According to the recent KPN study Cyber Resilient Netherlands 2026, Dutch organizations rate their digital resilience at an average of 7.1, but there appears to be a clear gap between ambition and implementation — especially in the areas of supply chain security and monitoring.
KPN’s study, conducted among more than 250 IT and security professionals in vital sectors such as energy, healthcare, government, and financial services, shows that organizations are making progress, but that fundamental building blocks of digital resilience such as governance, security monitoring, crisis management, and supply chain security are still insufficiently implemented.
In this blog, we explain why supply chain risks pose such a challenge — and how RiskStudio can support organizations in strengthening this critical pillar of cyber resilience.
The Problem: Limited Visibility into Suppliers and SaaS Services
One of the clearest conclusions from the KPN study is that many organizations still have insufficient insight into their suppliers and the SaaS services they use. As a result, risks arising outside their own organizational boundaries largely remain invisible and thus unmanaged. While internal security is often reasonably in order, there is a lack of overview of what is happening with external parties that have a direct impact on the organization’s continuity and security.
In modern ICT ecosystems, organizations no longer operate in isolation. They are highly dependent on cloud platforms, third-party software, managed service providers, and other supply chain partners. Without structural monitoring and an up-to-date overview of these dependencies, there is a high probability that disruptions or security incidents will only be discovered when the impact is already noticeable. An incident at a SaaS provider can therefore lead not only to operational downtime but also to non-compliance with legal and regulatory obligations such as the NIS2 directive and the Cybersecurity Act, potentially resulting in legal and reputational damage.
Governance and Ownership are Crucial
The KPN study shows that many organizations still struggle with clear governance around digital resilience. Roles and responsibilities are often fragmented, making it unclear who truly owns specific cyber risks. This applies not only to their own IT environment but explicitly also to risks arising through suppliers, SaaS services, and other supply chain partners. Without clear agreements on ownership and decision-making, cybersecurity remains a shared responsibility without clear direction, which demonstrably hinders the organization’s maturity.
When ownership and governance of risks are lacking, vulnerabilities are primarily addressed reactively and ad hoc. Structural weaknesses persist, and signals from the supply chain do not always receive the appropriate priority. As a result, incidents are often recognized too late, can spread more quickly, and ultimately lead to greater impact and longer downtimes than necessary. Effective governance, with explicitly assigned responsibilities and insight into supply chain dependencies, is therefore an essential prerequisite for managing cyber risks and sustainably strengthening digital resilience.
Supply Chain Risks Require a Structural Approach
The KPN report emphasizes that organizations must shift their focus from exclusively internal systems to gaining structural control over the entire digital supply chain. Cyber resilience does not stop at one’s own infrastructure but extends to suppliers, service providers, and other external dependencies. This requires continuous insight into who these parties are, what services they provide, and how critical they are to business operations.
This means:
- Continuous insight into supplier and service relationships
- Proactive monitoring of external risks
- Integration of risk signals from the entire supply chain
- Practicing and testing crisis scenarios including supply chain impact
In practice, however, this proves complex for many organizations: without mature tooling, integrated processes, and up-to-date data, it is difficult to implement this chain-wide approach structurally and scalably.
How RiskStudio Can Help
As a partner of KPN Business Partner, RiskStudio closely aligns with the challenges exposed by the KPN study in the field of supply chain risks. Where many organizations struggle with limited insight and fragmented information, RiskStudio offers a data-driven and scalable approach to gain control over external dependencies. By automatically analyzing externally visible digital footprints, RiskStudio maps out which suppliers, cloud services, and infrastructure components are actually part of the supply chain, without the need for manual inventories or questionnaires.
✦ Automatically identify digital relationships
RiskStudio analyzes the externally available digital footprints of both the organization itself and its supply chain partners. This automatically creates a clear overview of which suppliers, cloud services, and infrastructure components are essential for business operations, entirely without manual work or time-consuming inventories.
✦ Continuous risk monitoring
Instead of relying on sporadic or reactive reports, RiskStudio offers continuous monitoring of threats throughout the entire supply chain. Signals such as open vulnerabilities, domain issues, or incidents at suppliers are automatically collected, aggregated, and prioritized, so organizations always have an up-to-date and actionable overview of their risks.
✦ Supplier and supply chain analysis
RiskStudio makes it possible to assess third-party and supplier risks in an objective and structured manner. This allows organizations to establish robust risk profiles that not only align with governance objectives but also meet relevant compliance requirements.
✦ Dashboarding and reports for stakeholders
With RiskStudio, organizations can generate clear and insightful dashboards and reports specifically tailored to the needs of management, the board, and other stakeholders. These reports not only provide an up-to-date picture of supply chain risks but also show trends, priorities, and the effectiveness of measures taken. These insights enable decisions about risk management and mitigation investments to be substantiated with facts and made transparently. Moreover, the reports support demonstrating compliance and governance, ensuring organizations are not only better prepared for incidents but also demonstrably meet legal and internal obligations.
More than Tooling: Focus on Governance and Evidence
RiskStudio not only offers technological support but also helps organizations strengthen their structural processes. For example, decision-making processes are supported with evidence-driven insights, KPIs can be established around supply chain security and monitoring, and compliance requirements such as NIS2 are translated into concrete, actionable steps. Through this combination of tooling and process strengthening, RiskStudio contributes to a more mature and proactive cybersecurity strategy, rather than merely reactively solving incidents.
Conclusion
The KPN study Cyber Resilient Netherlands 2026 underscores that digital resilience, and specifically supply chain security and supply chain risks, remains a point of attention for many organizations.
Organizations are increasingly dependent on external parties, and visibility into this supply chain is becoming a strategic necessity. By continuously monitoring risks, understanding relationships, and strengthening governance, organizations can become more resilient against threats not only in their own environment but also in that of their partners.
RiskStudio plays an important role in this: with automated scanning technology, risk models, and governance support, it helps organizations make supply chain risks measurable and thereby strengthen digital resilience.
Read the report yourself
The study can be requested via the following link: KPN Study Cyber Resilient Netherlands 2026