The KPN study Cyber Resilient Netherlands 2026 shows that Dutch organizations rate their digital resilience at an average of 7.1. This seems reassuring, but that number conceals an important tension. For example, 67 percent of organizations feel prepared for a cyber incident, while only 28 percent systematically practice incident response and crisis management.
The difference between feeling prepared and actually being prepared is therefore significant. In practice, cyber resilience often turns out to depend on isolated measures rather than a cohesive whole of policy, technology, and behavior.
Cyber resilience is mainly at 'basic level'
To make digital resilience measurable, the researchers work with a maturity model with four levels: reactive, basic, strategic, and visionary. Most Dutch organizations are in the basic phase. Processes and responsibilities are set up, but not yet fully integrated into the organization or structurally anchored in business operations.
Particularly in areas such as compliance, architecture, and crisis planning, organizations score relatively better. At the same time, themes such as security monitoring, budget & resources, and having a clear security roadmap lag behind. Only 16 percent have a roadmap at the executive level, where prioritization and coherence are determined.
Governance and awareness are decisive
A recurring insight from interviews with CISOs and CIOs: cyber resilience is not an IT affair. Governance and organization-wide awareness turn out to be prerequisites, not side issues. Only when responsibilities are clearly assigned and the board is actively involved is there room for structural improvement.
Organizations that see security solely as a technical issue often remain stuck in reactive measures. Where management and the board show ownership, cyber resilience becomes an integral part of risk management and strategic decision-making.
Blind spots: supply chain security, monitoring, and IAM
The research reveals several vulnerable points:
- Supply chain security: only 23 percent of organizations have mature supplier risk management. Almost one in ten organizations does not even have a complete overview of suppliers.
- Identity & Access Management (IAM): 5 percent still operate without multi-factor authentication (MFA). Additionally, 39 percent only have MFA on critical systems, while identity misuse is a common attack vector.
- Security monitoring: 33 percent of organizations lack continuous, organization-wide insight. Monitoring is often limited to core systems, while attacks move laterally through networks.
These blind spots make it clear that isolated technical solutions are insufficient without cohesive management.
Investments are increasing, but remain under pressure
On a positive note, 66 percent of organizations expect to increase their security budget in 2026. At the same time, 38 percent of security professionals believe that the available resources are inadequate. Investments are primarily directed towards monitoring & detection, IAM, strategy development, and security awareness.
These choices align with the experienced risks, but also emphasize that cyber resilience is not a one-time investment. It requires continuous adjustment, evaluation, and practice.
Seven tips to strengthen digital resilience
For organizations that want to grow from 'basic' to 'strategic' level, here are some concrete points of attention:
1. Anchor cyber resilience in governance
Explicitly establish cyber resilience at the executive level, including priorities, budget, and mandate for the CISO.
2. Work with a cohesive security roadmap
Link technology, processes, and human behavior to clear objectives and measurement points.
3. Make MFA and least privilege the norm
Implement identity & access management organization-wide, without exceptions that increase risks.
4. Practice incident response structurally
A plan on paper is not enough. Regular practice under realistic conditions demonstrably increases crisis capability.
5. Strengthen supply chain security
Map suppliers and cloud dependencies and integrate them into risk management.
6. Invest in continuous monitoring
Go beyond just logging and ensure active follow-up and organization-wide insight.
7. Make security part of daily behavior
Awareness and training are not one-off campaigns, but an ongoing process.
From feeling to demonstrable resilience
Digital resilience in the Netherlands has a solid foundation, but true maturity requires more coherence, ownership, and practice. As long as self-confidence is not supported by demonstrable processes and behavior, cyber resilience remains vulnerable.
Organizations that structurally connect governance, technology, and human action are better prepared for a threat landscape that is constantly evolving.