Digital resilience is, in short, the extent to which an organisation has taken measures against digital incidents and their consequences. The NCTV (in the Nationale Cybersecurity strategie 2022 – 2028) gives the following description:
“The ability to bring risks to an acceptable level through a set of measures to prevent cyber incidents and when cyber incidents have occurred to detect them, mitigate damage and make recovery easier”.
The U.S. National Institute of Standards and Technology[1] defines “cyber resilience” as follows:
“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
The following definition is common in the EU:
“Cyber resilience refers to the ability to protect electronic data and systems from cyberattacks, as well as to resume business operations quickly in case of a successful attack.”
Whatever definition is used, it is important that the following aspects are taken into account:
- It concerns a package of measures that an organisation or company has taken;
- Cyber incidents can be malicious and non-malicious (such as attacks on the one hand and accidents on the other);
- It covers both preventive and mitigating measures: visibility into threats, prevention of incidents, and measures that limit the consequences of an incident and speed up recovery;
- Measures can be technical in nature, but also relate to organisational and human aspects such as implementing procedures or raising knowledge and awareness.
Many stakeholders use a somewhat narrow definition of digital resilience that focuses on measures aimed at preventing cyber attacks and says less, or nothing explicit, about non-malicious cyber incidents (such as an underground telecom cable that is accidentally cut during construction work). We include such non-malicious incidents in the scope of digital resilience strategies and measures as well.