IBR

Cyber threat increases, preparedness falls short: a wake-up call for SMEs

Cyber threat grows
The cyber resilience of Dutch businesses is under pressure. The most recent figures from the International Business Report (IBR) show that the number of significant cyber incidents in SMEs and the mid-market is rising sharply. At the same time, the number of companies with a structured cybersecurity policy is declining.

Incidents are becoming more serious and more visible 

In the second quarter of 2025, 24 percent of 4083 surveyed Dutch entrepreneurs and executives in the SME and mid-market segment stated that their organisation had experienced a cyberattack with significant impact. In Q3, this rose to over 30 percent. In addition to the 30 percent of companies that have experienced a significant cyberattack, a further 39 percent reported being affected by attacks with limited impact. This means that nearly 70 percent of Dutch businesses have experienced cyberattacks—a clear sign that the threat is not hypothetical, but real. 

Strikingly, the proportion of companies indicating they “do not know” whether they have been attacked remains stable at around 20 percent. This points to a lack of monitoring and insight. Smaller organisations in particular appear vulnerable: they are more often targeted due to limited security capacity, while not always being aware of the severity of the threat. 

Threat is recognised, but action is lacking 

While in Q2 only 20 percent of companies expected an increase in cyber threats, this rose to over 31 percent in Q3. Despite these experiences, 55 percent of companies believe the threat level will remain roughly the same over the next 12 months. At the same time, the number of organisations that believe the risk will remain unchanged is declining. Perception is shifting, but the translation into action is still missing. External factors such as AI-driven attacks and geopolitical tensions play a role. Hybrid working models also increase the attack surface, especially for SMEs that have not adapted their security to this new reality. Yet the SASI report shows that more than 60 percent of SME user accounts still do not have Multi-Factor Authentication (MFA) activated. Guest users are often not monitored, which creates additional risks. 

Preparedness declines despite increasing threat 

In Q2, 64 percent of companies reported having a comprehensive cybersecurity policy with regular updates and tests. In Q3, this dropped to 54 percent. The research also shows that 28 percent of companies rely on basic measures and 25 percent respond mainly ad hoc to incidents. In 13 percent of organisations, there is little to no attention paid to cyber resilience. The number of companies that respond ad hoc or have few measures in place is rising slightly. This points to a gap between risk perception and actual resilience. Many SMEs struggle to maintain structured policies due to limited capacity. There appears to be ‘compliance fatigue’ or an underestimation of the necessity. Reactive policy is no longer sufficient: those who wait until something happens are already behind. External analyses show that many SMEs only take action after an incident, leading to higher costs and greater damage. 

NIS2: awareness grows, but remains insufficient 

The NIS2 directive is receiving increasing attention. In Q3, 35 percent of respondents were very familiar with the directive and working towards compliance, compared to 24 percent in Q2. Yet nearly one in five respondents (19 percent) are barely or not at all familiar. Particularly in sectors without direct supply chain responsibility, the urgency does not yet seem to have fully landed. There is confusion about applicability and obligations, especially for companies indirectly affected by compliance requirements from their clients.  

In addition to NIS2, various other regulations require organisations to strengthen their digital compliance. These range from operational resilience in the financial sector (DORA) to stricter rules for AI applications and data sharing (AI Act and Data Act). It is essential for businesses to stay informed about these developments and take timely action to meet the new requirements. Non-compliance may result in fines and reputational damage.

What does this mean for you as an entrepreneur? 

The figures show that awareness is growing, but structural action is lagging behind. That is a risk. Cybersecurity is not an IT issue, but a strategic theme. Especially in SMEs and the mid-market, where the impact of an attack is immediately felt, proactive policy is essential. 

Would you like to know where your organisation stands?  

Contact us for a concrete audit or advisory meeting. Together, we’ll ensure you are resilient against tomorrow’s threats. 
