Are Dutch organisations ready to manage future cyber risks?

Globally, the survey reveals an environment of heightened risk and urgent adaptation. Geopolitical volatility has become a primary driver of strategy, compelling 60 per cent of global organisations to increase their cyber investments. Despite this, many leaders feel unprepared, with most companies still trapped in a costly reactive cycle rather than investing proactively. To break out, they are turning to AI as a key defensive tool, though skills gaps remain a major barrier. At the same time, long-term threats like quantum computing are on the horizon, but organisational readiness lags, creating a pressing need for future-focused action.

This analysis delves deeper into the survey's findings from the Netherlands. The Dutch results reveal several remarkable outcomes that diverge from the global and Western Europe outcomes. 

Read here the Dutch perspective of Angeli Hoekstra, Partner Cybersecurity & Privacy.

Dutch organisations have faced a more challenging economic environment, which logically shapes their outlook. For instance, 26 per cent of Dutch respondents reported declining revenues compared to only 18 per cent of their global peers. This recent experience of commercial headwinds naturally sets a more cautious tone for the year ahead.

Dutch leaders are clearly less optimistic about high-end growth, with only eighteen per cent expecting an increase of 10 per cent or more (globally 27 per cent. However, 33 per cent of the Dutch respondents are confident about securing modest revenue gains of 1-4 per cent.

When reacting to geopolitical threats, increasing cyber risk investment remains the top priority for Dutch organisations. The data suggests however that the Dutch place an almost equal emphasis on adjusting cyber insurance policies. This indicates a potential trend towards a dual-pronged strategy of both direct investment and risk transfer.

Modernisation of technology and data protection are important drivers for Dutch organisations when formulating investment priorities. This is line with the international outcomes. Previous experiences with cyber breaches or other incidents also play a notable role in this context.

This outcome shows one of the most significant differences between the global and the Dutch approach to cybersecurity.  Only eight per cent of Dutch organisations spend ‘significantly more on proactive measures,’ a stark contrast to 24 per cent globally. A substantial 38 per cent indicates that they are maintaining a balance, far higher than the 21 per cent global average.

The key question: Is this a sign of already mature proactive risk management? 

When addressing the cyber talent gap, Dutch leaders, like their global peers, are heavily prioritizing technology. Their top three priorities are tech-focused: AI and machine learning tools, security automation and tool consolidation. This strong consensus suggests a shared belief in the power of technology to bridge workforce shortages.

This pronounced tech-centric approach is a pragmatic answer to a tight labour market, where specialised talent is scarce. Instead of trying to outbid competitors for a limited pool of experts, organisations are using automation and a notable reliance on managed services as a force multiplier.

When it comes to implementing AI for cyber defence, Dutch organisations face significant internal hurdles, many of which are shared by their global peers. For instance, uncertainty among leadership about the value of AI for that purpose is a common theme worldwide, showing that this is not a uniquely Dutch problem.

Where the Dutch situation becomes distinct, however, is in the intensity and nature of its primary barriers. The challenge in the Netherlands is less about a lack of ambition and more about a pronounced deficit in foundational readiness. A staggering 61 per cent of Dutch respondents cite a 'lack of knowledge in the application of AI for cyber defence' as a top challenge, markedly higher than the 50 per cent global average. This is directly coupled with their second-biggest barrier: unclearness on the risk appetite for the usage of AI, a concern that is far more acute in the Netherlands (52 per cent) than it is globally (39 per cent).

These outcomes suggests that Dutch leaders are conscious that the foundational groundwork on knowledge and risk must be laid before they can move forward safely.

The Netherlands is significantly lagging in quantum preparation. The danger is that hackers will use powerful quantum computing capabilities when they become more mature to crack encrypted messages and data. An overwhelming 62 per cent are still in the exploring phase. Only 13 per cent are in the 'piloting and testing' stage. This is not a lag; it’s a fundamentally different strategic timeline. While global peers are actively experimenting and implementing, Dutch leaders seem to take a 'wait and see' approach, which prioritises certainty over first-mover advantage. 

According to Angeli Hoekstra, Partner Cybersecurity, Privacy & Resilience, post quantum computing algorithms have already been developed by for example NIST and can be applied in organisations to become post quantum safe. She says it is important to start implementing now, as hackers already collect data to decrypt later when quantum computing capabilities are more mature.

Dutch respondents report that their CISOs collaborate with their C-suite peers somewhat less than their global counterparts. The alignment with the CEO however is really limited. Only 28 per cent of Dutch respondents (compared to 46 per cent globally) report providing insights to the CEO to a large extent about cyber programmes to inform strategic decision making on cyber security. These outcomes paint a picture of a Dutch CISO who a respected functional partner is, but not yet a core enabler of business strategy. The level of deep, strategic integration seen globally has not fully materialised in the Netherlands.

While collaboration exists, its depth and strategic impact are shallower in the Netherlands. To truly adapt to the new threat landscape, the next step for Dutch leadership is to elevate the CISO's role from a technical advisor to an essential voice in all strategic business decisions, ensuring security is an enabler of innovation, not just a defence mechanism.