Skip to main content
hoofdvisual met tekst en landen-EN (1)
  • Author

    Conclusion

    |
  • Publish date

    2 June, 2026

    |
  • Deel

only address digital risks after an incident   62% of organisations

Digital sovereignty: the Netherlands waits until things go wrong   

 

Dutch organisations are broadly aware of their digital vulnerabilities, yet tend to take action only after an incident has occurred. 62% of Dutch respondents acknowledge that risks related to foreign legislation only receive attention following an incident, compared to a European average of 55%. This is according to the Tech Reality Check 2026, a study by Conclusion among 1,058 IT decision-makers across four European countries (the Netherlands, Germany, Portugal and Spain). 

Awareness has yet
 to translate into action 

Digital sovereignty is high on the European agenda. Geopolitical tensions, new legislation such as NIS2, DORA and the Cyber Resilience Act, and a growing awareness of dependency have firmly positioned the topic in many boardrooms. 86% of European respondents are aware of the risks when technology or data falls under foreign legislation. At the same time, only half have translated that awareness into active policy that is actually implemented. As a result, the gap between knowing and doing has itself become a risk.  

people-02

Dutch figures reveal a lag  

The pattern of postponement appears in other areas of the research as well. Only 36% of Dutch organisations have active policies in place to manage risks related to digital dependencies, compared to 53% in Germany and 56% in Spain. Just under half (49%) have full visibility of their critical digital dependencies, versus 70% and 71% in Spain and Germany respectively. In addition, 45% expect major disruption if a critical supplier or cloud platform were to fail — the highest percentage among the countries surveyed.  

Knowledge concentrated among a few  

Another signal emerges from how organisations assess internal knowledge. 68% of Dutch respondents indicate that critical systems rely on technology understood by only a small number of people within the organisation — again the highest percentage among the countries surveyed. This means that in the Netherlands, digital sovereignty is not only a matter of suppliers and jurisdictions, but also of internal knowledge dependency and legacy systems.

 

Lucas Jellema, CTO of Conclusion: “Digital sovereignty is about understanding which technologies, suppliers and knowledge you depend on, and the risks that come with them. That analysis requires structure: map dependencies across systems, processes and datasets, assess the impact of potential disruptions, and determine the residual risks after mitigation. In the Netherlands, we like to see ourselves as a digital frontrunner, but this study shows that awareness of risks is less often translated into concrete decisions and actions compared to similar countries. It reflects a broader pattern: we know there is work to be done, yet postpone it until an incident occurs. What is needed now is not more technology or more policy on paper, but governance that drives decision-making: which risks do we accept, which mitigation measures do we implement, and who within the organisation takes ownership? Only by making these choices explicit can organisations establish the control needed to truly strengthen digital sovereignty.”

Mockup TRC EN

About the study  

 The Tech Reality Check 2026 is the first study in an annual series by Conclusion. It was conducted among 1,058 IT decision-makers in Germany, the Netherlands, Portugal and Spain, and explores four themes: costs and technical debt, digital sovereignty, collaboration in data ecosystems, and agility in an AI-driven organisation. The full report is here available:

Tech Reality Check 2026