The Dutch law applies to any company doing business in the Netherlands. So it applies to Facebook and Google as well as local Dutch sites, because they have offices here and accept money from Dutch users/advertisers.

It's almost just like in the real world...

(Also, there's plenty of jurisprudence for that when for instance it comes to online gambling.)

"Doing business" is also complicated.

We're a Dutch not-for-profit, running under a US .org domain name, with some servers hosted in Germany, and our visitors come from everywhere.

Right now the decision is only to annoy Dutch visitors (based on IP), but I've been waiting to implement it until there is some clarity.

What's the penalty for non-compliance in NL?

Maximum penalty is a fine of up to around 450.000 euros.

It is nearly always the case that the country the servers are in, and the country the owners (persons/companies) are in is the relevant law.

Imagine a dutch company with servers in the netherlands, witha .com address. Why would they be exempt from dutch law?

Why would a Dutch company operating a .com on a US server, or an American company operating a .com (or .nl for that matter) on a Dutch server not be exempt?

I'm not arguing either way, and truthfully I'm not sure how I feel about it, but it gets hard to determine jurisdiction when you're talking about an entity (owner + domain + site files/server) being split across multiple jurisdictions.

Your server don't have to be in the US to operate a .com (or in netherlands to operate a .nl).

Sometimes laws can be written as "a person/company shall not cause personal data to be stored without users consent" (say). So if you, in the Netherlands, programme your server in the US to store personal data without consent, then you might be breaking the law. (Since you have caused a computer to do that.)