PONT Data&Privacy

Greater focus on cybercrime prevention

The hack at Clinical Diagnostics exposed a painful weakness. Companies and institutions appear to fall short in shielding sensitive information from misuse or criminal infiltration. After a major incident, there is a long way to go to restore broken trust. The data breach at Clinical Diagnostics led to the announcement of further investigations by the Health Care and Youth Inspectorate, the Autoriteit Persoonsgegevens and the Openbaar Ministerie, among others. Lawyers, meanwhile, are preparing mass claims.

September 22, 2025

Clinical Diagnostics remains silent about the exact circumstances of the hack and about what has been done to prevent a recurrence. Meanwhile, the social upheaval is enormous. One in three Dutch people has doubts about participating in new screenings by Bevolkingsonderzoek Nederland, a Hart van Nederland panel survey of August 29, 2025 showed. It is a further blow on top of the finding that over two million Dutch people are affected by some form of online crime every year (source: Cybercrime Picture 2024 | KortOM | Opportuun). In addition to the enormous financial damage to people and businesses, trust in each other and in the digital infrastructure is constantly being tested.

Tightly configured control frameworks cannot simply rebuild broken trust. Above all, organizations must develop a good antenna for identifying and dealing with new threats in time. Administrators, the experts involved and employees on the shop floor must each contribute to prevention from their own roles. Without up-to-date knowledge of the external context (including the risks of using AI and possible criminal modi operandi), effective digital resilience is an illusion.

Prevention requires a comprehensive, integrated approach in which the private sector plays an important role, as the aforementioned Cybercrime Picture 2024 report also states. Illustrative of this is the strong incentive for prevention built into criminal law in the United Kingdom. As of Sept. 1, 2025, the revised Economic Crime and Corporate Transparency Act is in effect. Companies that do not do enough to prevent fraud (including corruption, data theft and other forms of financial economic crime) are now at risk of criminal prosecution. To accompany it, the U.K. Home Office has published the Failure to Prevent Fraud Guidance, with examples and elaborated principles that also apply to digital fraud. It highlights the importance of demonstrable "top level commitment," regularly conducted compliance risk assessments, due diligence in the chain, communication and training.

However, more is needed to avoid repeating old mistakes. To maintain the "corporate memory" in large organizations, an upgrade of processes, systems and procedures is not enough. Risk management only thrives in a culture in which everyone keeps each other on their toes, everyone can call each other to account and there is good cooperation between the various disciplines. A good measure of success is the extent to which employees feel involved in achieving the set goals, are sufficiently equipped for their tasks and enjoy going to work. Prevention pays off especially right at the gate, just as managers in the financial sector are tested in advance for their suitability, also in the context of maintaining digital resilience.

When tendering for large projects, too, the government can set appropriate conditions for the prevention of fraud and (cyber)crime from the outset and strengthen the integrity culture of tendering parties. When tendering for new projects, the government can apply the measures recommended by the National Cyber Security Center for compliance with the duty of care enshrined in the European NIS2 directive, and also monitor compliance with these measures. It is obvious that the costs of doing so far outweigh the importance of better management of the risk of cybercrime.
