CYBERSECURITY STATISTICS NETHERLANDS 2026

The Netherlands ranks among the top 5 most attacked countries in Europe. Its digital infrastructure, high number of internet users (98% of the population) and concentration of data centers make the country an attractive target. According to the Verizon DBIR 2025, 83% of attacks are financially motivated, while 17% are driven by geopolitics or espionage.

Types of cyberattacks in the Netherlands (2025)

Notable is the explosive growth of supply chain attacks (+45%). Attackers increasingly target suppliers and software partners to compromise multiple organizations through a single breach. The SolarWinds effect is clearly visible in the Netherlands: 34% of businesses experienced an incident via a third party in 2025. Among managed service providers (MSPs), this figure was 48%, making them a critical attack vector targeting SMBs.

The average time to detect a cyberattack is 204 days in the Netherlands. Organizations using AI-based detection systems reduce this to an average of 98 days. Organizations with a fully automated Security Operations Center (SOC) detect incidents in less than 24 hours. The cost difference is significant: a data breach detected within 100 days costs an average of $3.07 million less than one that goes undetected for 200+ days.

Cyberattacks by sector

Not all sectors are equally affected. The five most attacked sectors in the Netherlands are:

• Financial services — 58% of companies reported at least one incident in 2025
• Healthcare — 52% were affected, with increasing severity due to vulnerable medical equipment
• Government & public sector — 47% experienced attacks, particularly DDoS and espionage
• Manufacturing — 44% attacked, often through vulnerable OT (operational technology) systems
• ICT & telecom — 41% affected, with supply chain attacks as the biggest threat

Sources: NCSC Cybersecurity Assessment Netherlands 2025, Verizon DBIR 2025, CBS ICT Usage Survey

The average ransom demanded in the Netherlands is $360,000, but for large enterprises, demands can reach $2.5 million or more. Of the affected organizations, 29% actually pay the ransom — despite urgent advice from the NCSC and police not to do so.

Of the businesses that pay the ransom, only 67% recover all their data. In 18% of cases, the data is still leaked on the dark web despite payment. In 11% of paid cases, a second attack follows within 12 months by the same or a different group. The average total cost of a ransomware attack (including downtime, recovery and reputational damage) is $1.96 million for a mid-sized company.

The average downtime after a ransomware attack is 23 days. For businesses without a tested incident response plan, this increases to 34 days. The indirect costs are often higher than the ransom itself: production downtime costs an average business $9,000 per hour, customer churn is estimated at 15-25% in the first year after an attack, and reputational damage is "noticeably long-lasting" for 42% of businesses.

Ransomware by sector in the Netherlands

Healthcare is the hardest hit: 34% of healthcare institutions experienced a ransomware attack in 2025. The urgency of patient care makes this sector particularly vulnerable — attackers know that hospitals are more likely to pay. The Ransomware-as-a-Service (RaaS) model lowers the barrier for cybercriminals: groups like LockBit, BlackCat and Cl0p offer ransomware as a subscription service, enabling less technically skilled criminals to carry out attacks.

Double extortion is now standard: 78% of ransomware attacks in the Netherlands combine data encryption with the threat of data leaks. In 2025, the NCSC recorded 340 cases where stolen data actually appeared on the dark web.

Sources: NCSC Annual Report 2025, Sophos State of Ransomware Report, Coveware Quarterly Report Q4 2025

Of all cyberattacks in the Netherlands, 41% start with a phishing attack. The average click rate on phishing emails is 3.4%, meaning that out of every 1,000 phishing emails, 34 are successful. The average employee takes just 82 seconds to click on a malicious link after opening the email.

AI-generated phishing is the fastest-growing threat: the number of AI-crafted phishing messages increased by 67% in 2025. These messages are harder to detect because they are grammatically correct, personalized and imitate the writing style of trusted senders. According to the Verizon DBIR 2025, the success rate of AI-phishing is 2.3 times higher than traditional phishing.

Phishing: most impersonated brands (NL)

• Banks (ING, Rabobank, ABN AMRO) — 28% of all phishing in the Netherlands
• Government agencies (Belastingdienst, DigiD) — 19% of all phishing
• Delivery services (PostNL, DHL) — 16% of all phishing
• Tech companies (Microsoft, Google) — 14% of all phishing
• Telecom providers (KPN, T-Mobile) — 8% of all phishing
• E-commerce (Bol, Amazon, Marktplaats) — 7% of all phishing

Spear phishing (targeted phishing aimed at specific employees) is responsible for 71% of successful breaches at businesses. CEO fraud and business email compromise (BEC) caused an estimated $97 million in damages in the Netherlands in 2025. The average BEC attack costs a company $131,000.

Smishing (SMS phishing) and vishing (voice phishing) are growing rapidly: the number of smishing incidents rose by 54% in 2025. QR code phishing ("quishing") is a new trend: 12% of all phishing attempts now use malicious QR codes. The Dutch Fraud Helpdesk received more than 480,000 phishing reports in 2025, a 28% increase compared to 2024.

Financial damage from phishing in the Netherlands

The total financial damage from phishing in the Netherlands is estimated at $178 million in 2025. This includes direct theft via online banking ($55 million), credential theft and subsequent attacks ($78 million), and business email compromise ($44 million). The Dutch Banking Association reports that banking phishing losses rose by 18% despite more advanced detection, as attackers use AI to bypass security. The average damage per successful phishing attack increased from $3,400 in 2023 to $5,100 in 2025.

Sources: Verizon DBIR 2025, APWG Phishing Activity Trends Report, Fraudehelpdesk Annual Report 2025

According to the IBM Cost of a Data Breach Report 2025, the average cost of a data breach in the Netherlands is $5.17 million. This represents a 12% increase compared to 2024 and 28% compared to 2022. The cost per leaked record has risen to $186.

Cost by sector in the Netherlands

Healthcare has the highest cost per record ($421) due to the sensitivity of medical data and strict regulations around patient records. The financial sector has the highest total costs due to the scale of affected datasets.

Organizations that use AI and automation for incident detection save an average of $1.86 million per data breach. Companies with a fully implemented security AI platform pay an average of $3.31 million per incident, versus $5.17 million without. Detection time drops from 204 to 98 days. Businesses that successfully implement AI in their operations are also better prepared for cyber threats.

The Dutch Data Protection Authority (AP) imposed $7.1 million in fines in 2025 for GDPR violations related to data breaches. The average fine was $943,000, with a maximum of $2.91 million for a large retailer.

Hidden costs of a data breach

In addition to direct damages, there are significant hidden costs that are often overlooked:

• Customer churn — an average of 3.4% customer loss in the year after a public data breach, valued at $1.27 million
• Insurance premiums — premium increases of 25-40% in the year after a claim
• Legal costs — an average of $360,000 in legal advice, notifications and potential lawsuits
• Compliance costs — audits and adjustments after an incident cost an average of $296,000
• Management time — C-level executives spend an average of 320 hours handling a serious data breach
• Credit monitoring — for personal data, an average of $48 per affected individual for monitoring

Sources: IBM Cost of a Data Breach Report 2025, Dutch Data Protection Authority Annual Report 2025, Ponemon Institute

In 2026, only 24% of Dutch businesses have cyber insurance. Among large companies (250+ employees), this percentage is 52%, while SMBs lag behind at just 18%. The total market size for cyber insurance in the Netherlands is $445 million, a 34% increase compared to 2024.

Premiums rose by an average of 28% in 2025. This is due to the rising number of claims (loss ratio of 72%), higher average claim amounts, and the increasing complexity of cyberattacks. Some sectors saw premium increases of up to 45%, particularly healthcare and the public sector.

Insurers impose increasingly strict requirements

• MFA required — 94% of insurers require multi-factor authentication as a condition
• Endpoint Detection & Response (EDR) — 78% require active endpoint security
• Regular backups — 89% require proof of offline backups
• Security awareness training — 67% require annual employee training
• Incident response plan — 72% require a documented plan
• Patch management — 81% require evidence of timely software updates

The average payout for a cyber claim is $248,000. For ransomware claims, this is higher: $508,000 on average. Notably, 38% of claims are (partially) denied due to non-compliance with policy terms, such as missing MFA or outdated software.

Sources: Dutch Association of Insurers, Aon Cyber Risk Monitor 2025, Marsh Global Insurance Market Index

In 2025, the NCSC published more than 6,800 security advisories, of which 1,247 were classified as HIGH or CRITICAL. The NCSC processed 4,200 incident reports from government organizations and critical infrastructure, a 22% increase compared to 2024.

The Dutch Data Protection Authority received 28,400 data breach notifications in 2025 — an average of 78 per day. Of these notifications, 42% involved hacking or cyberattacks, 31% human error (sending to the wrong recipient), and 27% technical failures or lost devices.

Incident reports by type (NCSC 2025)

The Digital Trust Center (DTC), which serves the non-critical business sector, reached more than 180,000 businesses with threat intelligence in 2025. The DTC sent 42,000 individual notifications to businesses about vulnerabilities in their systems. Yet 61% of businesses say they do not know where to report cyber incidents.

Data breaches at the Dutch Data Protection Authority

The mandatory data breach notification requirement provides valuable insights into the nature and scope of security incidents:

• 28,400 data breaches reported in 2025, a 14% increase compared to 2024
• 42% caused by hacking or malicious software
• 31% due to human error — misdirected emails, attachments with wrong data
• Healthcare reported the most data breaches (24% of all notifications), followed by government (18%) and financial services (14%)
• An average of 2,300 individuals affected per reported data breach
• 14% of notifications led to follow-up investigation by the AP

The AP expanded its enforcement capacity by 30% in 2025 and announced stricter monitoring of the notification requirement. Organizations that fail to report a data breach or report it late risk fines of up to $10.6 million or 2% of annual revenue.

Sources: NCSC Annual Report 2025, Dutch Data Protection Authority Data Breach Report, Digital Trust Center

Despite the fact that 74% of successful attacks have a human component, only 39% of Dutch businesses invest in annual security awareness training for employees. The average investment is just $40 per employee per year.

Companies that do invest structurally in awareness programs see impressive results:

• 72% fewer successful phishing attacks after 12 months of structured training
• 56% faster reporting time for suspicious emails by employees
• 89% of employees recognize basic phishing attempts after training (vs. 47% before)
• ROI of 587% on awareness investments over 3 years (KnowBe4 benchmark)

The most effective training programs combine simulated phishing tests (monthly), micro-learnings (5-10 minutes per week) and gamification. Companies that only give an annual presentation see minimal improvement. The click rate on simulated phishing drops from an average of 27% to 4% after 12 months of consistent training.

Password hygiene remains a major problem: 41% of Dutch employees reuse passwords for work and personal accounts. Only 34% of businesses have rolled out a password manager. The most commonly used passwords in the Netherlands in 2025 were still variations of "welkom01", "123456" and "Qwerty123".

Remote work and cybersecurity

Hybrid work has expanded the attack surface. In 2025, 47% of Dutch knowledge workers work from home at least two days a week. The impact on cybersecurity is measurable:

• 38% of data breaches are related to remote work or BYOD (Bring Your Own Device)
• 27% of remote workers use the corporate network without a VPN
• 44% share their home network with unsecured IoT devices (smart speakers, cameras)
• Companies with a remote workforce above 50% pay an average of $1.16 million more per data breach

Sources: Verizon DBIR 2025, KnowBe4 Benchmarking Report, Proofpoint State of the Phish 2025

The total cybersecurity market in the Netherlands is estimated at $4.45 billion in 2026, a 16% increase compared to 2025. Companies spend an average of 11.2% of their IT budget on cybersecurity, up from 8.6% in 2023. Experts recommend a minimum of 15%.

Where are companies investing?

Notable is the strong growth in governance, risk & compliance (+42%), directly driven by NIS2 implementation. Companies are investing heavily in getting their compliance framework in order. Cloud security is the largest budget item (24%), which makes sense given the accelerated migration to cloud environments.

The Dutch government is investing $418 million in cybersecurity in 2026, of which $127 million goes to the NCSC, $90 million to the Defense Cyber Command, and $48 million to the DTC and programs for businesses. The government has announced a 25% increase in this budget through 2028.

Dutch cybersecurity startups raised $402 million in funding in 2025. There are now more than 450 cybersecurity companies based in the Netherlands, with concentrations in The Hague (The Hague Security Delta) and Eindhoven (Brainport).

Sources: Gartner IT Spending Forecast 2026, IDC European Cybersecurity Market, Dutch National Budget 2026, Techleap.nl

AI as a defensive weapon

Of Dutch companies with more than 100 employees, 58% use AI for cybersecurity. The main applications are:

• Anomaly detection — AI systems analyze network traffic and detect deviations 12x faster than manual analysis
• Automated incident response — SOAR platforms (Security Orchestration, Automation & Response) automate 68% of routine security tasks
• Vulnerability management — AI scanners identify vulnerabilities 4x faster and prioritize based on risk
• Threat intelligence — machine learning analyzes billions of data points daily to detect new threats early
• Email filtering — AI-based filters block 99.2% of phishing attempts (vs. 94% for traditional filters)

Organizations that extensively use AI and automation for cybersecurity save an average of $1.86 million per data breach and detect incidents 108 days faster than organizations without AI tools.

AI as an offensive weapon

Cybercriminals are increasingly using AI for:

• AI-generated phishing — 67% growth in 2025, with 2.3x higher success rate
• Deepfake voice & video — 340% increase in deepfake attacks for CEO fraud
• Automated vulnerability scans — AI scans thousands of systems in minutes instead of hours
• Polymorphic malware — AI generates unique malware variants that bypass traditional antivirus software
• Password cracking — AI models crack passwords up to 60% faster than brute-force

The NCSC warns that generative AI significantly lowers the barrier to cybercrime. Less technically skilled criminals can now carry out sophisticated attacks using AI tools available on the dark web. The cost of setting up a phishing campaign has dropped by 95% thanks to AI.

Sources: IBM Cost of a Data Breach 2025, NCSC Cybersecurity Assessment, Capgemini Research Institute AI in Cybersecurity

1. Zero Trust becomes the standard

In 2026, 42% of large Dutch organizations have implemented a Zero Trust Architecture (ZTA), up from 18% in 2023. Zero Trust operates on the principle of "never trust, always verify" — every request is verified regardless of location or network. Gartner predicts that by 2028, more than 70% of companies will adopt Zero Trust as their core strategy.

2. Quantum-safe cryptography

With the advent of quantum computers, current encryption standards become vulnerable. The NCSC advises Dutch organizations to begin migrating to quantum-safe algorithms now. An estimated only 8% of Dutch organizations have started a post-quantum cryptography strategy. Quantum computers are expected to be able to break current RSA encryption around 2030-2035.

3. Cybersecurity-as-a-Service is booming

Outsourcing cybersecurity to Managed Security Service Providers (MSSPs) is growing by 27% per year. In 2026, 38% of SMBs use an MSSP, up from 22% in 2024. The average cost of a managed SOC service is $2,650 to $8,470 per month for an SMB, significantly cheaper than running an in-house SOC.

4. OT/IoT security becomes critical

The number of connected IoT devices in the Netherlands is growing to 48 million in 2026. Operational Technology (OT) in industry, energy and water is increasingly targeted by cyberattacks. In 2025, the number of attacks on OT systems rose by 35%. The NCSC classifies OT security as one of its three priorities for 2026.

5. Cyber resilience over prevention

The focus is shifting from 100% prevention to cyber resilience: the ability to withstand attacks, detect them quickly and recover. In 2026, 56% of large companies have a formal cyber resilience program, including regular crisis exercises. The average recovery time after a ransomware attack dropped from 23 to 16 days for companies with a resilience program.

6. Regulation is increasing

In addition to NIS2, new regulatory frameworks are affecting Dutch businesses:

• Cyber Resilience Act (CRA) — mandatory cybersecurity requirements for hardware and software with digital elements (2027)
• DORA — Digital Operational Resilience Act for the financial sector (active since 2025)
• AI Act — contains cybersecurity requirements for high-risk AI systems (phased implementation 2025-2027)
• eIDAS 2.0 — European digital identity with security requirements (2026)

7. Cybersecurity in the boardroom

Cybersecurity has definitively become a boardroom topic: 76% of Dutch board members name cybersecurity as a top-3 risk (compared to 42% in 2022). The number of companies with a CISO at C-level rose to 34% among companies with more than 250 employees. Board members spend an average of 14% of their time on cybersecurity-related decisions.

Total global cybercrime costs are estimated at $10.5 trillion in 2025 (Cybersecurity Ventures), growing to $15.6 trillion by 2029. If cybercrime were a country, it would be the third-largest economy in the world, after the US and China. For businesses operating digitally, cybersecurity is no longer optional but a baseline requirement.

Sources: Gartner Predictions 2026, NCSC Cybersecurity Assessment 2025, Cybersecurity Ventures, IDC FutureScape