According to the KPN research Cyber Resilient Netherlands 2026, Dutch organizations rate their digital resilience at an average of 7.1. That seems reassuring, but the number conceals an important tension: 67 percent of organizations feel prepared for a cyber incident, while only 28 percent practice incident response and crisis management on a structural basis.
The gap between perceived and actual preparedness is therefore significant. Cyber resilience often turns out to depend on isolated measures rather than on a coherent whole of policy, technology, and behavior.
Cyber resilience is mainly at 'basic level'
To make digital resilience measurable, the researchers work with a maturity model with four levels: reactive, basic, strategic, and visionary. Most Dutch organizations are in the basic phase. Processes and responsibilities are set up, but not yet fully integrated into the organization or structurally anchored in the business operations.
Organizations score comparatively well in areas such as compliance, architecture, and crisis planning. At the same time, themes such as security monitoring, budget & resources, and having a clear security roadmap lag behind. Only 16 percent have a roadmap at the executive level, where prioritization and coherence are determined.
Governance and awareness are decisive
A recurring insight from interviews with CISOs and CIOs: cyber resilience is not an IT matter. Governance and organization-wide awareness prove to be prerequisites, not side issues. Only when responsibilities are clearly assigned and the board is actively involved does room for structural improvement emerge.
Organizations that see security solely as a technical issue often remain stuck in reactive measures. Where management and executives show ownership, cyber resilience becomes an integral part of risk management and strategic decision-making.
Blind spots: supply chain security, monitoring, and IAM
The research reveals several vulnerable points:
- Supply chain security: only 23 percent of organizations have mature supplier risk management. Almost one in ten organizations does not even have a complete overview of suppliers.
- Identity & Access Management (IAM): 5 percent still operate without multi-factor authentication (MFA). Additionally, 39 percent have MFA only on critical systems, while identity misuse is a common attack vector.
- Security monitoring: 33 percent of organizations lack continuous, organization-wide insight. Monitoring is often limited to core systems, while attacks move laterally through networks.
These blind spots make it clear that isolated technical solutions are insufficient without coherent management.
Investments are increasing but remain under pressure
The positive news is that 66 percent of organizations expect to increase their security budget in 2026. At the same time, 38 percent of security professionals believe that the available resources are inadequate. Investments mainly go to monitoring & detection, IAM, strategy development, and security awareness.
These choices align with the risks organizations experience, but they also underline that cyber resilience is not a one-time investment. It requires continuous adjustment, evaluation, and practice.
Seven tips to strengthen digital resilience
For organizations looking to grow from 'basic' to 'strategic' level, here are some concrete focus points:
1. Ensure governance anchoring
Explicitly establish cyber resilience at the executive level, including priorities, budget, and mandate for the CISO.
2. Work with a coherent security roadmap
Link technology, processes, and human behavior to clear objectives and measurement points.
3. Make MFA and least privilege the norm
Organize identity & access management organization-wide, without exceptions that increase risks.
4. Practice incident response structurally
A plan on paper is not enough. Regular practice under realistic conditions demonstrably increases crisis capability.
5. Strengthen supply chain security
Map suppliers and cloud dependencies and integrate them into risk management.
6. Invest in continuous monitoring
Go beyond just logging and ensure active follow-up and organization-wide insight.
7. Make security part of daily behavior
Awareness and training are not one-time campaigns but an ongoing process.
From feeling to demonstrable resilience
Digital resilience in the Netherlands has a solid foundation, but true maturity requires more coherence, ownership, and practice. As long as self-confidence is not supported by demonstrable processes and behavior, cyber resilience remains vulnerable.
Organizations that structurally connect governance, technology, and human action are better prepared for a threat landscape that is constantly changing.