Cyber resilience of Dutch companies falls short of threat level
One in five Dutch companies was hit by a cyber attack in 2024. Among large enterprises, the figure was almost three in ten. Financial damage was the most common consequence, followed by loss of data and disruption of business processes. This is according to research conducted by ABN AMRO and MWM2 among 788 companies.
ABN AMRO 23 May 2025
It is striking that almost all organizations have had to deal with a cyber incident at some point, yet confidence in their own digital resilience remains high. Smaller companies in particular overestimate their resilience. They focus mainly on preventive measures, such as antivirus software and firewalls, but still pay too little attention to detecting attacks, responding rapidly and recovering properly after a hack.
According to ABN AMRO, this is worrisome. After all, the damage from a successful attack can add up quickly. If customers lose trust, processes grind to a halt for long periods of time or valuable knowledge falls into the hands of malicious parties, there may even be a strategic risk.
New digital threats make the situation even more complex. Generative AI and deepfakes increase the risk of deception and disinformation. At the same time, geopolitically motivated attacks continue unabated. The gap between the real threat and companies' perception of risk is large.
"Geopolitical tensions lead to cyber incidents, even in the Netherlands. For example, state actors are aiming their arrows at the digital chains of companies, often working with cyber criminals," said Julia Krauwer, sector banker TMT at ABN AMRO. "Authoritarian regimes use the digital route to create chaos and weaken Europe. They attack specific targets - such as critical infrastructure and the healthcare sector - through weaker links in the chain. It is therefore important for every organization to take responsibility for our collective digital resilience. Yet only 9 percent of companies consider state actors a serious threat."
Meanwhile, additional pressure is also coming from Europe. New legislation such as the NIS2 Directive and the Cyber Resilience Act requires companies to actively manage risk, report incidents and take responsibility for their supply chains. Yet awareness of these rules is still limited. Only two in three large companies and fewer than half of SMEs know what NIS2 entails. Krauwer: "Although many SMEs do not have to comply with NIS2 directly because of their size, they do run the risk of having to deal with the law indirectly. SMEs may be surprised if they are questioned by NIS2-compliant customers about their cybersecurity and have requirements imposed on them. Also, many of the companies that have to meet these obligations have yet to take the final steps. It is crucial that they work on this as the law goes into effect in the third quarter of this year."
According to Richard Verbrugge, Information Security Risk Officer at ABN AMRO, cybercriminals are choosing their targets more and more cleverly. "We see that cybercriminals are increasingly targeting SMEs because larger companies have their security in place better. However, many SMEs are not sufficiently aware of the cyber risks they are exposed to. For example, a cyber attack can affect not only companies, but also their suppliers and sometimes even the entire chain."
ABN AMRO supports entrepreneurs who want to increase their digital resilience. The bank helps businesses protect their data, privacy and transactions, organizes informative webinars and works with cybersecurity partner MMOX to provide tailored advice. Only if companies cooperate and take responsibility can digital resilience in the Netherlands really improve.