The real question is not who carries the CISO title, but who owns digital risk before pressure arrives.
On a wet Tuesday morning, the founder of a twelve-person installation company opens three things at once: a supplier email asking for new bank details, an AI draft for a tender, and a message from the IT provider about an urgent software patch.
The signal has to become readable
That is where the business story sits. Cybersecurity is no longer a server-room topic. The Chief Information Security Officer "wordt steeds belangrijker" (is becoming ever more important), as the Dutch search phrase puts it, but the title is not the point. This is now a board and ownership question.
The owner behind the title
Rijksoverheid confirmed that the Tweede Kamer adopted the Cyberbeveiligingswet and the Wet weerbaarheid kritieke entiteiten on 15 April 2026. The Cyberbeveiligingswet implements the European NIS2 directive in Dutch law.
Government guidance already names the sectors likely to carry the load: energy, transport, banking, healthcare, drinking water, digital infrastructure, ICT service management, and digital providers. It also points to postal and courier services, waste management, food, chemicals, research, and manufacturing. Certain micro and small digital service providers can also fall within the NIS2 frame.
For most micro and small firms, the practical issue is simpler than the title sounds. They will not hire a full-time chief information security officer. The harder question is who can decide about access, suppliers, payment checks, AI use, logs, recovery, and customer notice when pressure arrives.
That pressure does not stop at the legal border. It moves through customer contracts, tenders, insurers, banks, chain partners, and larger clients that need proof from smaller suppliers.
The small-company gap
CBS gives the sober picture. In 2024, 1% of all companies reported a cyberincident with costs caused by an external attack. Another 3% reported such an incident without costs.
What the signal changes
In 2025, 86% of companies with 250 or more employees had taken ten or more of twelve surveyed cybersecurity measures. Among companies with 2 to 10 employees, the share was 13%.
That gap is where many smaller suppliers live. A design office, payroll bureau, logistics partner, installer, consultant, or software shop may sit inside the working chain of a larger organisation. The larger client may ask for cyber rules, supplier checks, audit answers, incident clauses, and insurance proof.
CBS also reported that 19% of all companies were insured against cyberincidents. Insurance helps, but it does not replace control. After an incident, a company still needs proof that it acted early, handled the issue properly, and kept its records in order.
Cash, contracts, and evidence
I read cyber governance first through cash. DNB distinguishes non-bank fraud, where the victim gives or approves a payment under false pretences, from bank fraud, where payment happens without account-holder consent. CEO fraud and invoice fraud belong in the first group.
For a small company, that means a supplier bank account changed by email, a rushed holiday payment, or a mailbox that looks normal until the money is gone.
For the installation founder, the value lies in simple control. A payment-change rule cannot rely only on email. Someone must know who can approve bank details, who can enter the accounting system, who still has access after leaving, and which supplier holds customer or staff data.
The same question applies after an incident. DNB says the time between discovery and exploitation of software vulnerabilities has shortened to hours, and sometimes minutes. That gives roles, contact lists, logs, and decision notes real business value.
What founders should check
DNB explains that DORA has applied in the financial sector since 17 January 2025. It focuses on ICT risk, incidents, testing, outsourcing risk, and cyber information sharing. Financial institutions must also keep an information register for ICT service contracts.
AFM said on 11 June 2026 that DORA gap analyses by trading platforms were often too general. It pointed to monitoring, access management, logging, emergency changes, and continuity management. For smaller firms outside that sector, DORA works mainly as a control pattern: policy is weak if nobody can show what happened.
AI belongs in the same conversation
AI pulls this topic further into management. CBS reported that in 2025, 33% of companies with 10 or more employees used one or more specified AI technologies. That was up from 23% in 2024 and 14% in 2023. The 2025 figure is provisional.
Rijksoverheid states that the EU AI Regulation entered into force on 1 August 2024 and is being phased in. Certain unwanted AI applications have been prohibited since February 2025. High-risk AI requirements and transparency obligations follow from 2 August 2026.
For a small firm, the first control question is modest. Which AI tools are staff using, what data goes into them, and who checks the output before it affects a customer, worker, contract, tender, or payment?
A calmer boardroom habit
UWV expects ICT jobs to grow by about 20,000 through 2028, driven by digitalisation, cybersecurity, and AI. That labour-market forecast keeps the discussion honest. Many small firms will not solve this by hiring a senior specialist.
A workable rhythm can still be modest. Name one owner with access to the founder or board. Give that person enough authority to stop unsafe shortcuts. Put the same issues on the monthly agenda: critical systems, supplier access, former staff accounts, payment-change controls, backups, AI tools, incident contacts, customer notice, and contract duties.
The Chief Information Security Officer is becoming more important, and the CISO moving toward the boardroom is a useful symbol. But it is not the story for most Dutch small businesses. The story is that the boardroom itself has become digital. Cash, trust, staff data, customer files, supplier portals, AI tools, and tax records now sit in the same operating space. Someone has to own that space before the wrong email, login, or outage becomes tomorrow morning’s business decision.
Sources
- CBS source
- Chief Information Security Officer wordt steeds belangrijker binnen bestuur
- Overheid.nl Wetgevingskalender – Cyberbeveiligingswet and NIS2 legislative status
- Rijksoverheid – Rijksoverheid warning not to wait for Cyberbeveiligingswet
- Ondernemersplein, Overheid.nl – NIS2 reach into sectors, suppliers, and smaller firms
- CBS – AI and digital work are now normal business infrastructure
- DNB – Cyber and AI as financial-stability and third-party risk
- DNB – DORA as a practical model for ICT risk governance
The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.
