Dutch boardroom cyber security knowledge gap exposed

Cyber security governance professor warns that executives lack the capability to assess cyber threats as NIS2 implementation approaches

The Netherlands is preparing to implement the NIS2 directive, which will make boardroom executives personally liable for cyber security incidents. While the European deadline passed in October 2024, Dutch implementation has been delayed until early to mid-2026.

However, according to Bibi van den Berg, professor of cyber security governance at Leiden University, the legislation will create a fundamental mismatch: it places responsibility on executives who lack the necessary knowledge infrastructure to make informed risk assessments. 

Van den Berg has observed a clear shift in boardroom attitudes over the past decade. Where executives once dismissed cyber security as a technical matter best delegated to IT staff, they now universally acknowledge its strategic importance.

The problem, she argues, is that this awareness hasn’t translated into genuine understanding. Boardrooms now recognise cyber security as critical but lack the knowledge to assess whether their organisations are managing it effectively. 

Misplaced threat focus 

When asked about their primary cyber security concerns, Dutch executives consistently cite state actors as their biggest worry – regardless of whether they run a municipality, a major corporation or a small business.

Van den Berg sees this pattern across every type of organisation she speaks with: municipal authorities, major corporations and small businesses alike identify state-sponsored attacks as their primary concern.

“When I ask why they think their organisation would be a specific target, they can’t really explain it,” Van den Berg said. “It’s in the news constantly, so everyone assumes it’s their biggest threat too.” 

The constant media focus on Russian and Chinese cyber operations has created that threat perception problem, Van den Berg argued. She used a pointed example: “If you’re running a gingerbread factory, are you really a target for state-sponsored attacks? I don’t think so. But that’s what everyone worries about.”

The result is misallocated cyber security budgets. Organisations invest in defences against sophisticated state actors, while neglecting the basic security measures that would actually protect them against the threats they face. 

Fundamental data problem 

Part of the challenge stems from the fundamental difference between cyber security risk assessment and other types of risk management. Van den Berg compared it to flood risk management, where Dutch authorities have decades of sea level data, storm patterns, and modelling capabilities.

“So, during a storm, when various things can happen, you can reasonably model what the water will do,” she said. “With cyber, there are several fundamental differences – for one, you don’t have the data.” 

Cyber incident data is fragmented worldwide, often proprietary to cyber security companies or withheld by organisations concerned about reputational damage. Even when data exists, the threat landscape evolves so rapidly that historical patterns have limited predictive value.

“Things that were a big problem five years ago are no longer issues. Attack surfaces change, attackers change, attack tactics change and completely new types of attacks emerge,” Van den Berg said. “Just as we’re starting to understand something and have enough data about it, we’re already onto the next thing.” 

The second fundamental difference: unlike the sea, cyber adversaries act with intent. “We often deal with actors who deliberately try to mess things up. They’re not going to follow a predictable pattern, because as soon as it’s predictable, they get caught.” 

Knowledge liability gap 

Van den Berg argues that NIS2, while well-intentioned, places the burden in the wrong place. “Many of these problems could be kept away from boardrooms if the products and services were better,” she said.

“We’re making a whole lot of people responsible, who all need to be trained, all need to suddenly think about what challenges this brings, and they can’t always oversee it properly. Rightly so, because they’re not in the business of digital security.” 

She points to the broader ecosystem of poor security by design. “We all use systems, software from a limited set of suppliers for about 90-95% of the things we do daily. If you can get those suppliers – through legislation, but also through diplomacy and other measures – to take their responsibility to make things fundamentally safer at the source, then a whole lot of problems disappear downstream for end users.” 

With implementation expected in 2026, the question of how boardroom executives will educate themselves adequately becomes pressing. NIS2 will hold them personally liable for cyber security failures, yet Van den Berg questioned whether adequate preparation is even feasible given the complexity and breadth of the field. 

The Dutch government provides support through agencies such as the National Cyber Security Centre, which offers advice and incident response capabilities. But Van den Berg identifies a critical gap in systematic board-level education.

“If you hold people liable for damages and say, ‘You should have known this’, then the question is how many books should they have read?” she said. “It’s far too complex, far too big, far too many challenges. There are so many risks.” 

Moving beyond risk  

Van den Berg advocated for a fundamental shift from traditional risk management to what she called “cushion thinking” – building protective layers that work against multiple types of threats simultaneously rather than trying to predict which specific risk will materialise. 

The approach draws on an analogy: a fire door doesn’t just protect against fire. During a flood, it will hold back water for a time. Against an intruder, it provides another barrier. One measure with multiple protective effects.

“You free yourself from constantly having to think about what your biggest threat is,” Van den Berg said. “Instead, you ask how to arrange things to have as many cushions as possible around the organisation to absorb impact, whatever form it takes.” 

But individual organisational resilience is no longer sufficient. “Organisations used to do this on their own, saying, ‘We’ve got all these cushions, we’re fine’,” she said. “But then it turns out there are all these connections with suppliers and customers, and there are vulnerabilities in those connections. So, you need to think about this in a network perspective as the only possible way to get your barriers right.” 

This also means rethinking the balance between prevention, detection, response and governance. “Investment patterns need to be much more distributed. Not just on the prevention side, but also on detection, also on response, also on governance over the whole thing, also on learning from incidents,” said Van den Berg.

The delay in Dutch implementation offers a window of opportunity – but only if that time is used to build the support infrastructure executives will need. Without it, Van den Berg warned, NIS2 risks becoming another compliance checkbox rather than a driver of genuine security improvement. 

“We’re making people liable for something they fundamentally cannot oversee,” she said. “That’s only justifiable if we simultaneously give them the tools to actually do the job we’re asking of them.” 

The alternative is a regulatory framework that punishes executives for failures rooted in a supply chain they cannot control, armed with threat intelligence they cannot properly interpret, and defending against risks they cannot accurately assess. NIS2 may shift accountability to the boardroom, but accountability without capability simply redistributes the problem rather than solving it. 