The Netherlands' own privacy regulator has been swept up in the wave of attacks against Ivanti's edge software. The Dutch Data Protection Authority (AP) confirmed it was among the organizations hit when attackers raced to exploit recent Ivanti Endpoint Manager Mobile (EPMM) flaws as zero-days, leading to a data breach.

In a letter to parliament, justice secretary Arno Rutte and kingdom-relations secretary Eddie van Marum said the January 29 attack affected employees of both the AP and the Council for the Judiciary (RVDR). Attackers may have accessed personal data including names, business email addresses, and phone numbers; ministers did not give figures but said affected individuals were notified directly.

The vulnerabilities in question, CVE-2026-1281 and CVE-2026-1340, prompted CISA to add the 9.8-rated CVE-2026-1281 to its Known Exploited Vulnerabilities list shortly after disclosure. Ivanti initially described exploitation as affecting “a very limited number” of customers, though outside observers suggested the activity was more widespread. The Dutch cyber agency NCSC-NL and the office of the CIO are assessing broader government risk.

Security experts stress that patching alone may not be enough. The UK's NHS warned that EPMM appliances are internet-facing by design and therefore prime targets, while watchTowr CEO Benjamin Harris advised that any organization which exposed a vulnerable instance at disclosure should treat it as compromised, tear down the infrastructure, and run incident response.