

Image copyright

GDPR & Privacy

Accessibility

Security

Legal pages

Newsletter

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?