Dutch Cybersecurity Ratings Mask Critical Gaps in Monitoring and Supply Chain Defence
Amsterdam, Monday 19 January 2026
Despite awarding themselves a solid 7.1 resilience score, Dutch organisations face a dangerous reality gap, with 30 per cent rarely practising crisis response mechanisms.
The Illusion of Preparedness
While 67 per cent of respondents feel prepared for a cyber incident, this confidence appears misplaced given that nearly a third of organisations rarely or never practice their response protocols [2][3]. The Cyberweerbaar Nederland 2026 report, published on 18 January 2026 by KPN, surveyed over 250 IT and security professionals across vital sectors such as energy, healthcare, government, and financial services [1][2]. The data exposes a structural disconnect: operational staff assess organisational maturity significantly lower than management, citing governance and decision-making as key friction points [1][4]. Chantal Vergouw, Chief Business Market at KPN, warned that without clearly assigned ownership, vulnerabilities remain unaddressed and incidents are solved on an ad-hoc basis [1].
The Human Cost of Cyber Crises
Beyond the technical and financial implications, the human toll of cyber incidents is often underestimated. Research highlights that one in seven individuals involved in a cyberattack still experiences trauma symptoms two years later [5]. Inge van der Beijl, Director of Innovation at Northwave, emphasised the “insanely high” pressure on employees during such crises, noting that essential personnel sometimes drop out due to stress and overwork [5]. Effective crisis management requires acknowledging that these events are human crises as much as technical ones; experts argue that mental resilience must be integrated into crisis preparation alongside technology and forensics [5].
Escalating Geopolitical Threats
The urgency for improved resilience is underscored by an increasingly volatile geopolitical landscape. On 18 January 2026, the Cyber Security Council warned that cyber operations have become primary attack vectors capable of societal disruption, estimating that a €690 million investment is necessary to protect vital processes against state actors [6]. This warning follows the sabotage of Polish energy infrastructure in December 2025, where decentralised communication protocols were exploited to create critical vulnerabilities [6]. In this context, the 38 per cent of Dutch organisations reporting insufficient security budgets face a precarious future, although two-thirds expect budget increases in the coming period [2][3].