Dutch organisations are aware of their digital dependencies, but are still slow to translate this into action, according to research by NPM portfolio company Conclusion. The Tech Reality Check 2026, conducted among 1058 IT decision-makers in four European countries, shows that 62 percent of Dutch respondents only take risks related to foreign legislation seriously after an incident, compared to 55 percent on average in Europe.
Although digital sovereignty is high on the agenda due to geopolitical developments and new regulations, concrete action is lagging behind. While 86 percent of European respondents say they are aware of the risks of relying on foreign technology, only half have translated this awareness into actively applied policies, creating a gap between awareness and execution.
This gap is relatively large in the Netherlands. Only 36 percent of organisations have active policies in place to manage digital dependencies, compared to 53 percent in Germany and 56 percent in Spain. In addition, 49 percent have full insight into critical dependencies, whereas this is around 70 percent in Spain and Germany. Furthermore, 45 percent of Dutch organisations expect major disruptions if a key supplier or cloud platform fails.
“Digital sovereignty is about understanding which technologies, suppliers and knowledge you depend on, and the risks that come with them,” said Lucas Jellema, CTO of Conclusion. “This requires a structured approach: mapping dependencies per system, process and dataset, assessing the impact of potential disruptions, and weighing the remaining risks after mitigation.”
Jellema added: “In the Netherlands, we like to see ourselves as a digital frontrunner, but this research shows that awareness of risks is less often translated into concrete decisions and measures than in comparable countries. It reflects a pattern: we know action is needed, yet postpone it until an incident occurs. What is needed now is not more technology or policy on paper, but governance that forces choices: which risks do we accept, which mitigation measures do we take, and who takes ownership within the organisation? Only by making these choices explicit can organisations gain the control needed to strengthen digital sovereignty.”
