
Cyber Resilience: The Silent Test Every Dutch Company is Already Taking

From Firewalls to Full-Scale Governance: Why Cyber Resilience Is Now a Boardroom Duty
August 13, 2025 by Paolo Maria Pavan

In 2024, one in five Dutch companies learned the hard way what “cyber incident” really means. For large corporations, it was three in ten. The first blow? Financial loss. Then came the data breaches. And finally, the operational standstill that turns a boardroom into a war room.

The survey by ABN AMRO and MWM2 was clear: almost every organisation has already been hit once. The twist? They’re still confident. In fact, smaller companies seem particularly assured in their own defences, a confidence built on antivirus software, firewalls, and a belief that “it won’t happen to us.”

But here’s the problem: prevention without detection is like locking your front door while leaving the windows open. And recovery planning? For many, it’s an afterthought. That’s where financial losses snowball and reputations evaporate overnight.

The Geopolitical Layer Nobody Wants to Talk About

The digital domain is no longer just a playground for teenage hackers and ransomware gangs. It’s now an arena for geopolitical conflict. State actors, yes, the ones you read about in the news, are quietly collaborating with cybercriminals, targeting supply chains, critical infrastructure, and healthcare systems.

Their mission? Destabilise, weaken, and distract.

Their method? Slip in through the weakest link.

And yet, only nine percent of companies see state actors as a serious threat. This is the governance equivalent of standing in the rain without realising you’re wet.

The Legislative Clock is Ticking

Europe has already decided that cyber resilience is not optional. The NIS2 Directive and the Cyber Resilience Act are not policy experiments; they are binding rules that bring risk management, incident reporting, and supply chain security into the legal DNA of essential sectors.

But awareness is shockingly low.

  • Two-thirds of large companies have heard of NIS2.
  • Fewer than half of SMEs have.

Even if your company is too small to be directly in scope, your customers and suppliers may not be. That means compliance questions will land on your desk whether you like it or not. And when Q3 arrives, so does enforcement.

Why SMEs Are the New Prime Target

Larger corporations have hardened their digital fortresses. The result? Attackers are pivoting toward SMEs, where defences are thinner and the blast radius can still reach far into the supply chain.

A breach in one SME can ripple out to suppliers, partners, and sometimes entire sectors. This is why cyber resilience is no longer a private problem; it’s a network responsibility.

The Governance Takeaway

Cybersecurity is no longer an IT department’s technical project. It is a governance obligation, a compliance requirement, and a strategic survival issue. The companies that treat it as such will not only weather the inevitable incidents; they’ll be trusted players in a market that increasingly values reliability over speed.

If you’re still thinking of cyber resilience as a cost, you’ve already lost the opening move. In 2025, it’s your license to operate.
