Guidelines for Dutch governmental websites
Dutch governmental websites must be accessible to all citizens through established guidelines covering user experience, analytics, email security, and data archiving. This article addresses technical and non-technical compliance requirements across multiple disciplines.
Who's Who
- DigiToegankelijk: A framework layered on WCAG standards providing news and explanations about website accessibility guidelines
- CommunicatieRijk: Covers government-citizen communication, including technical guidelines for Dutch governmental websites
- Het Nationaal Archief: The governmental organization responsible for storing Dutch historical records, maintaining 137 km of documents, 15 million photographs, nearly 300,000 maps and drawings, and 800 terabytes of digital files
Comply or Explain
Organizations can provide explanations when guidelines cannot be met, rather than facing strict penalties—a regulatory approach used by governments without creating formal laws.
Website Analytics
Google Analytics is prohibited for Dutch government websites because its data is stored on foreign servers. The Dutch government mandates Piwik/Matomo alternatives, or sites can use the government-offered statistiek.rijksoverheid.nl, which is hosted domestically.
SSL Certificates
Dutch government websites must use PKIoverheid certificates, which comply with European regulations for Qualified Website Authentication Certificates (QWAC).
Email Security and Spam Prevention
STARTTLS and DANE
STARTTLS encrypts communication between email servers. DANE requires email server support, TLSA DNS records, and DNSSEC—preventing DNS manipulation of encryption keys.
SPF (Sender Policy Framework)
SPF verifies sending servers through DNS TXT records. Example:
v=spf1 include:mail.grrr.nl include:servers.mcsv.net -all
DKIM (DomainKeys Identified Mail)
Sending servers sign messages with private keys; receiving servers validate using publicly published DNS records. Multiple selectors allow key rotation:
default._domainkey.grrr.nl TXT v=DKIM1; k=rsa; p=public-key-x;
news._domainkey.grrr.nl TXT v=DKIM1; k=rsa; p=public-key-y;
DMARC (Domain-based Message Authentication, Reporting & Conformance)
Domain owners specify actions for messages failing SPF/DKIM validation. Progressive implementation prevents delivery failures:
Initial monitoring:
v=DMARC1;p=none;pct=100;rua=mailto:reports@grrr.nl;
Enhanced security:
v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:reports@grrr.nl;
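As an added example (not part of the original article or of any government tooling), the following Python lints SPF and DMARC TXT values such as the ones quoted above before they are published. The function and constant names are hypothetical, and the check works on the record text only, without DNS queries.

```python
# Added example: offline lint for SPF/DMARC TXT values; samples are the article's records.
SPF = "v=spf1 include:mail.grrr.nl include:servers.mcsv.net -all"
DMARC_MONITOR = "v=DMARC1;p=none;pct=100;rua=mailto:reports@grrr.nl;"
DMARC_ENFORCE = "v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:reports@grrr.nl;"
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # RFC 7208, 4.6.4

def parse_dmarc(txt):
    """Return the DMARC tags as a dict; v=DMARC1 must be the first tag."""
    tags, order = {}, []
    for pair in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        order.append(name.strip().lower())
        tags[order[-1]] = value.strip()
    if order[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags

def dmarc_findings(txt):
    """List what still separates a record from full enforcement."""
    tags, out = parse_dmarc(txt), []
    if tags["p"] == "none":
        out.append("p=none: monitoring only, failing mail is still delivered")
    elif tags.get("sp") == "none":
        out.append("sp=none: subdomains are not enforced")
    if int(tags.get("pct", "100")) < 100:
        out.append("pct<100: policy applies to a sample of failing mail")
    if "rua" not in tags:
        out.append("no rua=: aggregate reports are not collected")
    return out

def spf_findings(txt):
    """Check the terminal 'all' qualifier and top-level DNS lookup count."""
    terms = txt.lower().split()
    if terms[:1] != ["v=spf1"]:
        raise ValueError("record must start with v=spf1")
    names, out = [t.lstrip("+-~?") for t in terms[1:]], []
    redirect = any(n.startswith("redirect=") for n in names)
    lookups = redirect + sum(
        n.replace("/", ":").split(":")[0] in LOOKUP_MECHS for n in names)
    if lookups > 10:  # nested includes count too, so this is a lower bound
        out.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    if terms[-1] != "-all" and not redirect:
        out.append(f"ends in {terms[-1]!r}, not -all: unlisted servers are not hard-failed")
    return out
```

Running `dmarc_findings` on the monitoring record reports that failing mail is still delivered, while the enforcing record and the SPF record come back with no findings.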
Archiving
Dutch law requires all governmental data—including websites—to be archived. After 20 years, materials become public. The government recommends hiring specialized companies for compliance, as internal archiving requires scraping, storage, backup, integrity verification, and public accessibility management.
Originally published on norday.tech.