Cybersecurity Assessment Netherlands 2025

Digital threats against the Netherlands are becoming more diverse and unpredictable. There is a wide variety of attacks by state actors, cybercriminals, and other malicious actors. International relations are becoming more unpredictable, which has an impact on digital security. State actors are setting up or expanding cyber programs, sometimes involving non-state actors or private organizations. Changing geopolitical relations can also make digital dependencies risky that were not risky before. Furthermore, malicious actors can use generative AI, which makes it easier for them to carry out attacks on a larger scale.

These are the main conclusions of the Cybersecurity Assessment Netherlands (CSAN) 2025, published today by the National Coordinator for Counterterrorism and Security (NCTV). These developments are taking place simultaneously and in conjunction with each other, making the threat landscape increasingly complex.

Esther van Beurden – Director of Cybersecurity, State Threat and National Security Analysis: “We see that the digital threat is constantly evolving. Geopolitical relations are changing. State actors are expanding their cyber programs and using state-sponsored groups or companies to carry out cyber attacks. Geopolitics also influences our digital dependencies, which can make them risky, whereas they were not before.”

Basic principles increase digital resilience

The conclusion that threats are becoming more unpredictable and complex does not necessarily mean that defending against them is becoming more complex as well. Many digital incidents are caused by a lack of basic “digital hygiene”. For the average organization, this means: don't fixate on the complex threat landscape, but make yourself resilient by following the basic principles set out by the NCSC and DTC (www.ncsc.nl, information in Dutch). An important part of these basic principles is preparing for incidents, which involves resilience and recovery capabilities when an incident occurs.

Furthermore, when the Cybersecurity Act (www.nctv.nl, information in Dutch) comes into force, a large number of organizations will be required to conduct a risk analysis and, based on that analysis, take appropriate and proportionate measures to secure their network and information systems. The Cybersecurity Act is the national implementation of the European NIS2 Directive and is expected to come into force in the Netherlands in the second quarter of 2026. The Act contributes to increasing the digital resilience of the Netherlands and limiting the risks of service outages.

Van Beurden: “It is important that we remain digitally resilient in the Netherlands. Important steps are being taken in this regard with upcoming legislation and other initiatives. Digital resilience is no longer just a matter for technical experts; especially for non-digital factors such as geopolitics, it is – or should be – a matter for the boardroom. But don't be deterred by the increasing complexity; resilience starts with getting the basics right.”

Progress of the Dutch Cybersecurity Strategy

In 2022, the government presented the Dutch Cybersecurity Strategy (NLCS) with the aim of creating a digitally secure and resilient Netherlands. The progress report on the NLCS was sent to the House of Representatives at the same time as the CSAN 2025. It is necessary to strengthen the commitment to implementing the NLCS. The government takes the risks of digitization seriously and emphasizes the need to continue to focus urgently on the implementation of the NLCS, the implementation of the revised Network and Information Security Directive (NIS2), and the Cyber Resilience Act (CRA).