On September 12, 2025, the Dutch government published the report “From Vulnerable to Resilient: Lessons Learned from the Imminent Acute and Long-Term Failure of Outsourced ICT Services at Government Organizations.” The document painfully exposes the government’s dependence on external ICT suppliers and the magnitude of the risks when a link in that chain fails.

The findings are relatable to virtually every organization—whether government or private sector. Outsourced ICT is often indispensable, but at the same time, a vulnerable Achilles’ heel. RiskStudio was developed based on precisely this reality: increasing resilience through insight into suppliers, dependencies, and digital risks.

Download Report

Key points of the report

The report identifies several vulnerabilities that emerged during impending IT outages:

1. Dependence on critical suppliers: when one party fails, the continuity of vital processes can be immediately jeopardized.

2. Limited visibility into the supply chain and subsuppliers: organizations know their primary supplier, but often not the underlying parties on which that supplier relies.

3. Inadequate monitoring and reporting: risks often only become apparent after an incident has occurred.

4. Contracts and agreements offer a false sense of security: paper agreements proved insufficient in the event of acute disruptions.

5. Few concrete scenarios for outages: disaster plans or substitution are not properly prepared or tested.

Recommendations from the report 

To make organizations more resilient, the report makes the following recommendations, among others: 

1. Increase insight into the supply chain – know not only the primary supplier, but also its suppliers and dependencies.

2. Monitor continuously – don’t wait for incidents, but actively track the resilience of suppliers and the supply chain.

3. Make risks manageable– translate technical risks into management insights to enable timely action.

4. Prepare scenarios – consider outages in advance, develop test plans, and provide alternative routes.

5. Strengthen governance and collaboration– make agreements on transparency and escalation throughout the supply chain.

How can RiskStudio contribute to resilience?

Here are concrete ways RiskStudio can be used to strengthen the report, further develop recommendations, and mitigate risks:

• Theme from the report
  Possible contribution from RiskStudio
• Outsourcing & Supply Chain Insights
  RiskStudio can provide detailed profiles of IT suppliers: their incident history, digital footprint, and dependencies (e.g., which sub-suppliers or technologies they use). This allows government organizations to assess where their suppliers are vulnerable and where redundancy is necessary.
• Continuity & Disaster Planning
  Through scenario analyses with RiskStudio (what happens if supplier X fails, what are the cascading effects?), an organization can visualize and prioritize risks. This helps in developing contingency plans and determining what is “critical” in an IT chain.
• Monitoring & Early Warning
  RiskStudio can provide daily or periodic monitoring: alerts for incidents, changes in vendor cybersecurity ratings, or exposure to new threats. This allows government organizations to intervene sooner if risks arise.
• Contractual basis & compliance
  Use RiskStudio data in contracts: for example, require suppliers to have a minimum rating/security posture and that sub-suppliers are transparent. This is also useful for audits.
• Benchmarking & best practices
  Compare with other government organizations: who performs (cyber)security work best within outsourcing and infrastructure? What are successful models or vendors? RiskStudio can help with benchmarking, so you can learn from successes and shortcomings elsewhere.
• Visual reporting for management & stakeholders
  RiskStudio can help with graphs, heatmaps, and dashboards that show where the greatest vulnerabilities lie, which suppliers pose the greatest risk, and more. This makes it more transparent and actionable for management and stakeholders.

What is RiskStudio?

RiskStudio is a (Dutch) online platform that helps organizations gain control over their digital dependencies and supply chain risks. In a world where companies increasingly rely on external suppliers and cloud solutions, the question is becoming increasingly urgent: how vulnerable are we if one link in our supply chain fails?

RiskStudio answers this question. Using cyber ratings, data breach or leaked account monitoring, and smart analytics, we identify suppliers, shadow vendors, and digital vulnerabilities. Organizations receive not just a snapshot but a continuous view of their digital ecosystem.

Unique features of RiskStudio are:

1. Fast results: With an outside-in approach, using fully automated publicly available data and passive scans, initial insights are actionable within minutes. So you don’t have to wait for information from your supplier.

2. Continuous insight: Insights are enriched daily with updates. Threats and risks in the digital world change rapidly, and you want to be proactively informed of important trends and developments.

3. Full chain: Not only your direct suppliers, but also downstream and shadow suppliers are inventoried, so you have a complete picture of your digital chain and insight into the (weak) links.

4. Management relevance: Comprehensive dashboards and clear reports instead of technical details. Compare the performance of companies with each other or with the industry. Maintain an overview, focus on what’s important, and formulate policy based on demonstrable insights.

Conclusion

The report “From Vulnerable to Resilient” rightly emphasizes that outsourced IT is both a strength and a vulnerability. Organizations need not only agreements, but above all continuous insight and control over their digital chain. RiskStudio offers exactly that: a future-proof platform that helps organizations apply the lessons learned from this report today. This is how we make the transition from vulnerable to resilient, in both government and business.