Dutch Businesses Cut Cyber Incident Rates by More Than Half in Under a Decade
The Hague, Thursday, 4 June 2026.
The share of Dutch businesses hit by cyber attacks has fallen from 11% to just 4% since 2016 — yet large firms remain stubbornly exposed, with a 16% incident rate that hasn’t budged since 2023.
A Decade of Progress, Captured in One Report
On May 27, 2026, Statistics Netherlands (CBS) — the Dutch national statistics agency, based in The Hague — published its 2025 Cybersecurity Monitor, marking the ninth consecutive year the institution has produced this annual assessment of digital resilience across Dutch businesses and individuals [1][2]. The report was commissioned by the Dutch Ministry of Economic Affairs and Climate Policy and draws primarily on CBS’s own data on cybersecurity measures and incidents [1][4]. The headline finding is striking in its clarity: the proportion of Dutch businesses that experienced at least one cyber incident caused by an external attack fell from 11% in 2016 to just 4% in 2024 [1][2][3]. That represents a change of -63.636 percent over eight years — a reduction that, by any measure, signals a structural shift in how Dutch businesses are managing their digital exposure.
What the Numbers Actually Mean
The financial consequences of cyber incidents have also receded sharply. In 2016, some 6% of Dutch businesses reported incurring financial costs as a direct result of external cyber attacks [1][2]. By 2024, that figure had dropped to just 1% [1][2][5]. That is a change of -83.333 percent — meaning that not only are fewer companies being hit, but the proportion suffering measurable economic damage has collapsed. For context, cyber incidents can encompass a wide range of disruptions, from IT systems going offline following a ransomware attack to data breaches and business email compromise (BEC) fraud [5]. The CBS monitor captures all of these categories, and the downward trajectory holds across most of them [2].
The Stubborn Exception: Large Enterprises
Despite the broadly positive trend, one data point refuses to move in the right direction. For enterprises with 250 or more employees, the cyber incident rate held flat at 16% in both 2023 and 2024 — unchanged, and sitting at four times the national average of 4% [2][3][5]. This is not a paradox so much as a logical consequence of scale and visibility: larger organisations operate more complex digital infrastructure, manage greater volumes of sensitive data, and present a correspondingly more attractive target for sophisticated threat actors. What makes this figure particularly notable is that large enterprises are also the most heavily defended. According to the 2025 Cybersecurity Monitor, 86% of firms with 250 or more employees had implemented at least ten of the twelve standard security precautions surveyed by CBS in 2025 [1][2][3]. Among the smallest firms — those with between two and ten employees — only 13% had done the same [1][2][3]. The investment gap is real, and yet for large businesses, it is not translating into a lower incident rate.
Sector by Sector: Who Is Most at Risk
The CBS data breaks the picture down further by sector, and the variation is instructive. In 2024, the information and communication sector recorded the highest external cyber incident rate at 7%, followed closely by financial services at 6% [1][2][3]. These are industries that rely heavily on digital systems and handle large quantities of sensitive data — characteristics that make them prime targets [2]. At the other end of the spectrum, the accommodation and food services sector and the health and social care sector each recorded incident rates of just 2% [1][2][3]. CBS offered a specific explanation for the hospitality sector’s lower exposure: businesses in accommodation and food services are less dependent on IT systems than those in other sectors, which naturally reduces the risk of IT-related disruptions and downtime [1]. For health and social care, the agency attributed the low rate to strict information security policies that generally afford better protection against external attacks [1].
The Encryption Gap and the Insurance Question
The disparity between large and small businesses becomes even more pronounced when looking at specific cybersecurity measures. Data encryption — one of the more technically demanding protections — was in use at 91% of large enterprises in 2025, compared with just 33% of the smallest firms employing between two and ten people [1][2][3]. For simpler measures such as antivirus software, the gap narrows considerably, with adoption rates high across all business sizes [7]. Multi-factor authentication (MFA) tells a similarly encouraging story of progress: between 2017 and 2025, MFA adoption among large enterprises rose from 71% to 97%, while among small businesses with between 10 and 50 employees it climbed from 29% to 79% [7]. Phishing and spoofing attacks remained the most prevalent threat type in 2024, affecting 23% of all businesses surveyed. Data breaches or data manipulation affected 14% of large businesses, while BEC fraud was reported by 11%. Ransomware, despite its public profile, was reported by only 1% of all businesses [7]. On the insurance side, just 19% of all businesses surveyed carried cyber incident insurance in 2025 — a figure that rises to 40% in financial services and 35% in the information and communication sector, but falls to as low as 12% in construction, transportation and storage, and accommodation and food services [2][5].
Progress Is Real — But Complacency Would Be a Mistake
The 2025 CBS Cybersecurity Monitor, published on May 27, 2026, presents a genuinely encouraging picture for Dutch business resilience [1][2][4]. The overall incident rate has fallen to its lowest recorded level, financial damage has been dramatically curtailed, and the adoption of basic security precautions has broadened considerably over the past decade [2][3][5]. Yet the data also contains clear warnings. The resilience gap between large and small businesses remains wide, with micro-businesses still far behind on complex measures like data encryption [1][7]. Large enterprises, despite their heavy investment in defences, continue to face a stubbornly high 16% incident rate [2][3][5]. And while ransomware may be rare in statistical terms, a ransomware attack in April 2026 that resulted in the theft of patients’ medical data demonstrated that even sectors with strong security cultures are not immune [5]. The Dutch National Cyber Security Centre (NCSC) has noted the CBS findings, and advises smaller organisations in particular to embed cybersecurity practices organisationally — including conducting incident response drills, maintaining an emergency contact list, and structuring access management — rather than treating security as a purely technical exercise [7]. The decade-long downward trend in cyber incidents is a genuine achievement. The work, however, is far from done.
Sources
- europe-data.com
- www.cbs.nl
- www.indexbox.io
- www.cbs.nl
- www.dutchnews.nl
- www.instagram.com
- www.ncsc.nl