EU in origin but Netherlands have added to it by requiring companies to be able to retain proof that every user had been asked for their permission. My understanding is that the base version, the EU-wide model, would require companies to show that yes, here's the code, before sending a cookie we request permission; but there's a higher level of proof required in NL.