Database resilience – basic registrations
Is personal and business data in safe hands?
Defining the problem
Many government services, used by millions of Dutch households and involving billions of euros of revenues and expenditure, are reliant on databases containing basic personal and business data. These databases are consequently essential for the effective functioning and performance of the government.
The central government stores huge volumes of citizens’ personal data in all sorts of databases. This data includes not only names, addresses and dates of birth, but also, for example, details of income and assets and people’s views on organ donation. These databases also store all sorts of business details, including financial information on companies and details of their directors. This information is extremely valuable, both for the government and for citizens and businesses themselves. Without it, collecting taxes efficiently, paying benefits, checking someone’s identity and issuing permits and licences all become very difficult. Personal and business data is often also confidential and can be misused if it falls into the wrong hands.
Given society’s reliance on this often confidential digital information, it is vital to be able to trust that data will be processed securely and will be available for use whenever necessary. This is not something we can automatically assume: the government has to take account of the possibility, for example, that hackers may gain access to databases or deny other parties access to them. Another risk is that the government may be reliant on external IT suppliers. Contingency plans must then be in place in case these suppliers are unable to continue providing services.
What are we auditing?
This audit will cover 23 of the government’s basic registration systems held in databases. Some of these have been statutorily designated as ‘basic registrations’. In each case, we will audit:
- the effects on citizens and businesses if data in these databases becomes unavailable or becomes available to unauthorised parties;
- whether implemented security measures work in practice;
- any potential over-reliance on IT suppliers;
- whether preparations are in place to deal with crises and emergencies.
Why are we carrying out this audit?
Various recent examples have shown what can happen if sensitive personal or business data falls into the wrong hands. In summer 2025, for instance, criminals were able to access confidential data of women who had taken part in the government’s cervical cancer screening programme. On occasion, government organisations have also been found to be highly reliant on a single IT supplier. This can result in major problems if a supplier does not have effective security measures in place or becomes insolvent, as threatened to happen in 2024 in the case of the French IT company Atos. This audit seeks to establish the extent to which the Dutch government is equipped to deal with such risks. The Court of Audit considers this topic to be important because the impact that any failure may have on citizens and businesses can be substantial.
Current status
The ministries and organisations to be audited were formally notified of the audit by the Court of Audit in September 2025. Our auditors are currently carrying out the audit. Publication is planned for December 2026.
Do you want to take part in this audit?
The Court of Audit invites you to share any information you may have that would benefit our investigation. We appreciate all contributions, knowledge and experience you may care to share with us on this topic. Simply send an email to bijdrage@rekenkamer.nl.
We read all emails carefully and treat them in confidence. However, we are not able to reply to every contribution we receive.