The Netherlands’ national data protection authority reported that it has been the victim of a cybersecurity breach that exposed some employee information. The Autoriteit Persoonsgegevens, the Dutch body responsible for enforcing privacy rules, said the incident involved unauthorised access to its systems and is under active investigation.
The regulator said in a statement that it detected the breach in early February 2026 and immediately took steps to isolate affected systems and contain the incident. Initial analysis indicated that the attackers accessed personal data belonging to several of its staff members. The authority did not disclose the exact number of employees affected or specify what categories of information were accessed.
The Autoriteit Persoonsgegevens said it has engaged external cybersecurity experts to assist with forensic analysis and ongoing response efforts. The organisation added that it has notified relevant supervisory bodies and is in contact with law enforcement authorities as part of the inquiry. Officials said they are taking steps to strengthen network protections and prevent similar incidents in the future.
The authority emphasised that its core regulatory functions and public services remain operational despite the breach. It said that while employee data was accessed, at this stage, there is no indication that any external party has misused the information. The organisation said it is continuing to review logs and system records to determine the full extent of unauthorised activity.
Cybersecurity analysts noted that even organisations responsible for data protection are vulnerable to attacks, and that incidents affecting internal records can present reputational and operational challenges. Experts recommend regular risk assessments, multifactor authentication, and ongoing monitoring as part of a comprehensive security strategy. They said notification to affected individuals and authorities should follow applicable legal requirements.
The Autoriteit Persoonsgegevens said it will update the public and its staff as more information becomes available and as the investigation progresses. It reaffirmed its commitment to data protection and said it will review and enhance its internal security measures following the incident.