Digital resilience is, in short, the extent to which organisations have taken measures against digital incidents and their consequences. The NCTV, in the Nationale Cybersecurity strategie 2022 – 2028, gives the following description:
“The ability to bring risks to an acceptable level through a set of measures to prevent cyber incidents and, when cyber incidents have occurred, to detect them, mitigate damage and make recovery easier”.
The U.S. National Institute of Standards and Technology[1] defines “cyber resilience” as follows:
“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
The following definition is common in the EU:
“Cyber resilience refers to the ability to protect electronic data and systems from cyberattacks, as well as to resume business operations quickly in case of a successful attack.”
Whatever definition is used, it is important that the following aspects are taken into account:
- It concerns a package of measures that an organisation or company has taken;
- Cyber incidents can be malicious or non-malicious (attacks on the one hand, accidents and failures on the other);
- It includes both preventive and mitigating measures. This includes visibility into threats, incident prevention and measures aimed at mitigating the consequences and accelerating recovery;
- Measures can be technical in nature, but also relate to organisational and human aspects such as implementing procedures or raising knowledge and awareness.
Many stakeholders use a somewhat narrow definition of digital resilience that concentrates on measures aimed at preventing cyber attacks and says less about non-malicious cyber incidents (such as an underground telecom cable that is accidentally cut during construction work). We include such non-malicious incidents in the scope of digital resilience strategies and measures.
Digital resilience is of great importance for individual companies. The risks take different forms: phishing attacks (in which, for example, a fake email asks for sensitive information), ransomware attacks (in which company data is encrypted and only released against payment of a ransom), the failure of software or hardware in office and industrial processes, bringing those processes to a standstill, and so on.
When one of the above occurs, this can have consequences for the continuation of business operations or business activities and cause economic or reputational damage to an individual organisation or the chain in which this organisation works. Cyber attacks can also have (personal) consequences for customers or employees of companies, for example when personal data is distributed.
Digital resilience is not only important for individual companies, but also for (business) ecosystems. Ecosystems are groups of organisations/companies that are geographically close and interdependent (see section 3.1 for a further explanation of the concept of ecosystem and some important aspects). In the event of cyber incidents, the consequences can have an impact on other companies. This could include a cyber incident at an energy company, (drinking) water supplier, financial institution or telecommunications company, where the consequences do not only relate to that company, but can affect others who depend on these companies. For a healthy ecosystem, it is therefore important that the ecosystem as a whole is also sufficiently mature when it comes to digital resilience.
There are some examples of incidents in the Netherlands where an attack had an impact on other companies (KPN Security provides an annual overview of major and high-profile cyber incidents in the Netherlands):
- Due to a ransomware attack at logistics company Bakker at the beginning of April 2021, delivery from several warehouses came to a standstill. Customers could not pass on orders and it was not possible to locate products in the warehouses. The attack led to empty cheese shelves at Albert Heijn. After about a week, the ‘cheese hack’ was resolved.
- The international meal service Apetito was hit by a ransomware attack in June 2022. As a result, the company had little or no access to its IT systems. Apetito supplies meals to healthcare institutions, childcare and private individuals, among others. The attack disrupted the production and delivery of meals.
- Five municipalities in Limburg, including Kerkrade and Vaals, were confronted with a cyber attack in July 2022. It was aimed at a software supplier. As a result of the attack, the administration of the social domain was locked down. Data relating to, among other things, social assistance benefits and youth care were not accessible.
- The notorious Conti ransomware gang took The Sourcing Company’s servers hostage in March 2022. The company provides IT services to many housing corporations. Conti then published thousands of files containing sensitive data on the dark web, including copies of passports and bank details.