New Research: Dutch Organisations Rate Cyber Resilience at 7.1, Yet Structural Gaps Remain

Dutch organisations rate their own cyber resilience at an average 7.1 out of 10, but one in three still does not feel prepared for a cyberattack. This is one of the key findings of Cyber Resilient Netherlands 2026, a new study by KPN and Security Innovation Stories. The research shows that while awareness is growing, many organisations remain stuck at a basic level of cyber maturity.

A solid pass, but is it enough?

On paper, a 7.1 appears reassuring. However, the study focuses on organisations that form the backbone of Dutch society, including critical infrastructure and public services. In that context, the question arises whether a “comfortable pass” is truly sufficient. Nearly 10 percent of organisations even rate their own cyber resilience as inadequate.

Moreover, only 56 percent have explicitly embedded information security in annual plans and roadmaps, indicating that cybersecurity is not yet structurally anchored in strategic decision-making across the board.

Policies in place, practice lagging behind

Although cybersecurity has gained prominence at executive level, the study reveals a gap between policy and practice:

• 5 percent of organisations still operate without multi-factor authentication (MFA);

• 39 percent apply MFA only to critical systems, leaving other environments more exposed;

• just 23 percent have supply chain security at a mature level;

• 33 percent lack continuous, organisation-wide monitoring and detection;

• while 67 percent say they feel prepared for a cyber incident, only 28 percent regularly practise crisis scenarios;

• only 16 percent have a security roadmap at board level.

These shortcomings increase the risk that incidents are detected too late or handled ineffectively during the critical first phase.

Rising budgets, persistent debate

There is positive news: 66 percent of organisations expect their security budgets to increase in 2026. At the same time, 38 percent of professionals still consider the available budget insufficient. This raises the question whether higher spending alone will lead to greater cyber resilience, or whether clearer priorities and governance are needed.

Priorities for 2026: regulation, AI and people

Looking ahead, respondents identify stricter regulation such as NIS2, DORA and eIDAS, alongside the secure use of AI and human behaviour as top priorities for 2026. These themes underline that cyber resilience is not only a technical issue, but also an organisational and cultural challenge.

Different perspectives at board and operational level

According to Chantal Vergouw, Chief Business Market and member of the Executive Board at KPN, there is a noticeable perception gap.

Chantal Vergouw, KPN: “IT and security professionals consistently rate their organisation’s maturity lower than management does. They see where things break down: governance, security monitoring and crisis preparedness. Cyber resilience depends on clearly assigned ownership and decision-making. When this is missing, vulnerabilities linger and incidents are handled ad hoc.”

Bram de Bruijn, founder of Security Innovation Stories, adds nuance:
“Security professionals tend to be critical of their own work. At the same time, we see that executives increasingly understand the potential impact of cyber incidents. The challenge is to translate this awareness into structural decisions and well-practised continuity plans.”

Starting a dialogue on cyber resilience

Cyber Resilient Netherlands 2026 is intended as an invitation to dialogue rather than a judgement. Based on insights from more than 250 respondents and 19 in-depth interviews with IT and security professionals many working in critical sectors the study highlights the need for sustained attention to security roadmaps, identity and access management, crisis preparedness, supplier management and continuous monitoring.

The full report is available in Dutch.

source: Digitale weerbaarheid: tekort aan monitoring, oefendiscipline en ketenbeveiliging remt volwassenheid

Photocredits: Sasiistock