Research report · 2025
Security Awareness Benchmark Netherlands 2025
Based on anonymised platform data from Dutch organizations that used 2LRN4 in 2024. Phishing click rate, training completion and NIS2 readiness — measured at the start and after 12 months.
Data: 2024 · Scope: Netherlands · Method: anonymised aggregation via 2LRN4 platform · License: CC BY 4.0
Key findings
Interpretation: Organizations that combine phishing simulations with e-learning and clear management communication achieve a click rate well below 10% after 12 months — the threshold typically applied in NIS2 audits.
Phishing click rate by sector
| Sector | At start | After 12 months | Improvement |
|---|---|---|---|
| Healthcare | 24% | 8% | −67% |
| Education | 22% | 7% | −68% |
| Government | 19% | 6% | −68% |
| Industry | 17% | 5% | −71% |
| Financial | 14% | 4% | −71% |
Most dangerous phishing types
Percentage of employees who clicked on the first simulation of this type.
NIS2 readiness: before and after
- Demonstrable board training (art. 20)
- Employee phishing awareness (art. 21)
- Audit evidence and reporting
Data collected via the 2LRN4 platform during calendar year 2024, anonymised and aggregated across participating organizations in the Netherlands. Definitions used in this report:
- Phishing click rate: percentage of unique employees who clicked on a simulated phishing email.
- Training completion: percentage of started e-learning modules that were fully completed.
- NIS2 readiness: score on the 2LRN4 readiness check (16 criteria based on art. 20 and 21 of the NIS2 Directive).
License: CC BY 4.0, free to cite with attribution.
Including sector comparison, NIS2 analysis and recommendations per organization size. Free to use with attribution.
See how 2LRN4 takes organizations from 44% to 81% NIS2 readiness.