Netherlands Phone Spoofing Law: How a New Dutch Bill Aims to Protect Against Telecom Fraud

The Dutch government's proposed legislation targets the growing threat of caller ID spoofing and phishing via telecom networks — with major implications for digital privacy across Europe

Netherlands Phone Spoofing Law: How a New Dutch Bill Aims to Protect Against Telecom Fraud

Dutch Government Introduces Landmark Anti-Spoofing Bill

The Dutch cabinet has published a draft legislative proposal aimed at tackling one of telecom security's most persistent problems: the spoofing of Dutch phone numbers to facilitate phishing attacks, bank fraud, and other forms of digital deception. The draft bill, now open for public consultation, marks a significant step in a legislative process that has been in motion since late 2020 — and its implications stretch well beyond the Netherlands.

Phone number spoofing — the practice of disguising the true origin of a call or text message by displaying a false caller ID — has become an increasingly sophisticated tool in the arsenal of cybercriminals. Victims receive what appears to be a call from their bank, a government agency, or a trusted business, only to find themselves targeted by social engineering attacks designed to steal credentials or funds. The Dutch government's bill attempts to address the technical and regulatory gaps that have allowed this to continue largely unchecked.

The original proposal was first announced at the end of 2020, targeting the misuse of telecom infrastructure for phishing purposes. An earlier version was put out for consultation in 2022, but substantial revisions since then have prompted the government to launch a fresh round of public feedback. "Due to subsequently implemented substantial changes, a new consultation is considered appropriate," the announcement accompanying the draft bill states.

Why Existing Laws Are Failing to Stop Telecom Fraud

Cybersecurity professional monitoring telecom fraud activity
Telecom-based fraud increasingly exploits gaps in existing regulatory frameworks across Europe

At the heart of the Dutch government's justification for new legislation is a frank acknowledgement: the existing legal framework is simply not up to the task. According to the draft bill's explanatory notes, growing financial and personal harm caused by phishing and spoofing has exposed deep structural weaknesses in how the Netherlands currently governs its numbering resources under the Telecommunications Act.

Two core vulnerabilities are identified. The first is the use of Dutch telephone numbers on a permanent basis outside the Netherlands for voice calls and SMS traffic. This is a critically important distinction — the bill is not targeting ordinary roaming, where Dutch residents use their SIM cards while travelling abroad. Instead, it targets a situation where Dutch number ranges are being used continuously and commercially from foreign infrastructure, effectively weaponising the trust Dutch citizens place in domestic phone numbers.

This creates a supervisory nightmare. Because the telecom providers involved in routing these calls and messages are often headquartered outside the Netherlands, Dutch regulators — including the Autoriteit Consument & Markt (ACM) — struggle to exercise effective oversight. The cross-border nature of the infrastructure means that by the time a fraud is traced, the responsible party may be in a jurisdiction with limited cooperation arrangements.

The second vulnerability is the ease with which caller ID can be manipulated. Technically, this is not a new problem — the ability to spoof caller ID has existed since the widespread adoption of VoIP (Voice over IP) technology. But the scale and sophistication of its abuse have grown dramatically. Modern spoofing attacks can impersonate a bank's official helpdesk number, a government tax authority, or even emergency services. According to Europol's cybercrime division, social engineering attacks using spoofed caller IDs have become one of the fastest-growing categories of financial fraud across the EU.

The existing legal prohibition on incorrect use of number identification in the Netherlands is — as the bill candidly acknowledges — not sufficiently tailored to the roles of different telecom providers within the call delivery chain. A modern phone call may pass through half a dozen networks before reaching its destination, and the current rules do not clearly allocate responsibility for spoofing prevention at each hop. Moreover, the existing framework does not account for alphanumeric sender IDs — the kind used when a text message appears to come from "ING Bank" or "Belastingdienst" rather than a numeric phone number. This gap significantly limits the technical countermeasures that telecom operators could otherwise implement.

€1B+Estimated annual losses from telecom fraud across the EU
2020Year the original Dutch anti-spoofing proposal was announced
3rdConsultation round launched following major legislative revisions
VoIPPrimary technical vector enabling caller ID spoofing at scale

How Phone Number Spoofing Attacks Work — and Why They Are So Effective

Understanding the proposed legislation requires understanding the mechanics of the attack it is designed to prevent. Caller ID spoofing exploits a fundamental design weakness in the global telephone signalling system. When a call is placed over the public switched telephone network (PSTN) or a VoIP service, the caller's number is transmitted as a piece of metadata called the Calling Line Identification (CLI). In traditional telephone networks, this was assumed to be accurate. VoIP, however, allows this field to be set to virtually any value — and most networks do not verify it against the actual originating account.

This means a criminal operating a VoIP server — potentially from anywhere in the world — can instruct their system to display the number of ABN AMRO's fraud helpdesk, the Dutch Tax Authority, or any other trusted institution when placing calls to Dutch residents. The recipient's phone will ring showing a number they may recognise and trust. Research from the ACM's annual oversight reports has shown that this technique underpins a significant portion of "bank helpdesk fraud" (bankhelpdeskfraude), a specific crime category in which victims are manipulated into transferring funds or revealing access credentials by someone posing as their bank's security team.

Alphanumeric spoofing adds another layer of difficulty. Many legitimate businesses send SMS messages using a branded sender name — "PostNL" or "DHL" rather than a phone number. This is technically straightforward to replicate. Fraudsters sending phishing SMS messages can make them appear in the same conversation thread as legitimate messages from the same organisation on many smartphones, bypassing the visual cues that users rely on to identify suspicious communications.

"The current framework for number management in the Telecommunications Act is due for renewal. Growing damage to citizens and businesses from phishing and spoofing demands more robust regulatory tools and clearer accountability across the telecom chain."

— Dutch Cabinet, Draft Bill Explanatory Notes

What the Dutch Anti-Spoofing Legislation Would Actually Change

Legislation documents and digital privacy concept
New regulatory frameworks aim to assign clear responsibilities to telecom providers at each step of the call delivery chain

While the full text of the draft bill is subject to consultation and may evolve, the structural changes being pursued are clear. The proposed legislation seeks to modernise the Telecommunications Act's number management framework, addressing both the permanent offshore use of Dutch numbers and the spoofing of caller identification.

Crucially, the bill aims to assign clearer responsibilities to each link in the telecom chain. Rather than a blanket prohibition that all operators struggle to enforce, the new framework would delineate which provider — the originating network, transit networks, or terminating network — is responsible for verification and blocking at each stage of a call or message's journey. This chain-of-responsibility approach mirrors technical standards being developed internationally, including the STIR/SHAKEN framework widely adopted in the United States, which cryptographically signs calls to verify the legitimacy of caller ID information. According to ETSI, the European Telecommunications Standards Institute, European equivalents to STIR/SHAKEN are under active development.

The bill also directly tackles alphanumeric sender IDs, bringing these within the scope of spoofing prohibition for the first time. This is significant for businesses that legitimately use branded SMS identifiers, as they may face new requirements to register or authenticate their sender names through verified channels — a move that, while adding administrative overhead, would dramatically reduce the feasibility of SMS phishing attacks that impersonate trusted brands.

Issue Current Legal Status Proposed Change
Numeric caller ID spoofing Prohibited but poorly enforced Chain-of-responsibility enforcement model
Alphanumeric sender ID spoofing Not adequately covered Explicitly brought within spoofing prohibition
Offshore permanent use of Dutch numbers No effective oversight mechanism New restrictions on permanent non-domestic use
Foreign telecom provider liability Practically unenforceable Clearer obligations for domestic terminating networks
Number management framework Outdated Telecommunications Act provisions Comprehensive modernisation of number governance

The Broader European Context: Digital Sovereignty and Telecom Security

The Dutch bill does not exist in a vacuum. Across the EU, regulators and legislators are grappling with the same fundamental challenge: telecom infrastructure that was designed for a world of nationally contained networks is now deeply globalised, and the fraud that exploits it is equally borderless. The European Electronic Communications Code (EECC), which EU member states were required to implement, provides a baseline framework, but leaves much of the operational detail to national regulators — creating exactly the kind of patchwork enforcement environment that cross-border fraudsters exploit.

From a digital sovereignty perspective, the Dutch proposal is notable for its explicit recognition that national number resources — the Dutch +31 country code — represent a form of national digital infrastructure that requires active governance. Allowing those resources to be used permanently from abroad, without oversight, is framed not merely as a consumer protection failure but as a structural vulnerability in the national telecom ecosystem. This framing aligns with broader EU discourse around digital sovereignty and the need for European states to maintain meaningful control over critical digital infrastructure.

Similar legislative efforts are underway or have recently concluded in the UK, Germany, and Australia. The UK's Ofcom introduced new rules requiring telecom providers to implement technical measures against CLI spoofing. Germany's Bundesnetzagentur has pursued comparable enforcement actions. Originally reported by Security.NL. Summarised and curated by European Purpose.