From 19 June 2026, withdrawal must be as easy as signing up. The law strictly covers the first fourteen days. And that is exactly where most companies fall into the trap.
A colleague of mine won an argument last week about the new cancellation button. According to him, most people are missing the point: the law is not about cancellation at all, but only about withdrawal within fourteen days.
He was right. I looked it up and the legal text supports him. Only that changes nothing about what you should do.
Because behind that one button there is no technical assignment. There is an underlying question that most companies would rather not ask out loud: how easy do you actually make it for your customer to leave? And the answer you give to that over the coming months says more about how you see your customers than any brand promise on your homepage.
TL;DR
- Legally, the law only covers withdrawal, not regular cancellation — but that does not shrink the strategic imperative.
- One information compliance mistake extends the cooling-off period to 12 months: customers can cancel daily, cost-free, for nearly a year.
- Mandatory login is no longer permitted, but you may still request identifying data via a form or magic link.
- Germany shows the direction: one frictionless exit flow for both withdrawal and cancellation is more efficient than separate buttons per deadline.
- The legal minimum and the best customer experience are closer together than most companies realise.
Why your colleague is legally right
Let's be precise, because this is where almost every LinkedIn post about this law already goes wrong. The market calls it a cancellation button. Legally that is incorrect. The law introduces a withdrawal function, and that is different from a cancellation function.
The distinction is razor-sharp. Withdrawal is your statutory right to undo an online contract within the cooling-off period, as if it never existed. That cooling-off period is fourteen days as standard. Cancellation is the regular termination of a running contract after that cooling-off period. Two different things, two different rights, two different moments.
The new obligation comes from Directive (EU) 2023/2673 (opent in nieuw venster) and is anchored in the Netherlands in the new Article 6:230oa of the Civil Code. The core is that digital withdrawal must be no harder than concluding the agreement. Whoever signs up with a few clicks must be able to withdraw with a few clicks. The button must carry legally required labels such as "withdraw the agreement here", and strictly speaking it only needs to be available during the withdrawal period. After those fourteen days the obligation for this specific button under this directive lapses.
So yes, my colleague is right. Someone wanting to cancel on day fifteen cannot rely on this directive. And a company that reads only the legal text may make its regular cancellation process as complicated as it likes after that.
That is exactly where it goes wrong.
The fourteen days are not a hard boundary
Before I get to strategy, there is a legal complication that makes my colleague's position less absolute.
That fourteen-day boundary is not set in concrete. If you do not correctly and fully inform the consumer in advance about the existence and location of the withdrawal function — for instance because your general terms and conditions have not yet been updated — the cooling-off period does not simply expire. As a sanction, the withdrawal period is extended to a maximum of twelve months on top of the original fourteen days. This is set out in Article 6:230o paragraph 2 of the Civil Code and is not a new penalty but existing law since 2014. What is new is that information about the withdrawal function now falls under the pre-contractual information obligation, which means a careless mistake there can earn you the same extension.
Do the maths on what that means. A compliance slip in your flow turns a standard cooling-off period of fourteen days into a contract from which a customer can walk away daily for nearly a year, with the right to full restitution. In that scenario, the withdrawal function is not "done after fourteen days" at all. It haunts you for twelve months.
That is not a detail in the fine print. That is an open nerve running through your entire portfolio, and precisely why "it only applies for fourteen days" is a dangerous starting point.
The login trap: why good intentions will soon no longer be allowed
And most of the processes I see in the market are not maliciously designed. Quite the opposite.
Last month I spoke with a director who explained to me why termination at his company deliberately runs through the personal account area. Not to frustrate customers. But because that way he receives neat, structured data instead of a half-filled email that his staff cannot do anything with. An email without a policy number, without the correct name spelling, without a clear start date. An email that only leads to questions, follow-up calls and frustration. On both sides.
That is a fair argument. I completely understand his logic. The problem is that the law on withdrawal will soon say: you may not force a customer to log in or create an account to use the withdrawal button. The personal account area as a compulsory gateway disappears, at least for those first fourteen days.
And look what happens then. The reflex of most companies becomes: "Fine, we'll strip out the login for withdrawal and put up an open form." Problem solved, box ticked. But that brings you back to exactly the messy email that you were trying to prevent with your personal account area. You have met the legal requirement and broken your own process.
The customer's interest and the company's interest are not the same problem
The mistake lies in the assumption that you have to choose. Either you protect the customer with a low-threshold button, or you protect your own process with structured data. As if one comes at the expense of the other.
But that is not right. They are two separate problems that you can solve independently.
The customer's interest is: I want to be able to leave without being held hostage by a password I have forgotten, an account I never created, or an app I do not want to download. Simplicity. No barriers.
The company's interest is: I want to know exactly who is terminating which product, without manual detective work. Identification. Clean data.
The law does not forbid you from getting that data. The law forbids you from making login a mandatory condition. That is a fundamental difference. You may still offer login, voluntarily, as the fastest route for those already logged in. You may ask for a limited number of fields that you need to find the policy. What is not allowed is putting up a wall.
The solution that serves both interests has existed for a long time. A form that asks for exactly the data you need to identify the contract, connected to your system so the data arrives structured. Or a magic link with a one-time code: the customer enters their email address, receives a secure link or a One Time Password by email, and confirms thereby that they are who they claim to be. No password to remember, no account to create, but a verified identity and clean data on your side. The customer experiences simplicity. You get structure. Nobody loses out.
It was never a choice between the two. It only felt that way because the personal account area happened to do both.
Where the legal text and reality diverge
Now comes the point at which I concede my colleague his legal rightness and still disagree with him strategically.
Suppose you do it exactly according to the letter. You build a frictionless withdrawal button for the first fourteen days, because you have to. And on day fifteen you hide regular cancellation again behind a mandatory phone call or a deeply buried PDF form, because you are allowed to. Legally watertight.
Only that chafes on two sides.
First, that same Directive 2023/2673 also contains stricter rules against dark patterns, against steering and misleading interface designs. If you make withdrawal within fourteen days possible in two clicks because you must, but then suddenly hide cancellation on day fifteen, you are on thin ice. The spirit of the law points in exactly the opposite direction from your construction. I wrote about this earlier in my blog on the dark-patterns ban and the cancellation button, and the thread is the same: the time when you could subtly hold customers with design tricks is over.
Second, and more importantly, no customer feels the difference between day fourteen and day fifteen. For you that is a legal dividing line. For the customer it is arbitrary. They do not understand why yesterday they could leave with one click and today they suddenly have to call. They only remember that you made it difficult at the moment they wanted to leave. And they tell others about that experience.
You can therefore follow the legal text to the exact day and still deliver the worst customer experience in your market.
What Germany shows us
Across the border you can already see where this is heading.
Germany has had a mandatory Kündigungsbutton since 1 July 2022 — a real, permanent cancellation button for ongoing contracts, enshrined in paragraph 312k of the Bürgerliches Gesetzbuch. Not a temporary withdrawal button for fourteen days, but a button with which you can cancel a running subscription online at any time. Whoever signs up online must also be able to cancel online. Streaming, energy, telecoms: it applies broadly, and German courts have sharpened the requirements in a series of rulings, up to and including a ban on mandatory login.
With one telling exception: financial services fall outside that German cancellation button. Insurance too. And at the same time Germany is adding a separate Widerrufsbutton from 19 June 2026 — the same EU withdrawal button we are also getting. Germany will then have two buttons side by side: a permanent cancellation button for most sectors, and a temporary withdrawal button for the first fourteen days, with the financial sector partially excluded from the first.
That is precisely the fragmentation you do not want to end up in. A button for this, a button for that, an exception here, a deadline there. Before you know it you are building three different exit routes that only confuse your customer, purely because the legal categories prescribe it that way.
The most efficient route is almost always the reverse: stop rigidly separating withdrawal and cancellation on the basis of day fourteen or fifteen, and build one overarching, frictionless exit flow. One place where a customer can leave, whether they are within the cooling-off period or terminating a running contract. Not because the law literally requires it for financial services, but because the direction is unmistakable and you are making things unnecessarily hard for yourself and your customer by doing it differently.
What "the best version" means in practice
Right, so what does that one exit flow look like? Not as theory, but as something your team can build.
Visible, not hidden. The route to termination should be findable, not tucked away in the terms and conditions or behind a chatbot that redirects you three times. A logical place under a clear label such as "manage my contract" or "end my contract", where a customer instinctively looks.
No mandatory wall. Offer login as the fastest route, but never as the only route. Whoever does not want to or cannot log in always has an open form or a magic link as an alternative. Voluntary, not compulsory. And extend that line to day fifteen, not just to the legally required fourteen days.
Ask for exactly enough, no more. Ask for the fields you need to find the contract and nothing beyond that. Every extra step that does not contribute to identification is soon forbidden territory, and also annoying.
Immediate confirmation. The law requires that the customer immediately receives a confirmation by email. Do not make this an administrative formality but a neat, human closure. "It is arranged, your policy runs until that date, and should you return later you are welcome." A decent farewell is cheaper than a bad review.
A human within reach. The law gives consumers in automated processes the right to contact a real employee. At most companies I see, the handover to a human is already well arranged, so that is rarely where the pain is. But make sure it also applies when terminating. Someone who is unsure whether they want to cancel and briefly speaks to a person is perhaps the customer you could have kept. Not by holding them back, but by helping them.
This is not a long list. It is five choices you can implement in a few weeks if you start now. And that is precisely why "we only tick off the fourteen days" is such a waste. The difference between the legal minimum and the best version is not months of work. It is the question you ask yourself before you begin.
The question you should ask yourself
My colleague asked the question "does this law actually apply after day fourteen?" A good legal question, and he was even right about it. But it is not the question that matters.
The question that matters is: what customer experience do I want to offer at the moment a customer leaves me? Because that moment comes regardless, on day ten or on day two hundred. The only variable you have in your hands is how it feels.
The law is now the stick behind the door. Fine. Use that stick. Everyone in your market must build that withdrawal button before 19 June 2026, and the vast majority will go exactly that far and no further, because they see it as a cost item and read the legal text literally. That is precisely why this is an opportunity. At the moment your entire sector is forced to think about how easy it is to leave, you stand head and shoulders above the rest by not stopping at day fourteen.
Not because you have to. Because it is smart.
Sources
* The European directive introducing the withdrawal function: EUR-Lex, Directive (EU) 2023/2673 (opent in nieuw venster) * Explanation of the withdrawal function, Article 6:230oa Dutch Civil Code and the twelve-month sanction: Rassers Advocaten (opent in nieuw venster) * The link between the information obligation and the extended cooling-off period: Thuiswinkel.org (opent in nieuw venster) * The German Kündigungsbutton and the exception for financial services: § 312k BGB, gesetze-im-internet.de (opent in nieuw venster)