Cybersecurity Assessment 2025: threats diverse and unpredictable, getting basic digital hygiene in order remains crucial

The National Coordinator for Security and Counterterrorism (NCTV) has published the Cybersecurity Assessment Netherlands 2025 (CSBN). The CSBN paints a picture of a digital threat landscape that is becoming increasingly complex and unpredictable. Cyberattacks are becoming more sophisticated, while digital systems are highly interdependent. This development calls for a broad, proactive approach to increase digital resilience. In this article, we highlight the most important points from the CSBN for Dutch companies and organizations.

Digital Trust Center November 26, 2025

Key findings and trends

  1. Digital threats are diverse and unpredictable: The assessment points to a wide variety of incident types, causes, attackers, and degrees of impact. State actors, cybercriminals, and other malicious parties carry out cyberattacks on Dutch targets.
  2. Digital dependencies can entail risks: The Netherlands is dependent on providers from other, often non-European, countries for many digital processes and services. Digital dependencies, such as those on large technology companies from the US, which were not previously considered risky, may become so at a later date. In this context, it is important to identify the potential risks of digital dependencies in order to increase resilience. The risk management roadmap can help companies and organizations in this regard.
  3. Cyberattacks on critical infrastructure: Cyberattacks affect all layers of society, including critical infrastructure. Recently, for example, several attacks on the telecom sector have been observed worldwide. Some of these attacks were long-term in nature and showed that malicious actors had been present in the systems for quite some time.
  4. Generative AI makes attacks easier and more scalable: The rapid development of generative artificial intelligence (AI) makes it easier for actors to carry out attacks. Generative AI can be used in various ways: both to support malicious activities and to defend against threats. At present, generative AI can, for example, automate or improve certain aspects of a digital attack. Existing security measures are still effective against these attacks.

Notable threats to Dutch organizations

  • Attacks on edge devices: Edge devices remain an attractive target for both state and criminal actors. These digital devices, located at the edge of your network, are frequently attacked in order to gain access to the underlying networks using known and unknown vulnerabilities (so-called zero-days). Read how to use edge devices safely.
  • DDoS attacks: Distributed denial-of-service (DDoS) attacks also continue to cause disruptions. Although a DDoS attack cannot be prevented entirely, you can protect your organization relatively well against them. Read how you can limit the impact of DDoS attacks.
  • Supply chain and supplier incidents: Incidents at suppliers or service providers also caused considerable damage to the supply chain last year. In such incidents, customer data was also affected at the companies involved. It is therefore important for your organization to understand its dependencies on suppliers. Where possible, enforce additional security measures.
  • Ransomware and other disruptions: Figures from Project Melissa show that at least 121 unique ransomware incidents occurred in the Netherlands in 2024. In addition to targeted cyberattacks, disruptions also occur that are not the result of malicious acts: software errors have repeatedly been found to be the cause of outages or operational disruptions.

Basic principles increase digital resilience

The conclusion that threats are becoming more unpredictable and complex does not necessarily mean that defending against them is becoming more difficult. Many digital incidents are caused by a lack of basic digital hygiene. For the average organization, this means: don't fixate on the complex threat landscape, but make yourself resilient by following the basic principles set out by the NCSC and DTC. An important part of these basic principles is preparing for incidents, which involves the resilience and recovery capacity of organizations when an incident has occurred.

Entry into force of the Cybersecurity Act (NIS2)

Once the Cybersecurity Act (Cbw) comes into force, a large number of organizations will be required to conduct a risk analysis and, based on that analysis, take appropriate and proportionate measures to secure their network and information systems. The Cybersecurity Act is the national translation of the European NIS2 Directive. This Act is expected to enter into force in the second quarter of 2026. The Act contributes to increasing the digital resilience of the Netherlands and limiting the risks of service failure. The Rijksoverheid advises organizations not to wait until the Cbw comes into force. After all, the risks to organizations and systems already exist. Organizations that take action now will not only protect themselves against these existing risks, but will also be better prepared for the arrival of the new legislation.

Progress of the Dutch Cybersecurity Strategy

In 2022, the government presented the Dutch Cybersecurity Strategy (NLCS) with the aim of creating a digitally secure and resilient Netherlands. Simultaneously with the CSBN2025, the progress report on the NLCS was sent to the House of Representatives. It is necessary to strengthen the commitment to the implementation of the Dutch Cybersecurity Strategy (NLCS). The government takes the risks of digitization seriously and emphasizes the need to continue to focus urgently on the implementation of the NLCS, the implementation of the revised Network and Information Security Directive (NIS2), and the Cyber Resilience Act (CRA).

Download the Cybersecurity Assessment 2025 here
