Research report · 2025
Security Awareness Benchmark Netherlands 2025
Based on anonymised platform data from Dutch organizations that used 2LRN4 in 2024. Phishing click rate, training completion and NIS2 readiness — measured at the start and after 12 months.
Data: 2024 · Scope: Netherlands · Method: anonymised aggregation via 2LRN4 platform · License: CC BY 4.0
Key findings
Interpretation: Organizations that combine phishing simulations with e-learning and clear management communication achieve a click rate well below 10% after 12 months — the threshold typically applied in NIS2 audits.
Phishing click rate by sector
| Sector | At start | After 12 months | Improvement |
|---|---|---|---|
| Healthcare | 24% | 8% | −67% |
| Education | 22% | 7% | −68% |
| Government | 19% | 6% | −68% |
| Industry | 17% | 5% | −71% |
| Financial | 14% | 4% | −71% |
Most dangerous phishing types
Percentage of employees who clicked on the first simulation of this type.
NIS2 readiness: before and after
- Demonstrable board training (art. 20)
- Employee phishing awareness (art. 21)
- Audit evidence and reporting
Data collected via the 2LRN4 platform during calendar year 2024. Anonymised and aggregated across participating organizations in the Netherlands. Phishing click rate: percentage of unique employees who clicked on a simulated phishing email. Training completion: percentage of started e-learning modules that were fully completed. NIS2 readiness: score on the 2LRN4 readiness check (16 criteria based on art. 20 and 21 of the NIS2 Directive). Sector classification based on Dutch SBI codes. Organizations with fewer than 50 employees are excluded. License: CC BY 4.0 — free to cite with attribution "2LRN4 Security Awareness Benchmark Netherlands 2025".
Including sector comparison, NIS2 analysis and recommendations per organization size. Free to use with attribution.
See how 2LRN4 takes organizations from 44% to 81% NIS2 readiness.
NIS2 awareness platform