News item

Prepared on paper? The state of cyber resilience in the Netherlands

Dutch organisations award themselves a 7.1 out of 10 for cyber resilience. That’s the headline conclusion of recent research into how organisations assess their own preparedness for cyber threats. The study looks at governance, technology, incident readiness, and organisational awareness. On paper, the results suggest things are going reasonably well.

23 January 2026

However, despite the solid 7.1 score, around one in three organisations admit they are not well prepared for a serious cyberattack. And although 67 percent of organisations say they feel prepared for a cyber incident, only 28 percent routinely practise crisis situations.

This contradiction is telling. Cybersecurity has clearly moved up the agenda: boards talk about it, budgets have increased, and organisations deploy more tools than ever. Although the progress is real, the research shows that readiness is often assumed rather than tested.

The maturity gap becomes even clearer in the blind spots. Identity and access management is inconsistent, with 5 percent of organisations still operating without multi-factor authentication (MFA). In addition, 39 percent use MFA only on critical systems.

Supply-chain risk remains underestimated: only 23 percent of organisations have it organised at a mature level. Monitoring outside core systems is limited. And human behaviour continues to undermine technical controls. These weaknesses don’t show up in a self-assessment score until something goes wrong.

For CISOs, this matters more than ever. Regulatory pressure is increasing, attackers are faster and more automated, and AI is expanding the attack surface. In that environment, cyber resilience is no longer about “having things in place,” but about knowing they work.

A 7.1 is not a failure, but it’s not a finish line either. Real cyber resilience isn’t reflected in surveys or dashboards. It’s demonstrated during incidents, stress-tested in exercises, and embedded in business decisions. Confidence without validation isn’t resilience: it’s optimism.