At one of the Netherlands’ largest cybersecurity events this year, Cybersec Netherlands, speakers from government, industry, and academia shared their views on the threats and opportunities ahead. The message was clear: the landscape is shifting fast. EU regulations like NIS2 and the rise of AI will determine which organizations thrive – and which struggle to keep up.

From over a hundred sessions, we distilled six recurring themes. Here’s what’s buzz, what matters, and what it means for your business.

A decade ago, the focus was prevention: bigger firewalls, tighter controls. Today, the consensus is clear: no system is unbreakable. The focus has shifted to resilience – the ability to withstand, respond, and recover.

In practice, that means:

• Testing backups regularly and keeping them offline.
• Running crisis simulations with leadership teams, not just IT.
• Rehearsing “assume breach” scenarios.

For Dutch businesses, especially in logistics and manufacturing , with strong rippling effects, resilience isn’t a buzzword. Our take: Definitely here to stay.

The EU’s NIS2 Directive raises the bar for governance and reporting, with a hard deadline: Q2 2026. Dutch organizations in critical sectors – and their suppliers – must prove they are in control.

This involves more than IT: boards, legal, and compliance teams will all be engaged. Key requirements include:

• Clear accountability for cybersecurity at management level.
• Mapping and monitoring supply chain dependencies.
• Documenting and reporting major incidents quickly.

Even if your organization’s industry is not directly in scope , NIS2 will cascade through contracts – much like GDPR did.

Cybersecurity is no longer limited to laptops, servers, and cloud apps. The digitization of operational technology (OT) – machines, production lines, rail systems, energy grids – means attackers have targets with real-world consequences.

For the Netherlands, with its advanced infrastructure, OT security is now a board-level concern.

Practical steps include:

• Segregating IT and OT networks, keeping them apart.
• Using digital twins – virtualizing the physical, to baseline – and monitoring for anomalies.
• Training engineers and operators in cyber hygiene.

If ports or factories go down, the economy takes a hit immediately.

As you’re well-aware, AI is no longer hype. And attackers already use it to:

• Generate phishing campaigns and voice deepfakes.
• Automate vulnerability scanning and exploit development.
• Spread disinformation at scale.

Defenders can also benefit but must avoid “AI magic” promises. Demand results and proof of effectiveness.

For now, businesses should:

• Update awareness training for AI-driven scams.
• Evaluate and validate “AI-enabled” tools carefully.
• And be aware that whatever is available to them, is also available to hackers.

Dutch and European organizations face a balance: reliance on U.S. “hyperscalers” for cloud and AI, versus growing regulatory and political pressure for digital sovereignty.

Complete independence is unrealistic, but retaining transparency and control in the supply chain is essential.

At the same time, collaboration is critical. Whether via so-called Information Sharing and Analysis Centres (ISACs), or initiatives like Dutch Cyber Chain Resilience, businesses are expected to share intelligence and defend together.

Despite advances in AI and technology, people remain the weakest link. Mistakes by employees are still the most common entry point for attackers.

Dutch businesses should go beyond one-off training. According to the speakers, psychology-based programs, gamification, and ongoing reinforcement are becoming the standard. Reducing human error is still one of the most cost-effective measures you can take.

Five priorities for Dutch businesses in the following quarters:

1. Get NIS2-ready – governance, documentation, and supply chain checks.
2. Build resilience – assume breach, test recovery, rehearse incidents.
3. Secure OT environments – segment networks and train engineers.
4. Prepare for AI-driven threats – train staff, validate AI tools.
5. Strengthen collaboration – join ISACs, share intelligence, call for- and ensure transparency.

Cybersecurity in 2025 is not about higher walls or the next shiny tool. It’s about resilience, governance, and collaboration.

If you’ve spotted gaps while reading this, you don’t have to close them alone. At Skuridat, we bring both skill and technology to the table: consulting expertise, interim CISO support, and a platform that continuously monitors for exposed assets, leaked credentials, and phishing domains. The outcome matters most: becoming not just compliant, but secure, resilient, and ideally anti-fragile – stronger every time you’re tested.