Digital resilience is (in short) the extent to which companies have taken measures against (the consequences of) digital incidents. The NCTV (Nationale Cybersecurity strategie 2022 – 2028) gives the following description:
“The ability to bring risks to an acceptable level through a set of measures to prevent cyber incidents and when cyber incidents have occurred to detect them, mitigate damage and make recovery easier”.
The U.S. National Institute for Standards and Technology[1] defines “cyber resilience” as follows:
“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
The following definition is common in the EU:
“Cyber resilience refers to the ability to protect electronic data and systems from cyberattacks, as well as to resume business operations quickly in case of a successful attack.”
Whatever definition is used, it is important that the following aspects are taken into account:
- It concerns a package of measures that an organisation or company has taken;
- Cyber incidents can be malicious and non-malicious (such as attacks on the one hand and accidents on the other);
- It includes both preventive and mitigating measures. This includes visibility into threats, incident prevention and measures aimed at mitigating the consequences and accelerating recovery;
- Measures can be technical in nature, but also relate to organisational and human aspects such as implementing procedures or raising knowledge and awareness.
Many stakeholders use a somewhat “tight” definition of digital resilience that is about measures aimed at preventing cyber attacks and less explicitly about non-malicious cyber incidents (such as an underground telecom cable that is accidentally cut during a construction project). We also include such non-malicious incidents in the scope of digital resilience strategies and measures.
Digital resilience is of great importance for individual companies. There are different types of risks, ranging from phishing attacks (where, for example, a fake email asks for sensitive information) and ransomware attacks (in which company data is encrypted and returned for ransom) to the failure of software or hardware in both office and industrial processes, causing them to come to a standstill, et cetera.
When one of the above occurs, this can have consequences for the continuation of business operations or business activities and cause economic or reputational damage to an individual organisation or the chain in which this organisation works. Cyber attacks can also have (personal) consequences for customers or employees of companies, for example when personal data is distributed.
Digital resilience is not only important for individual companies, but also for (business) ecosystems. Ecosystems are groups of organisations/companies that are geographically close and interdependent (see section 3.1 for a further explanation of the concept of ecosystem and some important aspects). In the event of cyber incidents, the consequences can have an impact on other companies. This could include a cyber incident at an energy company, (drinking) water supplier, financial institution or telecommunications company, where the consequences do not only relate to that company, but can affect others who depend on these companies. For a healthy ecosystem, it is therefore important that the ecosystem as a whole is also sufficiently mature when it comes to digital resilience.
There are some examples of incidents in the Netherlands where an attack had an impact on other companies (KPN Security provides an annual overview of major and high-profile cyber incidents in the Netherlands):
- Due to a ransomware attack at logistics company Bakker at the beginning of April 2021, delivery from several warehouses came to a standstill. Customers could not pass on orders and it was not possible to locate products in the warehouses. The attack led to empty cheese shelves at Albert Heijn. After about a week, the ‘cheese hack’ was solved.
- The international meal service Apetito was hit by a ransomware attack in June 2022. As a result, the company had little or no access to its IT systems. Apetito supplies meals to healthcare institutions, childcare and private individuals, among others. The attack disrupted the production and delivery of meals.
- Five municipalities in Limburg, including Kerkrade and Vaals, were confronted with a cyber attack in July 2022. It was aimed at a software supplier. As a result of the attack, the administration of the social domain was locked down. Data relating to, among other things, social assistance benefits and youth care were not accessible.
- The notorious Conti ransomware gang took The Sourcing Company’s servers hostage in March 2022. The company provides IT services to many housing corporations. Conti then published thousands of files containing sensitive data on the dark web, including copies of passports and bank details.
In Breda, the theme of Digitisation has gained more and more (policy) focus in recent years. For example, the Masterplan Bredata has been drawn up, aimed at Digitisation and the development of a smart city. The goal is to contribute to the liveability of Breda and to make the city excel in the field of digital possibilities by 2030, with a top-of-the-line digital infrastructure. The plan proposes Digitisation as a catalyst for connecting infrastructures, residents and visitors, further strengthening Breda’s strengths. The municipality emphasises the important aspects of Digitisation – such as security, privacy and humanity – and puts the quality of life of its residents first.
In the context of security, the Breda city region is also highly committed to digital resilience. That is why the region is involved with two initiatives in the City Deal “Local Resilience Cybercrime”, in which Breda collaborates on new solutions to increase the cyber resilience of companies in a world in which cybercrime continues to increase. Digitaal Weerbaar Breda has a strong relationship with this city deal.
In addition to the more policy-based programmes, there are numerous (smaller) initiatives that contribute to the digital resilience of the city region. For example, the Gastveilig Hazeldonk project at the Hazeldonk business park is experimenting with applied digital technologies to increase (digital) security.
There are also initiatives at regional level within the same domain. The Platform veilig Ondernemen (Zeeland West – Brabant) organises, among other things, information meetings, training courses and thematic meetings in the field of cybercrime. In addition, there are connections with other city regions and their initiatives that deal with the same problems, for example with the Cyber Resilience Centre Brainport. And finally, Digital Resilient Breda started in 2020, when the Covid-19 pandemic led to concerns about the cyber security of the local Amphia hospital. After all, a breach of its systems would have a major impact on society. Several organisations that are essential for the region have joined forces and together formed Digital Resilient Breda.