Insights from Dutch Cybersecurity Report – Key impacts for M&A deals

As companies navigate an increasingly complex M&A landscape, cybersecurity has evolved from a technical IT concern to one of the critical commercial and legal risk factors that can materially impact transaction value, deal structure, and post-closing integration. 

The Dutch Cybersecurity Report 2025 by the National Coordinator for Security and Counterterrorism (Nationaal Coördinator Terrorismebestrijding en Veiligheid, NCTV) confirms a clear trend: the digital threat landscape in the Netherlands is becoming more diverse, more sophisticated and more closely linked to geopolitical tensions, reflecting a broader global trend. State actors, organised cybercriminals and other malicious actors operate at a large scale and increasingly target commercial organisations and critical (digital) infrastructure.

The report is based, among other things, on information shared in Project Melissa, an ongoing collaboration between the Dutch Police, the Dutch National Cyber Security Centre (NCSC) and various private sector parties to make the Netherlands an unattractive target for ransomware. The Dutch Data Protection Authority has also contributed incident data. 

Below we outline three key themes from the report and highlight what they mean for Dutch businesses.

Key takeaways 

1. Supply chain vulnerabilities  

The report shows that a growing number of cyber incidents originate in the digital supply chain. This means that the cybersecurity posture of a target in an M&A transaction can no longer be assessed in isolation. Even if internal systems appear well protected, vulnerabilities at key suppliers, cloud providers or other third parties can create significant exposure.

Recent incidents illustrate this clearly. A cyberattack on a supplier to several Dutch municipalities triggered data breaches at municipalities including Dinkelland, Tubbergen and Amersfoort. A separate ransomware attack on a Dutch laboratory led to the leakage of highly sensitive patient data. Eurofins announced in August 2025 that sensitive data had been stolen from healthcare providers that had commissioned research at the laboratory during a July attack. A Dutch centre for population health screening subsequently informed 941,000 individuals that their data may have been compromised.

The impact: 

• For acquirers in M&A transactions and investors, traditional due diligence focused on internal systems is no longer sufficient. 

• The digital supply chain of a target needs to be mapped: which software and cloud providers are critical to operations, and which processors handle sensitive data? Where feasible, there is growing emphasis on obtaining security certifications, penetration test reports and incident histories from or relating to key suppliers.

2. Sector-specific risks 

The NCTV report confirms that cyberattacks affect all layers of society, including vital (digital) infrastructure. The telecommunications sector is a good example of how various risks converge, because many other sectors depend on the functioning of telecommunications services.

During the reporting period, the NCTV observed numerous attacks on telecommunications companies worldwide, in some cases revealing that malicious actors had been present in systems for a long time before detection. In the Netherlands, several smaller internet and hosting providers were targeted, and hackers reportedly had access to the networks of various telecom providers for at least a year.

To address these risks, Dutch authorities are working continuously on measures to strengthen resilience in vital processes and sectors. For telecommunications, requirements are being, or will be, laid down in national legislation, including the Dutch Telecommunications Act  and the forthcoming Dutch Cybersecurity Act (, which implements the EU’s Network and Information Security Directive 2). The report concludes that, although the resilience of the Dutch telecoms sector is generally robust, significant challenges remain, and the threat level is not expected to decrease.

The impact:. 

• M&A deals involving telecommunications, critical (digital) infrastructure, healthcare or financial services require specialised cybersecurity and regulatory due diligence. 

• For telecom targets, acquirers should assess compliance with the Dutch Telecommunications Act and the forthcoming Dutch Cybersecurity Act.

• Several regulators may be involved. Supervision of the Telecommunications Act lies with the Dutch Authority for Digital Infrastructure, while the Dutch Cybersecurity Act is expected to fall within the remit of the NCSC. 

• Certain transactions may trigger notification or approval requirements. This can add months to transaction timelines and introduce additional conditions to closing, with a direct impact on deal certainty.

3. AI-enhanced threats accelerate attack sophistication

A further theme in the NCTV report is the role of generative artificial intelligence and large language models The technology itself is not inherently a security threat, but its application significantly lowers the barrier to entry for attackers. Cybercriminals increasingly rely on LLMs to generate or refine malicious code, to design more convincing phishing emails and to conduct targeted social engineering at scale.

The report notes a rise in attacks in which generative AI plays a role, including in malware development. Between January 2025 and March 2025, four such attacks caused DigiD, the Dutch secure login system for government services, to be offline for an hour or longer. These incidents disrupted all connected services during the outages and underlined how dependent public and private processes have become on digital identity systems.

The impact:, 

• Dutch companies should critically review their AI governance and risk management frameworks, data protection and confidentiality controls, and ensure that their use of AI aligns with evolving European Union and national rules, including the EU AI Act (Regulation (EU) 2024/1689). 

• For acquirers in M&A transactions, this also means that it is important to assess how a target’s AI, cybersecurity and broader compliance framework would fit within their existing governance structure. 

• This is particularly relevant for joint ventures (which requires alignment between equal partners), minority investments where the acquirer does not acquire 50 percent or more of the target’s share capital (where minority shareholders have limited influence and must rely on reserved matters), or cross-border transactions between European Union and non-EU companies operating under fundamentally different compliance regimes (where the differences between such regimes must be identified and pushback can be expected from shareholders in less restrictive regimes). 

• Evaluation of board-level preparedness for cyber incidents is critical. Deal teams should verify that targets have documented contingency plans addressing breach scenarios, including clear decision-making authority, communication protocols and regulatory notification procedures. The DigiD incidents illustrate why such contingency planning matters: even brief, hours-long outages can cascade across all dependent systems and processes, potentially affecting closing timelines or the acquirer’s own operations if integration has commenced.

Read more: Addressing the increased threat landscape with a holistic approach to data, cyber and AI governance

Looking ahead

The Dutch Cybersecurity Report 2025 confirms that the digital threat landscape facing Dutch organisations is becoming more diverse, more complex and more interconnected. At the same time, the regulatory framework is evolving rapidly. The forthcoming Dutch Cybersecurity Act, together with sector-specific rules and the gradual roll-out of the EU AI Act, will further raise the bar for cybersecurity, governance and incident response across many sectors. For Dutch companies and dealmakers, cyber risk could now be regarded as both a business risk and a deal risk.

Mariken van Esch, Tom Reker and Lilianne Bunk