Corporate Governance 2026

NETHERLANDS Law and Practice Contributed by: Manon Cremers, Heleen Kersten and Frédérique van der Wegen, Stibbe

6. Audit, Risk and Internal Controls 6.1 External Auditors Dutch corporate law requires an audit of the financial statements for all large and medium-sized companies. The external auditor must examine whether the annual accounts provide the required legal disclosures and a true and fair view, whether other parts of the finan - cial report comply with statutory requirements and whether the management report conflicts with the annual accounts or contains material misstatements. The external auditor reports to the management board and supervisory board and records the result in an independent auditor’s report. Appointment of the External Auditor Book 2 of the DCC provides that the general meeting appoints the external auditor; if it fails to do so, the supervisory board is authorised to appoint the audi - tor; and, in the absence of a supervisory board, the management board is authorised to do so. If an NV/ BV is a public interest entity, the appointment must be notified to the AFM. Further rules on the selection and appointment of auditors of public interest entities are included in Regulation (EU) 537/2014 and in the CG Code. The audit committee plays an important role in pre - paring the appointment. Public interest entities must regularly change audit firms. An audit firm may not perform that function for more than ten consecutive years, and the same firm may not carry out the statu - tory audit again until four years have passed. Within the audit firm, the auditor responsible for the audit may not be responsible for the audit report for more than five years. 6.2 Risk Management and Internal Controls General Risk Oversight Under Dutch corporate law, the management board is responsible for identifying and managing risks asso - ciated with the company’s strategy and activities. The supervisory board, if there is one, supervises the management board’s policy and the general course of affairs. For Dutch listed companies, these respon - sibilities are further elaborated in the Dutch CG Code.

also evidence mismanagement and may lead to per - sonal liability of the management board in bankruptcy. 5.4 Global Anti-Money Laundering Dutch companies are not subject to a general AML reporting regime merely because they are incorpo - rated in the Netherlands. AML obligations arise main - ly where an entity qualifies as an “institution” under the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act ( Wet ter voorkoming van witwassen en financieren van terrorisme , or Wwft), such as a financial institution or specified gatekeeper. Where the Wwft applies, the principal obligations include risk-based customer due diligence, identification and verifica - tion of the customer and its UBO, ongoing monitor - ing, record-keeping, staff training and screening, and prompt reporting of unusual transactions, including intended transactions, to FIU-Nederland. Board oversight is principally relevant where the com - pany falls within the Wwft. In that case, the board must ensure that the institution has an adequate risk-based AML framework, including a documented and up-to- date business-wide risk assessment and appropri - ate policies, procedures and measures. If day-to-day management is determined by two or more persons, one day-to-day policymaker must be designated as responsible for Wwft compliance. Depending on the nature and size of the business, an independent compliance function and audit function may also be required. Directors are not subject to a separate universal AML liability regime under Dutch law, but personal exposure may arise under general directors’ duties, regulatory enforcement and, in serious cases, crimi - nal or administrative liability as a factual leader of the infringement. The AFM may impose fines on the legal entity and on individuals who have factually directed the breach. Failure by a reporting institution to report an unusual transaction is an economic offence, while good-faith reporting is protected by statutory criminal and civil immunity.

533 CHAMBERS.COM

Powered by