Dutch companies strengthen against cyberattacks, but gaps remain
Cyberattacks are increasing and becoming more sophisticated. Dutch companies are shielding themselves, yet more remains to be done.
Published on June 25, 2025

Mauro swapped Sardinia for Eindhoven and has been an IO+ editor for 3 years. As a GREEN+ expert, he covers the energy transition with data-driven stories.
As the second day of the NATO Summit takes place in The Hague, digital security is a crucial part of the agenda and a growing concern for everyone. Dutch companies are increasingly affected by the threat of cyberattacks. A previous report by the bank ABN AMRO and research firm MWM2 highlighted that one in five businesses in the Netherlands experienced damage from a cyberattack in 2024. The analysts also highlighted the unpreparedness of companies to comply with the new cyber resilience standards established by the European NIS2 Directive and the Cyber Resilience Act.
According to a new analysis conducted by the government statistics agency CBS, in 2024, 61% of businesses used two-factor authentication (2FA), up from 26% in 2021. Furthermore, nearly three-quarters of companies implemented a password policy. The figures refer to customer and employee accounts.
2FA and password policies are two of the most common ways to bolster account security. The former is a way of logging in that, in addition to the password, also requires a one-time code to access the account. You might have set it up yourself on some of your personal accounts. A password policy sets requirements for creating an account's password, such as a minimum number of characters and the inclusion of numbers and special characters.
Different uses of two-factor authentication
Although, as seen in the line chart above, both the use of 2FA and password policy have increased significantly in the past few years, adoption varies greatly. Larger companies, defined by CBS as those with over 250 employees, are more likely to use 2FA than smaller ones. According to the analysts, the same trend is also observed in the share of organizations implementing a password policy.
The primary strength of two-step authentication is that it adds an extra layer of security against cybercriminals, preventing them from gaining unauthorized access to a specific account. This makes it harder for a criminal to access an account, even if they have stolen the password. For this reason, 2FA is one of the most widely employed security measures. Yet, its application differs across industries. Information technology and communication (IT) companies are among those that use two-step verification the most.
The threat is ever present
The CBS researchers highlight, in their closing remarks, that as more measures are being enforced, the number of incidents is declining. The statistics institute reports that in 2017, about 40% of the largest companies reported suffering an attack in the previous year. Figures for last year suggest this number decreased to 16%.
Yet, the threat of cyberattacks remains, driven by geopolitical tensions and the rise of AI and deepfakes. Russian hackers, as reported by the Military Intelligence and Security Service (MIVD), are noted for their activities. The MIVD discovered a Russian attack on the digital systems of a Dutch public facility, marking the first sabotage action of this kind.
In addition, these hackers have been active in mapping critical infrastructure, such as undersea cables, and targeting the websites of political parties and public transportation companies. The MIVD notes that the Netherlands will continue to be a critical target in the years to come.
These attacks have massive economic repercussions. Experts forecast the global economic cost of cybercrime to rise to $10.5 trillion annually this year, up from $3 trillion ten years ago. In Europe, the public administration sector is the most affected, accounting for 20% of total attacks, according to the European Union Agency for Cybersecurity.
Enforcing regulation
In response to the rise of cyberattacks, the EU has approved, and is still working on, a series of directives targeting companies and consumers. The directives are then transposed into national laws by member states.
New cybersecurity standards have been in effect for companies since the approval of the Network and Information Security (NIS2) directive. NIS2 aims to enhance the security of essential services, including energy, banking, and healthcare. It sets stricter security standards and incident reporting requirements. For instance, the directive introduces a duty of care, requiring organizations to conduct risk assessments and to take measures accordingly. The bill implementing the NIS2 directive was presented to the Dutch House of Representatives.
Additionally, the Cyber Resilience Act (CRA) came into force last year, introducing stringent cybersecurity requirements for products entering the EU market. The CRA covers speakers, cameras, operating systems, and games, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products. Under this regulation, a device equipped with a camera and microphone would have to be designed with security features such as encryption and authentication, and receive security updates for at least five years, among other requirements. By 2027, all products must comply with the CRA.