The CBS Cybersecurity Monitor 2024 shows that the Netherlands is becoming more digitally resilient. Companies are increasingly taking measures, the number of successful cyberattacks is decreasing, and the government is taking additional steps with legislation and investments. However, this does not mean your organization can rest on its laurels. In fact, now is precisely the time to assess your position relative to other companies in the Netherlands and the rest of Europe.
Fewer Attacks, but Higher Threat
First, the good news: large Dutch companies report significantly fewer external attacks than a few years ago. In 2016, 40% reported being a victim; in 2023, this was only 16%. Furthermore, only 1% of companies actually experienced ransomware. Compared to the European average (where more than 1 in 5 companies reported a security incident in 2023), the Netherlands performs above average.
However, this does not mean the threat is diminishing. Phishing, ransomware, and supply chain attacks remain a serious challenge. After all, a breach at a supplier can just as easily cripple your company.
Investing Pays Off
Dutch companies spend an average of 17% of their IT budget on cybersecurity. This is comparable to the rest of the EU, but it is striking that more than 70% of organizations have increased their security budget in the past two years. Why? Because the costs of a single serious incident are often much higher than the structural investment in security.
In addition, the government is allocating substantial funds: with the National Cybersecurity Strategy 2022–2028, €111 million is available to strengthen resilience. The EU also supports businesses and governments, for example, through the Digital Europe program. This means there are ample opportunities to utilize subsidies, support, and knowledge sharing.
Legislation: Stricter Rules Ahead
What you, as an entrepreneur, truly need to consider is the new legislation. The NIS2 Directive and the Cyber Resilience Act will introduce much stricter requirements starting from 2024/2025. These include mandatory incident reporting within 24 hours, higher fines for negligence, and mandatory security standards for products and software.
The Netherlands leads the EU with a broad package of measures and strong public-private cooperation (NCSC and Digital Trust Center). However, here too, the legislator expects you to have your affairs in order. Waiting until the rules come into effect is no longer an option.
Security Measures: How Do You Score?
The monitor shows that 61% of Dutch companies now use multi-factor authentication (MFA), well above the EU average of 40%. Strong password policies are also on the rise: 72% of companies have a policy, although many countries perform even better here. Large companies are frontrunners: almost 100% use MFA, while among micro-enterprises the figure is still below 60%.
Other measures vary: encryption and VPNs are the norm for large organizations, but far from it for smaller companies. And notably: only 17% of Dutch companies have taken out cyber insurance. This leaves a large portion unnecessarily financially vulnerable.
What Can You Do Now?
The figures are clear: the Netherlands is performing well, but there is still a significant gap between large companies and SMEs. You can close that gap by taking three steps today:
- Check your basic measures: antivirus, firewalls, backups, and MFA should no longer be a point of discussion for you.
- Invest smartly: assess whether your current IT budget allows sufficient room for cybersecurity. If not, set priorities and create a plan.
- Prepare for new legislation: inventory which rules apply to your company and ensure you are compliant before the obligations take effect.
By taking action now, you not only reduce the risk of an incident but also strengthen the trust of customers, suppliers, and partners.
Do you have doubts or questions about your company’s digital resilience?