Digitale weerbaarheid van Nederlandse organisaties: Mogelijkheden en uitdagingen voor de meetbaarheid
[Digital resilience of Dutch organisations: Opportunities and challenges for measurability]
Research. Published Jan 22, 2026
This study examines how the digital or cyber resilience of Dutch organisations can be measured in a broadly applicable way. It analyses existing frameworks, identifies gaps, and highlights opportunities and challenges for measurability to support effective cybersecurity policy and strengthen organisational digital resilience.
Note: This report is in Dutch. An English-language summary is available.
Governments increasingly acknowledge that not all incidents can be prevented, shifting their emphasis from prevention to resilience — the ability of systems to continue functioning despite disruptions. In the digital domain, this concept is referred to as digital resilience or cyber resilience, which is essential as societies and organisations grow more dependent on technology. This study, commissioned by the Research and Data centre of the Dutch Ministry of Justice and Security on request of the National Coordinator for Security and Counterterrorism (NCTV), explores whether and how the digital resilience of Dutch organisations can be measured in a broadly applicable way. It combines a literature review, expert interviews, and internal workshops to assess existing approaches for measuring resilience. Eighteen methods were identified and analysed, covering various technical, procedural and organisational aspects. Most focus on qualitative indicators and lack empirical evidence of validity or reliability. None offer a complete, data-driven picture of organisations' resilience levels, nor are such methods currently used by governments for measurement purposes. Nevertheless, several existing frameworks — such as Cyber Essentials, NIST, ISO, and domain-specific models — provide useful starting points for designing future measurement tools. Given the conceptual and practical challenges, the study recommends that the NCTV proceeds incrementally, starting with comparable benchmarks for specific components of resilience. As formal reporting obligations are limited, voluntary and legally aligned data collection should be pursued, leveraging frameworks such as the Dutch Cybersecurity Act (implementing NIS2). Such efforts can gradually improve insight into the digital resilience of organisations and support effective policy development.
Despite the policy emphasis on digital/cyber resilience, there is currently no established, comprehensive method for measuring it at the organisational level. The study identified 18 existing approaches, but none fully capture all phases of resilience (identify, protect, detect, respond, and recover) nor integrate technical, procedural and organisational measures. Most rely on qualitative assessments and lack demonstrated validity or reliability, making it difficult to use them for government-level monitoring or comparison between organisations.
Digital resilience depends on a wide range of dynamic factors, such as evolving threats, complex technologies, and social and organisational conditions that are hard to quantify. Moreover, organisations are deeply interdependent, meaning factors beyond their control — like supply chain disruptions — can affect resilience outcomes. These complexities make it challenging to develop credible, quantitative indicators or data-driven measurements that accurately reflect resilience across different organisational contexts.
Given the limitations of current tools, the study concludes that the Dutch National Coordinator for Security and Counterterrorism (NCTV) should take a step-by-step approach. We advise starting by benchmarking specific aspects of digital/cyber resilience, for example recovery after incidents, and progressively expanding the measurement scope. Data collection should also align with existing mechanisms and mandates — such as reporting under the Dutch Cybersecurity Act (which implements the EU's NIS2 Directive). This incremental strategy would enable richer insights without imposing undue burdens on organisations.
The research described in this report was prepared for the Wetenschappelijk Onderzoek- en Datacentrum (WODC) within the Dutch Ministry of Justice and Security and conducted by RAND Europe.
This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.
RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.