The cyber resilience of Dutch companies is under pressure. The latest figures from the International Business Report (IBR) show that the number of significant cyber incidents in SMEs and the mid-market is rising sharply. At the same time, the number of companies with structural cyber security policies is declining. Read Grant Thornton's contribution below.

In Q2 2025, 24 percent of the 4083 Dutch entrepreneurs and executives in the SME and mid-market surveyed said their organization had experienced a cyber attack with significant impact. In Q3, that rose to more than 30 percent. In addition to the 30 percent of companies that experienced a significant cyber attack, another 39 percent said they had been affected by limited-impact attacks. That brings the total to nearly 70 percent of Dutch companies having experienced cyber attacks, a signal that the threat is real.
Interestingly, the proportion of companies indicating they "don't know" whether they have been attacked remains stable around 20 percent. This indicates a lack of monitoring and insight. Smaller organizations seem especially vulnerable: they are more likely to be targeted because of their limited security capacity, while not always being aware of the severity of the threat.
Whereas in Q2 20 percent of companies were still expecting an increase in cyber threats, in Q3 that rose to over 31 percent. Despite these experiences, 55 percent of companies think the threat level will remain about the same over the next 12 months. At the same time, the number of organizations that think the risk remains the same is falling. Perceptions are changing, but the translation to action is lagging. External factors such as AI-driven attacks and geopolitical tensions play a role in this. Hybrid operating models also provide a larger attack surface, especially in SMEs that have not adapted their security to this new reality. Yet the SASI report shows that more than 60 percent of SMB user accounts still do not have Multi-Factor Authentication (MFA) activated. Guest users are often not monitored, creating additional risks.
In Q2, 64 percent of companies said they had a comprehensive cybersecurity policy with regular updates and testing. In Q3, that dropped to 54 percent. In addition, the survey found that 28 percent of companies rely on basic measures and 25 percent primarily respond to incidents on an ad hoc basis. At 13 percent of companies, cyber resilience is barely considered. The number of companies that primarily respond ad hoc or have hardly any measures in place is increasing slightly. This indicates a gap between risk perception and actual resilience. Many SMEs struggle to maintain policies structurally due to limited capacity. There seems to be 'compliance fatigue' or an underestimation of the need. Reactive policies are no longer sufficient: those who wait for something to happen are behind the times. External analyses show that many SMEs only take action after an incident, leading to higher costs and greater damage.
The NIS2 directive is gaining traction. In Q3, 35 percent of respondents are very familiar with the directive and are working toward compliance, up from 24 percent in Q2. Still, nearly one in five respondents (19 percent) are hardly or not at all familiar with it. Especially in sectors without direct supply chain responsibility, the urgency does not seem to have caught on yet. There is confusion about applicability and obligations, especially for companies indirectly affected by the compliance requirements of their clients. Besides NIS2, several other pieces of legislation require organizations to increase their digital compliance, ranging from operational resilience in the financial sector (DORA) to stricter rules for AI applications and data sharing (AI Act and Data Act). It is essential for companies to stay abreast of these developments and take timely measures to comply with the new requirements. Non-compliance can lead to fines and reputational damage.
The numbers show that awareness is growing, but structural action lags behind. That is a risk. Cybersecurity is not an IT issue, but a strategic theme. Especially in SMEs and the mid-market, where the impact of an attack can be felt immediately, proactive policy is essential.