On March 19, 2026, the Dutch Ministry of Finance confirmed unauthorized access to policy department ICT systems, detected via third-party notification rather than internal controls — a detection gap consistent with CWE-778 (Insufficient Logging). Tax, customs, and subsidy systems serving approximately 9.5 million citizens are unaffected; data exfiltration has not been confirmed or ruled out and attribution remains unknown. Organizations with data-sharing or network interconnects with Dutch government ministries should audit those connections for anomalous activity, review authentication and logging completeness on policy-adjacent systems, and assess privacy notification obligations under applicable regulation.