Use of two-factor authentication doubles among Dutch companies since 2017
The adoption of two-factor authentication (2FA) and stronger password policies has risen sharply among Dutch companies over the past seven years, according to the Cybersecurity Monitor 2024 published by Statistics Netherlands (CBS). The report was requested by the Ministry of Economic Affairs.
By 2024, 61 percent of Dutch companies had implemented two-factor authentication for their websites, apps, or ICT systems—a more than twofold increase from 26 percent in 2017. Meanwhile, 72 percent had established formal password policies, up from 57 percent seven years earlier.
Two-factor authentication requires users to enter a second code in addition to a password, typically sent via SMS, an app, or a separate device. Password policies enforce the use of complex passwords with combinations of numbers, uppercase letters, and special characters.
Larger companies are leading the push toward safer logins. In 2024, 97 percent of businesses with 250 or more employees used 2FA, compared to 57 percent of companies with 2 to 10 employees. Password policies followed a similar pattern of higher adoption in bigger firms.
However, the increase in smaller companies’ adoption of these security measures has been more rapid. Among companies with 10 to 50 employees, the use of 2FA rose from 29 percent in 2017 to 76 percent in 2024. Password policies in that group grew from 64 to 80 percent.
Sector-wise, two-factor authentication was most common in 2024 in the information and communication sector (88 percent), followed by financial services (83 percent) and health and social care (80 percent). The hospitality industry used 2FA the least, but saw the strongest growth—from 16 percent in 2017 to 44 percent in 2024. Password policies showed similar trends across sectors.
Despite these advances, cybersecurity incidents continue to occur. Larger companies report more incidents, though the overall number of companies experiencing cyberattacks has declined across all sizes. Among the largest firms, 39 percent reported an external cyberattack in 2016, dropping to 16 percent in 2023.
