Dutch Parliament to Debate Cybersecurity as Regulator Warns Business Defenses Are “Too Low”

Lawmakers will examine cybersecurity gaps as the data protection authority warns weak governance and vendor risks threaten businesses and customers


Published: May 18, 2026

Nicole Willing

The Dutch Parliament will hold a session on cybersecurity on May 20 amid growing concerns over the digital resilience of businesses in the country, after the Dutch Data Protection Authority (AP) warned that security standards “have remained too low for years” and called for stronger preventive oversight powers.

In a position paper released ahead of the discussion, the independent regulator identified three “urgently needed improvements” to cybersecurity in the Netherlands:

  • raising baseline security standards across organizations and suppliers;
  • limiting the impact of data breaches through stricter data governance; and
  • expanding supervisory capacity so that authorities can conduct more preventive, risk-based enforcement.

The AP said cyber incidents and data breaches in the Netherlands have become routine, pointing to a sharp rise in reported breaches. More than 44,000 data breaches were reported to the regulator in 2025, up from about 38,000 in 2024, according to the paper. Part of the regulator’s supervision includes mandatory reporting requirements and risk-based supervision under the legal framework of the General Data Protection Regulation (GDPR).

“Prevention remains better than cure,” the regulator said, while warning that limited resources force it to focus primarily on the most serious incidents after breaches occur, rather than on proactive monitoring before attacks happen.

Wednesday’s meeting is expected to bring together government officials, regulators, businesses and cybersecurity stakeholders as the Netherlands faces increasing pressure to strengthen digital defenses against ransomware attacks, data theft and supply-chain vulnerabilities.

The AP said that years of breach notifications have revealed persistent weaknesses in both technical safeguards and organizational governance. According to the regulator, 33 percent of surveyed organizations admitted that incidents were caused by an absence of adequate policy, while 40 percent said policies existed but were implemented poorly or not monitored sufficiently.

AP Calls for Higher Cybersecurity Standards and Stronger Oversight

The AP urged organizations to gain a thorough understanding of the cybersecurity risks they face and the measures they need to take, including around the processing and storage of data, and added:

“They must also take responsibility and control by not shifting cybersecurity onto the shoulders of individual employees, but by ensuring it centrally and placing it high on the agenda of executives.”

The regulator noted that audits, security tests and technical safeguards “are essential in this regard to detect and rectify errors early.”

The risks extend beyond regulatory exposure and operational disruption. Breaches involving customer data can erode consumer trust, disrupt digital services and damage customer experience through account lockouts, payment interruptions, exposure to fraud and delays in support response.

Poor data governance, excessive data retention and weak communication after breaches can intensify the impact on individuals, particularly when organizations fail to quickly notify affected users or provide clear guidance on protective measures.

The AP singled out information and communication technology (ICT) suppliers as a key area of concern because weaknesses in vendors can spread across entire supply chains. The AP recently announced plans to carry out preventive checks on vendors’ security postures to help reduce the risk of breaches caused by inadequate protections.

The regulator also emphasized the importance of businesses taking measures to limit the impact of security breaches when they do happen:

“A data breach can happen to any organization. Therefore, it is not only important to implement security measures to prevent data breaches; organizations should also take measures to mitigate the consequences of a data breach.”

The AP urged companies and public institutions to adopt stricter data minimization practices, comply with data retention limits and improve communication with victims following breaches through rapid and clear warning messages.

The AP said these measures are still too often neglected despite being required under GDPR.

The regulator argued that stronger enforcement powers and additional resources are necessary to create a deterrent effect: “[I]f organizations are hacked because security was not up to standard, sanctions may follow. This prompts organizations to take action to bring their own cybersecurity up to standard.”

“In a world where data breaches, cyberattacks, and the number of victims only seem to be increasing, the AP has no choice but to draw attention to this,” the regulator added.

The parliamentary session comes as European governments intensify efforts to strengthen cybersecurity rules and critical infrastructure protections amid rising geopolitical tensions and increasingly sophisticated cyber threats targeting both public and private sectors.

 
