Cybersecurity Disclosure in Dutch Annual Reports

<h3>Background</h3> Annual reports provide stakeholders with financial and non-financial risks that could influence company performance, including cyber risks. Cyber incidents can cause financial loss, reputational damage, costs of patching, and potential legal liability. Companies must implement cybersecurity controls and risk management frameworks to prevent such incidents. In 2022, the EU introduced NIS2 and DORA, setting obligations for cybersecurity and supply chain risk management. Supply chain cyber risk has increased, as suppliers are often the weakest link, prompting regulatory requirements to manage third-party risks. <h3>Purpose</h3> This article examines whether the 2022 regulatory changes (NIS2 and DORA) have altered how cybersecurity risks are disclosed in annual reports of Dutch listed companies. The research question is: “To what extent is there an observable change in how Dutch listed companies disclose cyber risk and supply chain cyber risk in their annual reports before and after the introduction of NIS2 and DORA in 2022?” <h3>Method</h3> The study focuses on listed companies on the AEX, AMX, and AscX indices. A keyword research methodology was used, covering annual reports from 2020, 2022, and 2024. Keywords related to cybersecurity and supply chain controls were identified and extracted. Paragraphs, tables, and graphs containing these keywords were collected and analysed. A second round of keyword research focused on the nature of cybersecurity measures and supply chain security information, using keywords aligned with DORA and NIS2 provisions. Data from both phases were compiled in a single Excel file for comparison across years. <h3>Results</h3> All extracted cybersecurity-related content from annual reports was recorded, including the frequency of keyword mentions, relevant paragraphs, tables, graphs, and report sections. The second phase categorized disclosures by cybersecurity controls and supply chain security information, allowing detailed analysis of changes over time. Data were consolidated in a single Excel document, enabling longitudinal comparison of disclosure patterns from 2020 to 2024. <h3>Conclusion</h3> The study provides a framework to assess whether EU cybersecurity legislation has influenced companies’ reporting practices, revealing how changes in regulation may drive revisions and improvements in cybersecurity and supply chain risk management policies.