Digital threats against the Netherlands are becoming more diverse and unpredictable. There is a wide variety of attacks by both state actors as well as cybercriminals and other malicious parties. International relations are becoming more unpredictable, which impacts digital security. State actors are establishing or expanding cyber programs, involving non-state actors or private organizations. Changing geopolitical relations can also affect digital dependencies. Furthermore, malicious actors can use generative AI to carry out attacks more easily and on a larger scale.
These are the main conclusions of the Cybersecurity Outlook Netherlands (CSBN) 2025 published today, prepared by the National Coordinator for Security and Counterterrorism (NCTV) with substantial contributions from the AIVD and MIVD. All these developments occur simultaneously and in conjunction, making the threat landscape increasingly complex.
Esther van Beurden - Director Cybersecurity, Resilience State Threats and National Security Analysis. We see that the digital threat remains in motion. Geopolitical relations are changing. State actors are expanding cyber programs and using state-supported groups or companies to carry out cyberattacks. Geopolitics also influences our digital dependencies, making them risky.
Basic Principles to Enhance Digital Resilience
The conclusion that threats are becoming more unpredictable and complex does not necessarily mean that defending against them becomes so as well. Many digital incidents are caused by a lack of proper digital basic hygiene. For an average organization, the advice is: do not focus on the complex threat landscape, but make yourself resilient with the basic principles, as established by the NCSC and DTC. An important part of these basic principles is preparing for incidents, focusing on resilience and recovery when an incident has occurred.
A large number of organizations are, since the entry into force of the Cybersecurity Act, also required to conduct a risk analysis and take appropriate and proportionate measures to secure their network and information systems. The Cybersecurity Act is the national implementation of the European NIS2 directive and is expected to come into effect in the Netherlands in the second quarter of 2026. The law contributes to increasing the digital resilience of the Netherlands and reducing the risks of service outages.
Van Beurden: It is important that we remain digitally resilient as the Netherlands. Important steps are being taken with upcoming laws and other initiatives. Digital resilience is no longer only for technical experts; especially executives must also take action for a secure digital society. But do not be discouraged by increasing complexity; resilience starts with having the basics in order.
Progress of the Dutch Cybersecurity Strategy
In 2022, the cabinet presented the Dutch Cybersecurity Strategy (NLCS) with the goal of creating a digitally safe and resilient Netherlands. Simultaneously with the CSBN2025, the progress report of the NLCS was sent to the House of Representatives. Strengthening the commitment to implementing the Dutch Cybersecurity Strategy (NLCS) is necessary. The cabinet takes the risks of digitization seriously and emphasizes the need to continue urgent efforts on the implementation of the NLCS, the implementation of the revised Network and Information Security Directive (NIS2), and the Cyber Resilience Act (CRA).
