
2024: ACTIVITY REPORT OF THE CYBER SECURITY COALITION


Leading with Security Excellence

The evolving role of a CISO

As businesses grapple with the mounting cyber threat landscape, the CISO function has evolved beyond its traditional scope, and demands a clear redefinition. What do the tasks of a Chief Information Security Officer entail? And how can a CISO best tackle the challenges while adapting to their new responsibilities? Danny Moerenhout welcomes Rik Bobbaers (Tech CISO ING Global) and Philippe Michiels (CISO Cegeka Group) to our podcast.

Rik Bobbaers

Tech CISO ING Global

Philippe Michiels

CISO Cegeka Group

The CISO of tomorrow, facing changes

The number of computer hacks increases significantly and steadily every year. According to a report published by Check Point Software Technologies, a global provider of security services, Belgian companies suffered on average more than 1,090 cyberattacks per week in the second quarter of 2024 - an increase of 31% compared to the second quarter of 2023. How does this impact the job of a CISO? Xavier Neerdaels (CISO BNP Paribas Fortis) and Xavier Paulus (CISO Solvay) share their views in a podcast interview with Alexandre Pluvinage.

Xavier Neerdaels

CISO BNP Paribas Fortis

Xavier Paulus

CISO Solvay

“The students truly become experts”

The further development of the cybersecurity sector hinges more than ever on the establishment and sharing of solid knowledge. Through its Executive Master in IT Risk and Cybersecurity programme, Antwerp Management School (AMS) seeks to contribute to this goal. Yuri Bobbert, professor of information systems management and Programme lead for the course, explains why knowledge sharing is so essential for them.

Yuri Bobbert

Professor of information systems management and Programme lead at Antwerp Management School

“Today’s cyber security leaders can’t limit themselves to the role of enforcer. First and foremost, they need to focus on building a resilient organisational structure and culture,” opens Yuri Bobbert. In practice, this underscores a growing need for soft and managerial skills among leaders in the IT world. “Fostering resilience among all members of an organisation requires paying attention to the human element and responding to it successfully.”

Focus on soft skills

“This is precisely why our programme focuses on these soft skills,” he continues. “While purely technical skills are central to more tech-oriented programmes, they are less of a focus for us. We have maintained a strong focus on governance and leadership: areas in which we, as a management school, have a distinct expertise. We also serve a lot of very technical-oriented managers that acknowledge they need to develop their soft skills like convincing, persuasion, negotiating, and presenting.”

The Executive Master in IT Risk and Cybersecurity programme, a specialisation within the Executive IT Management programme, is open to candidates with a Bachelor’s or Master’s degree plus five years of relevant experience. It therefore attracts IT professionals in leadership positions. “For example, IT managers from major players in the Antwerp port area, financial industry and petrochemical cluster, as well as consultants or people who approach the topic from an HR or financial perspective,” Yuri explains.

Students who follow our track typically gain skills and capabilities for building a solid cybersecurity investment case and developing a roadmap with the right resources like people and money. They learn to define governance structures to manage and maintain an effective security organisation. To understand risk management practices, students learn how to quantify risks and develop cost-effective programmes. Next to these skills they learn how to negotiate, manage incidents, and inspire their teams with the right leadership.

Knowledge sharing as a central goal

The Master’s programme culminates in a research project. “The students dive deeply into a specific risk or security topic and truly become experts. The knowledge and insights generated over the years are made maximally accessible to the public by AMS. To maximise the impact of the research, we allow our top students to present their findings at sector meetings across Europe and make the theses, about 40 annually, publicly available afterward. This demonstrates that knowledge sharing and valorisation are central to us.”

A concrete example of such a project is an extensive glossary that a student compiled last year as his graduation project. “This is essentially an atlas of all existing concepts within cybersecurity. For cyber professionals, it provides a chance to understand how the current world is structured. Once again, this shows how we aim to advance the field,” says Yuri.

The two-year Executive Master’s programme has already produced around 100 alumni. “Each contributes to strengthening the cybersecurity landscape,” Yuri continues. “Accordingly, membership of the Cyber Security Coalition is highly valuable for the AMS. It allowed us to connect with a significant portion of our target audience for this programme. Finally, as a member, we can better understand what everyone else is doing and the issues they face, and sow the seeds for new collaborations,” Bobbert concludes.

The Evolving Role of the CISO: Insights from Cybersec Europe 2024

At the end of May, Cybersec Europe 2024 drew cyber enthusiasts and professionals to Brussels Expo, providing a platform for seasoned cyber security experts and innovative start-ups to share insights and address collective challenges. Among the 300 exhibitors, the SAI, ECSO, the Belgian Cyber Security Coalition, ISACA Belgium & Agoria hosted a panel discussion and Q&A session focused on the evolving challenges for future Chief Information Security Officers.

The panel consisted of Bjorn R. Watne, Senior Vice President and Chief Security Officer of Telenor; Joanna Świątkowska, ECSO Deputy Secretary General; and Miguel De Bruycker, Managing Director General of the Centre for Cybersecurity Belgium. Marc Vael, President of SAI vzw, moderated the conversation.

The discussion explored various themes, emphasising the evolving skill set required for modern CISOs, the impact of AI and quantum computing, and the importance of regulatory frameworks. 

Evolving skill set for CISOs 

The role of the CISO is expanding beyond traditional risk and incident management, to encompass the entire cyber security supply chain, Joanna Świątkowska stressed. She highlighted the necessity for CISOs to possess both technological expertise and a deep understanding of business needs. Cyber security, she argued, is a team effort requiring diverse expertise and strong collaboration. 

Bjorn Watne concurred, noting that the CISO's role has rapidly evolved. Today, CISOs must be adept in crisis management, disaster recovery, business continuity and proactive cyber security measures. 

Miguel De Bruycker called attention to the importance of adapting to organisational scale and fostering a culture where cyber security concerns flow from IT to management, and vice versa. He also pointed out the value of the EU Cybersecurity Skills Framework for HR departments as a benchmarking tool. 

The role of AI in cyber security 

Delving into the implications of AI in cyber security, Miguel advised caution, noting that AI's effectiveness depends heavily on the quality of input data. While AI can significantly ease cyber security tasks, it also introduces new risks and challenges that must be managed carefully. 

Bjorn discussed the dual nature of AI, as both a potential threat and a powerful tool for enhancing cyber security measures. Joanna viewed AI as a revolutionary technology capable of shifting cyber security efforts from reactive to proactive, particularly by enhancing Cyber Threat Intelligence (CTI). 

Audience members raised concerns about AI security policies, emphasising the need for caution with classified data and the importance of existing rules and ethical standards. The panel agreed that AI's limitations, particularly its lack of explainability, call for careful integration into cyber security strategies. In terms of a specific AI security policy, the room did not have a unanimous opinion. Nonetheless, the existing rules, ethics policies and codes of conduct for access management and classification should also apply to AI. 

Quantum: preparing for the future 

Quantum computing was another hot topic. Some highlighted its immense potential and the significant risks it introduces, particularly due to the reliance on legacy systems. While quantum computing promises revolutionary advancements, many organisations' older libraries and algorithms may not be quantum-proof, posing substantial security threats. 

Other participants took a cautious perspective, noting that while quantum-proof algorithms are in development, their practical implementation is still evolving. They pointed out the importance of robust lifecycle management for all systems, to prevent outdated technologies from becoming critical vulnerabilities. 

The panel and audience agreed that transitioning to quantum-resistant systems requires more than technical solutions; it entails updating system architectures, integrating new hardware, and ensuring all components are quantum-ready. While this is particularly challenging for large organisations with extensive legacy systems, it nonetheless is essential for maintaining cyber security resilience in the quantum era. 

Navigating regulatory landscapes 

The discussion also addressed the complex regulatory landscape, focusing on key regulations including the Cyber Resilience Act (CRA) and NIS-2. Joanna pointed out that while these regulations enhance cyber security, they also pose implementation challenges. Organisations need substantial education campaigns and practical toolboxes to comply effectively.

Miguel discussed ‘regulation fatigue’, where the rapid introduction of new regulations overwhelms organisations. He noted a recent consensus among State representatives to pause the creation of new regulations until the existing ones are fully implemented and understood, to prevent an unmanageable regulatory burden. 

The panel stressed the importance of a balanced approach to regulation: stringent standards are essential, but organisations also need the resources and support to comply without stifling innovation. Continuous education and certification are crucial for keeping up with regulatory requirements, and forums such as Cybersec Europe facilitate the exchange of ideas and best practices. 

Fostering the next generation of cyber security professionals 

Both panel and audience underscored the importance of motivating and supporting the next generation of cyber security professionals. Bjorn emphasised the value of diverse roles within the CISO profession, encouraging young people to explore various aspects of the field to develop both technical and leadership skills. Joanna pointed out the challenges new professionals face (including stress and work/life imbalance), and the need for board support and a transparent vision. 

Joanna was joined by Taco Mulder, CISO FPS Policy & Support (BOSA), who advocated for mentoring programmes such as Women4Cyber and Cyber Wayfinder, noting that such initiatives not only support mentees but also provide valuable learning experiences for mentors.

Conclusion: what makes a good CISO? 

The session concluded with reflections on the qualities that make a good CISO. A sense of humour was suggested as essential, highlighting the intense pressures of the role. Ultimately, the discussion underscored the dynamic and multifaceted nature of the CISO position, as well as the need for continuous learning, adaptability and a collaborative approach to cyber security. 

The panel recommended hosting more events specifically for CEOs to enhance their understanding of the critical role CISOs play in organisations. Increased awareness among top executives can foster better support for cyber security initiatives, ensuring that security concerns are integrated into strategic business decisions. 

Navigating the evolving role of CISOs in a complex threat landscape

The increasing complexity of cyber security requires robust leadership. At the BE-CYBER Experience Sharing Day 2024, five renowned voices with a combined 180 years of leadership experience came together to discuss this critical issue. Centred around the theme ‘Fortifying cyber leadership: Empowering CISOs for resilience and compliance’, they explored the evolving responsibilities of cyber security leaders, and the essential qualities needed to fill these roles.

The panel, which included Sandra Gobert (Executive Director at Guberna), Ronny Depoortere (President at Zetes People-ID Division), Marie-France De Pover (General Manager at KBC Group Compliance), Karine Goris (Chief Security Officer at Belfius) and Dirk Lybaert (Secretary General at Proximus), was moderated by Marc Vael (President at SAI vzw).

One of the most pressing challenges in the ever-evolving cyber security landscape is the search for effective leadership. The increase in cyber threats has dramatically heightened the strategic importance of cyber security. As a result, today’s cyber security leaders must possess an impressive range of diverse skills and qualities.

“Chief Impossible Skillset Officer”

“A CISO must first and foremost be able to convey technical information to the board, a group that does not share the same technical background. It’s difficult but certainly achievable,” said Dirk Lybaert. “A Guberna survey confirms that there are still significant gaps in technical knowledge within most boardrooms. Thus, the crucial task is ‘translation’,” added Sandra Gobert.

Considering the substantial gap between these two worlds, the panellists agreed that communication skills are now fundamental to the CISO role. “Anyone in this position must be able to inspire. This is the only way to ensure security truly becomes embedded in the organisation’s DNA, which is absolutely essential for success,” Ronny Depoortere clarified.

In addition, technical knowledge and communication must be complemented by a deep understanding of how a business operates along the entire value chain. Furthermore, a CISO must be committed to learning, including keeping up to date with the latest innovations and regulatory developments. “When you add in that a CISO must be available 24/7, it’s clear that this is a hell of a job,” Dirk Lybaert remarked. Gobert laughingly agreed: “‘CISO’ today could stand for Chief Impossible Skillset Officer.”

Compliance today and tomorrow

This sentiment reflects the high expectations for cyber security leaders, who must juggle broad responsibilities. As the discussion shifted to compliance, it became clear that regulatory guidance is another key aspect of the CISO role. “The CISO must ensure that the company meets its objectives while conforming with the applicable laws and regulations,” Marie-France De Pover explained. “There is a complex web of requirements, often riddled with contradictions.”

“A company claiming to be ‘fully compliant’ with all regulations is simply not telling the truth,” Dirk Lybaert stated candidly. “Many regulatory initiatives contradict each other.” He stressed that making steady progress in compliance is what grants companies their license to operate. It’s a practical approach that reflects the importance of conformity in ensuring long-term business viability.

At the same time, the panel agreed that compliance should be paired with a robust cyber security culture, grounded in resilience. This culture should extend through every layer of the organisation, ensuring that employees at all levels are ready to respond to incidents. “Incidents will inevitably happen, and everyone in the company needs to be involved in the response,” Ronny Depoortere emphasised.

A crucial element in this process is internal testing - such as simulated phishing emails - to identify vulnerable employees. Those who fall for the tests may require additional attention and training, reinforcing the idea that cyber security is not just a technical issue but a company-wide responsibility.

The panel concluded by stressing the expanding role of the CISO as a leader with deep technical knowledge as well as top skills in communication, compliance and cultivating a cyber security culture. The expectations are vast, but as the panellists made clear, these multifaceted demands are essential to safeguarding organisations in an increasingly digital and threat-filled world.

Cyber Threat Intelligence

"AI helps us to detect suspicious transactions faster"

Payment companies are a popular target for cybercriminals. To better protect itself against these attacks, Mastercard announced the intent to acquire the threat intelligence company Recorded Future. This way the company aims to detect and address suspicious transactions and security threats more quickly. "Collecting information about cybersecurity is one thing, the trick is to also link the appropriate action to it."

Rigo Van Den Broeck

EVP Cybersecurity Product Innovation of Mastercard

In addition to obtaining data, money remains the biggest driver for cybercriminals. And as their attacks become more sophisticated, the financial sector and companies such as Mastercard are doing everything they can to identify potential threats. "Technology plays into the hands of cybercriminals, because with AI it is easier than ever to carry out attacks," says Rigo Van den Broeck, EVP Cybersecurity Product Innovation of Mastercard. The rise of AI-driven phishing is particularly worrying. "After all, criminals know all too well that people are the weakest link in an organisation and with AI they can now also write convincing, truthful emails." 

Turning intel into action 

To gain a better understanding of the behaviour of criminals, their tactics and the vulnerabilities they exploit, Mastercard announced its intent to acquire the threat intelligence company Recorded Future. "This company excels in collecting and analysing threat intelligence and translating it into actionable insights," explains Rigo Van den Broeck. According to Van den Broeck, that is exactly where many companies fall short. "Collecting data is only the first step, but it's about what you do with that information."  

Mastercard links that information to certain fraud cases. "It is precisely by making these connections that we can set priorities and take more targeted action within our security policy." In doing so, the company is also taking a close look at its entire supply chain. "After all, criminals are increasingly targeting suppliers. We therefore advise organisations not only to take a critical look at themselves, but to make a risk analysis of their entire ecosystem. Based on that analysis, it can then be decided which investments need to be made." 

AI as an ally 

In doing so, organisations should also take a look at what AI can do for them. "In any case, the technology helps us to detect suspicious transactions faster. The downside, however, is that criminals also have access to it and use it to set up new attacks."  

Despite this evolution, Van den Broeck mainly sees the advantages of AI. "I sincerely believe that thanks to AI, we can stay one step ahead of criminals, even though there are also attacks that cannot be detected yet." Fortunately, these attacks are the exception rather than the rule, and the number of criminals who have the knowledge to set them up is also limited. "Logically, most stick to the more classic phishing and ransomware attacks. However, where large companies have extensive resources and expertise to defend themselves against this, smaller companies are much weaker." 

To close that gap, Van den Broeck argues for more cooperation, such as that offered by the Cyber Security Coalition. "By sharing knowledge and resources, we can also make every organisation more resilient. After all, no one can be completely cyber secure on their own," he emphasises.

In addition, a collective approach helps to get a better grip on the enormous amounts of data that come to organisations. "And if we only keep data to ourselves, we are playing into the hands of criminals, while we need to make our AI models more powerful. If used wisely, I see technology more as an ally that can make an entire organisation stronger." 

“We are continuously exchanging information to respond to new threats”

Modern warfare is increasingly taking place in cyber space, and attacks can have as significant an impact as physical conflicts. Monitoring all cyber threats is a task for the Cyber Command, the fifth component of the Belgian Defence. “Attacks and techniques are becoming increasingly sophisticated. Using cyber threat intelligence, we can map out tomorrow’s threats today,” states Major General Michel Van Strythem.

Michel Van Strythem

Major General Belgian Cyber Command

No sector - whether financial, manufacturing or governmental - is immune to the growing threat of hackers. Cyber threat intelligence (the process of collecting and analysing information about current and potential cyber attacks) is helping the Belgian Defence to respond more quickly to cyber threats. "The task is not getting any easier, because the techniques used against us are more advanced every day," says Major General Michel Van Strythem, who leads the Cyber Command. 

A complex threat landscape  

The most visible incidents are DDoS attacks, which can temporarily shut down websites. Last autumn, several Belgian municipalities fell victim to this type of attack. “Because many local authorities use the same hosting partner, the servers became overloaded and their websites were inaccessible for a while.” Although the impact of these attacks was relatively limited, they still stirred up emotions. “And that is what some criminal groups are after. They want to incite fear and create a breeding ground for anti-Western feelings.” 

Other threats also require attention. “Next to ransomware, phishing attacks and cyber intrusions with data exfiltration, a fourth major threat is coming our way: the abuse of our own infrastructure to carry out attacks on third countries,” Van Strythem continues. Such attacks can significantly undermine allied interests. “But they are very difficult to detect, especially in an increasingly complex landscape with ever-more advanced techniques. We have long since passed the point where traditional security measures could protect us.” 

The Major General emphasises the importance of vigilance and cooperation in the fight against cyber threats. “We work closely with the academic world and the technology industry to strengthen our resilience. We continuously exchange information with European colleagues and with national authorities, such as the Centre for Cybersecurity Belgium and other partners. This allows us to respond more quickly to new developments and threats.” 

Stronger through collaboration 

By working together, Defence also aims to stay one step ahead in assessing future threats. “We make predictions based on hypotheses and by drawing out possible consequences. This analytical work is performed by a team, based on our own knowledge, public information, and input from our partners.” It’s an approach that has delivered results for Defence. “To name one, we exposed a network infrastructure that was being abused to launch attacks. After this discovery, we took action with the security services to better shield the network. In this way, we were able to avert an attack.” 

This example illustrates the intense battle to stop cyber criminals. “The fight is certainly not getting any easier,” says Major General Van Strythem. “We are receiving an increasing volume of data and with everything being interconnected, we must take account of a growing number of variables. Artificial intelligence can be a valuable ally, but there as well it is crucial to share experiences via joint platforms. That is where the future lies, and as a country we will not shirk our responsibility.”

"Speed is of the essence in incident response"

In today’s rapidly evolving threat landscape, effective management of cyber incidents has become an indispensable part of any cyber security strategy. Jean-Luc Peeters, head of the Cyber Emergency Response Team (CERT.be), sheds light on the key challenges and trends shaping incident detection and response.

Jean-Luc Peeters

Head of the Cyber Emergency Response Team (CERT.be)

In 2013, a large-scale hacking incident targeting the Belgacom network directly led to the creation of the Belgian Cyber Security Coalition. Since then, the complexity of cyber incidents has grown, driving rapid advancements in detection and response technologies.

“The window of time between unauthorised system access and harmful impact has shrunk alarmingly,” says Jean-Luc Peeters. “What used to take weeks or months now happens in mere days, or even less. Speed is of the essence in incident response: the faster, the better.”

Technology is a necessity in a complex reality

Advanced tools are therefore no longer optional, Peeters explains. “These technologies allow organisations to respond more efficiently by automating routine tasks. For instance, manual review of endless log files has become a thing of the past. Continuous monitoring remains the backbone of a strong incident response strategy. Fortunately, out of the hundreds of incidents organisations face, only a few escalate to catastrophic levels.”

However, over-reliance on technology poses its own risks. “Blind trust in tools can be dangerous, and experts are indispensable. We’ve seen expensive tools fail because they were poorly implemented,” he warns.

Other new challenges he highlights include vendor lock-in and security vulnerabilities caused by integration issues. “Furthermore, as multi-cloud environments become the norm, often coupled with microservices, proper management becomes even more complex. Hence, a security by default approach should be the goal of all actors. Achieving this would be a major step forward in safeguarding data security,” Peeters adds.

Purple Teaming: bridging skills and strategies

The growing complexity of cyber threats calls for careful consideration of team expertise, Peeters notes. “For instance, network security, application security and digital forensics are now distinct fields. Purple teaming, which integrates offensive and defensive teams, is therefore essential. This approach not only enhances response capabilities but also equips operational teams to close vulnerabilities. Most importantly, it drives organisational growth.”

An effective team operates like a well-oiled project team during an incident. “Clear communication lines, designated key personnel, and precise coordination are essential. Without these, leadership risks being inundated with questions, slowing the process and causing overload, often compounded by exhaustion,” Jean-Luc Peeters of CERT.be concludes.

Sharing threat intelligence: a critical power in fighting cyber crime

At our annual BE-CYBER Experience Sharing event, the Cyber Security Coalition gathered five leading voices for a panel discussion on the question: to share or not to share threat intelligence? This sparked a compelling conversation on the benefits and challenges of stricter regulations aimed at strengthening information sharing, the crucial role of human relationships now and in the future, and Europe’s position as the strictest enforcer. “Throughout this debate, it’s crucial to keep the true purpose of these actions at the forefront.”

The panel, consisting of Miguel De Bruycker (Managing Director General at the Centre for Cybersecurity Belgium), Bart Asnot (National Security Officer at Microsoft Belgium), Ilias Chantzos (Global Privacy Officer and Head of EMEA Government Affairs at Broadcom Inc.), Alex Vandurme (Head of NATO Cyber Security Centre Cyber Hygiene Branch) and Bart Preneel (Professor in KU Leuven’s COSIC research group), was moderated by Sujin Chan Allen (General Counsel at NATO’s NCI Agency).

In a world where a cyberattack occurs every 39 seconds, threat intelligence sharing has never been more urgent. At its core, threat intelligence revolves around one critical question: how can we ensure optimal sharing of cyber threat information and data between all involved stakeholders? “This has been an issue for more than 25 years,” explained Ilias Chantzos, underscoring not only the importance of this process for the industry, but also its role as a driver of progress. “We must share intelligence as effectively as possible, because the ‘dark side’ is continually doing so - and advancing because of it,” added Bart Preneel.

“Trust and transparency are fundamental: people need to know you and understand what you do. That’s why, in a sector that operates primarily online, in-person connections - for example, through networking events and gatherings - are more important than ever,” continued Miguel De Bruycker. However, he added that in the realm of threat intelligence sharing, you must accept that those providing information will never disclose everything they know.

Bart Asnot agreed: “The human element is fundamental. We need to learn to understand each other’s language, and together determine how to navigate the existing context and regulations.”

Regulation and complexity go hand in hand

As the panellists pointed out, while regulations are crucial for setting standards, they also add complexity, especially for smaller businesses. So, how can the right balance be achieved? “One could argue that every new regulation or legislation, whether it’s the GDPR or NIS2, is an attempt to formalise the process of information sharing,” Ilias Chantzos pointed out. “The result is that the organisation’s legal team is now often putting the brakes on information sharing, while technical teams like engineers are eager to share more.”

The downside of increasingly strict laws and initiatives around information-sharing requirements is slower progress in cyber security. “For a small-business-focused country like Belgium, compliance with these laws is an even greater challenge,” noted Bart Asnot. “Moreover, increased obligations undermine a core advantage of the digital world - the ease of cross-border collaboration - often without fully revealing one’s identity. So is it desirable or feasible to completely reverse this logic?” Bart Preneel responded.

The greater good

This tension resonated with the other panellists. “In my experience, sometimes you simply have to dare to share data, even if not required by regulations. It’s a matter of give and take, where we must always keep the greater good in mind. Ultimately, it’s about risk management,” Alex Vandurme added, highlighting the growing complexity surrounding information sharing. “Technological innovations, including those from academia, can be a great help here.” “Take encryption, for example - it ensures confidentiality while enabling information sharing without exposing critical data, thanks to advanced encrypted computing techniques,” Bart Preneel chimed in.

A further complication is Europe’s position as the strictest regulator - a well-known reality that clearly affects businesses. “In this whole debate, it’s crucial to keep the true purpose of these actions at the forefront. We can encrypt and secure data all we want, but the real question is what we ultimately aim to do with it,” concluded Ilias Chantzos.

Adapting to a Stronger Cyber Security Framework

“The Cyber Solidarity Act is an engagement to fight cybercrime together”

Over the past 10 years, the EU has put in place a legal framework with the purpose of achieving a higher level of cyber security. The implementation is ongoing and will culminate in the Cyber Solidarity Act. This new piece of legislation, approved by the European Council in December 2024, aims to improve the preparedness, detection and response to cyber security incidents across the EU. It is accompanied by an investment budget of 100 million euro.

Christiane Kirketerp de Viron

Acting Director for Digital Society, Trust & Cybersecurity at the European Commission

Europe’s legislative efforts have been setting the example since the NIS1 entered into force in 2016, as the first EU-wide cyber security legislation. Christiane Kirketerp de Viron, Acting Director for Digital Society, Trust & Cybersecurity at the European Commission, explains, “Our internal market is intrinsically connected. This implies that the weakest link can pose a risk for the whole market. Therefore, we needed to agree on what a good level of cyber security entails and how to achieve it.”

The regulatory efforts have yielded noticeable results. “The NIS1 has led to most critical entities adopting risk management procedures and other measures, increasing cyber security maturity. We also see a clear impact in incident reporting. The NIS2 introduced Boardroom responsibility, prompting C-suite level interest. As a result, the demand for training is on the rise.”

Because the threat landscape and risks continue to evolve at a rapid pace, the EU has taken multiple legislative initiatives to better protect critical infrastructure, businesses, public institutions and citizens. “The Cyber Resilience Act, for instance, is a legal framework published at the end of 2024 that focuses on product security. Everyone agreed that security was not at the heart of product development and innovation, which instead focussed mostly on speed and getting to the market as quickly as possible. Now the cyber security requirements for both hardware and software are clear, imposing security by design, after-sales patching and a lifecycle approach, to name a few,” Kirketerp de Viron states.

Keeping up with and complying with new regulations is a tough job for SMEs and other smaller organisations. “There is a lot of good will among SMEs, who acknowledge they need to do better to protect their businesses. This is the reason we have foreseen transition periods to comply with new rules, and why we insist on standardisation. The latter plays an extremely important role in making things simpler and more straightforward for companies. So, my advice is: use the standards and take advantage of all the tools the Member States have put in place for SMEs - with financial help from the EU.”

The final piece of legislation that is currently being rolled out, the Cyber Solidarity Act, is meant to better protect the EU as a whole in times of very sophisticated attacks. “We want to improve the detection, analysis and response to cyber threats. To deal with this in an efficient way, we need to work together. That is why the Cyber Solidarity Act includes a proposal for a European alert system, composed of national and cross-border Security Operations Centres and the use of advanced technologies such as AI to identify threats faster and better. Furthermore, we want to enhance our preparedness for and response to cyberattacks. And we have foreseen a mechanism of mutual support when a Member State is affected by an incident,” Kirketerp de Viron concludes.

“The challenge remains to convince SMEs to invest in cyber security”

For more than 10 years, the FPS Economy has been taking initiatives to raise awareness among companies and independent professionals about cyber security. Due to widespread cyber attacks and the increase in European regulations, this mission remains highly relevant. “In close collaboration with the Belgian ecosystem, we will continue to focus on raising awareness among SMEs and the self-employed.”

Séverine Waterbley

President of the FPS Economy

Séverine Waterbley is President of the FPS Economy and a Cyber Security Coalition board member. Her many contacts give her a solid perspective of the evolution in cyber security awareness in our economy: “It is clear that our companies are much more aware of the risks than 10 years ago. But with more than 100 incidents reported every day, we must continue to convince self-employed people and SMEs to better prepare.” 

Recovery plan: 13 projects, €12 million  

The FPS Economy has therefore launched the website mijnzaakcyberveilig.be / mapmecybersecurisee.be, with an online QuickScan for SMEs that helps them identify the first steps they can take in cyber security. For personalised advice to further improve their cyber security, they can turn to the CyberScan. “More than 600 self-employed people and SMEs with fewer than 50 employees have already carried out the CyberScan,” says Waterbley.  

“In addition, as part of the post-COVID recovery plan, we have invested 12 million euros in 13 projects that contribute to increasing the cyber security maturity of our SMEs.” The selected projects include a training programme from the NSZ/SNI and Safeshops.be on webshop cyber security, a programme for Brussels-based SMEs from CyberWayFinder, and a basic cyber security training for contractors developed by the federation FABA/FEGC. 

Standardised approach for SMEs 

European directives, such as the NIS2, CRA and CSA, are imposing a growing number of rules, with the aim of increasing our economy’s cyber security. “We need to give the private sector the necessary time to implement it all. It’s critical that they develop strategies and cyber security action plans now. Sometimes it seems a bit far-fetched for SMEs, but if they act as a supplier to a larger organisation that is subject to certification and audit under NIS2, they will be confronted with these rules too.” 

Introducing a standardised approach will therefore also prove useful and necessary for smaller companies. Waterbley: “For public institutions and large companies, ISO-27001 has become the standard. However, this approach can be difficult to achieve for smaller organisations. To address this, they can call on a service provider to help them, or set up the necessary measures themselves via the CyberFundamentals Toolbox from Safeonweb@work.” 

She shares this message annually at numerous congresses and conferences that specifically target the self-employed and SMEs. “This group has little time, so you have to address them specifically, and show them that they must not only invest in protection, but also in a recovery plan in case they are affected.”

She concludes, “In the coming years, we will focus our awareness campaign more on specific sectors, such as construction, energy and pharmaceuticals. The Cyber Security Coalition can play an important role in this, with its broad network and the practical expertise at its disposal.”

Transforming cyber security: the impact of the NIS2 and CRA on Belgian businesses

The European Union’s Network and Information Security Directive (NIS2) and Cyber Resilience Act (CRA) represent transformative steps in cyber security governance, setting ambitious standards for organisations across the continent. For Belgian businesses, these regulations offer a dual-edged reality: while the path to compliance is complex and resource-intensive, there are long-term benefits in improved resilience, trust and competitiveness.

Noëmie Honoré

Global Cybersecurity Lead Belgium and Luxembourg at Wavestone

The NIS2, implemented into Belgian law on 18 October 2024, aims to strengthen cyber security across essential sectors. Its scope extends far beyond the NIS1, encompassing industries including energy, healthcare and transport as well as public administrations and smaller organisations critical to maintaining societal functions.

“Businesses fall into two compliance categories: important or essential. Each tier mandates specific rules,” Noëmie Honoré, Global Cybersecurity Lead Belgium and Luxembourg at Wavestone, explains. “To achieve NIS2 compliance, Belgian organisations can align their cyber security practices with the globally recognised ISO27001 standard, or adopt the CyFun framework designed by the Centre for Cybersecurity Belgium, which offers a tiered security maturity system.”

The CRA, on the other hand, addresses a critical gap in the cyber security ecosystem: the security of digital products. “Covering hardware, software and their supporting components, CRA ensures that products meet stringent cyber security standards throughout their lifecycle. The regulation introduces distinct responsibilities for manufacturers, importers and distributors, emphasising product security, vulnerability management and the provision of clear user documentation,” Honoré adds. The regulation was approved in 2024 by the European Parliament, and is directly applicable in all member states. Businesses have until 2026 to achieve compliance.

Navigating compliance challenges

For Belgian businesses, these regulations come with significant challenges. The overlapping demands of the NIS2, CRA and other frameworks, such as the Digital Operational Resilience Act (DORA) and the AI Act, create a complex compliance landscape.

“Determining whether an organisation qualifies as ‘important’ or ‘essential’ under the NIS2, or differentiating between ‘critical’ and ‘non-critical’ products under the CRA, requires careful analysis. Additionally, the evolving cyber threat landscape, marked by ransomware, supply chain vulnerabilities and advanced and persistent threats, complicates compliance efforts. Limited expertise and resources, particularly for small and medium-sized enterprises, further exacerbate these difficulties.”

Despite these challenges, the potential benefits of compliance are substantial. Honoré explains, “It’s an opportunity for businesses to embed cyber security into their DNA. By aligning with these standards, organisations enhance their resilience but also build trust with stakeholders and gain a competitive edge in a market increasingly aware of digital security issues.” The CRA’s focus on product security offers manufacturers a chance to address vulnerabilities proactively, boosting market credibility. Meanwhile, the NIS2’s emphasis on broader organisational security is reducing the likelihood and impact of attacks in Belgium.

Approach and collaboration

To navigate this regulatory shift, Belgian businesses should take a structured approach. “Conducting comprehensive assessments of current cyber security practices, identifying gaps, and developing targeted action plans are crucial first steps. Enhancing cyber security maturity, strengthening supply chain security, and embedding incident response protocols into organisational processes will ensure readiness. Equally important is fostering a culture of cyber security awareness through continuous training and communication,” Honoré explains.

Collaboration will play a pivotal role in this transition. “By engaging with industry associations, government bodies such as the CCB and cyber security experts, the Cyber Security Coalition can access valuable insights and guide the Belgian organisations in their cyber compliance journeys. Progress is the main goal. These regulations should not be seen as mere checklists, but as tools to build a stronger, more secure digital ecosystem for everyone,” Noëmie Honoré concludes.

The NIS2 and CRA regulations mark a turning point for Belgian businesses, urging them to re-evaluate their cyber security strategies and adapt to a rapidly evolving landscape. Though the road to compliance may be demanding, the rewards - from enhanced operational resilience to increased stakeholder trust - promise a safer and more prosperous digital future.

Will certification lead to more cyber security maturity?

The European Commission’s Cyber Resilience Act, which imposes cyber security requirements for products and services, aims to strengthen the security of hardware and software. Other certification frameworks, such as NIS2, introduce additional rules and requirements. During the BE-CYBER Experience Sharing Day 2024, an expert panel reviewed these evolutions, and took on the question: ‘Will certification drive greater cyber security maturity?’

The panel, which consisted of Christiane Kirketerp de Viron (Acting Director for Digital Society, Trust & Cybersecurity at the European Commission), Johan Klykens (Director of the Certification Authority for CCB), Steve Purser (an independent cyber security consultant), Marc Vauclair (technology manager at NXP Semiconductors) and Sebastien Deleersnyder (CTO of Toreon), was moderated by Liliana Musetan (Head of Unit at the Council of the European Union).

Christiane Kirketerp de Viron explained why the EU is at the forefront of cyber security regulations: “The fundamental logic should be that the software we buy and use - whether for government offices or businesses - is secure by design. However, the current market seems to be focused more on innovation and the rapid launch of new products and services than on cyber security. The goal of the NIS2 is thus to safeguard critical entities and their supply chains, while the Cyber Resilience Act (CRA) aims to stimulate and facilitate self-assessment within the industry.”

Good regulation, smart implementation

While these new regulations serve a higher purpose, the devil remains in the details. “New rules should be well-tailored and smartly implemented,” Johan Klykens remarked. “Europe has a very good model and the CRA certification scheme is straightforward. Hopefully it grows into a global system, because the more countries that adopt it, the more efficient it will become for everyone involved.”

At NXP Semiconductors, Marc Vauclair and his colleagues have been preparing for some time for the new CRA requirements. “Within our technology groups, we look ahead and have already been working for some time to comply with the CRA. As providers of chips to our customers, the need is to ensure that the hardware remains upgradeable in the field. This has a big impact on our product development. Ultimately, we are creating the building blocks for better cyber resilience.”

Compliance and risk management are intertwined

The panellists also discussed how to convince companies to comply with new cyber security regulations. “They need to understand what the legislation means for them specifically. Compliance is important, but they should also be looking at risk management,” according to Steve Purser. “That means cyber security experts have to be able to speak directly to the board, so the latter can support management decision-making and accelerate awareness throughout the organisation.”

A security culture is a key success factor. Sebastien Deleersnyder explained, “We’re seeing many new rules for organisations, and security-by-design is definitely the way forward for CRA compliance. This requires implementing a secure development lifecycle, from inception. Train developers on security coding and how to operate the systems safely in the field. If the DevOps team has a security mindset, you will succeed.”

Certification thus enhances cyber security but is not enough on its own: awareness remains critical. “We have been telling our people this for 20 years,” Marc Vauclair stated. “Our training programmes have been tailored to all the different roles in the company.” Sebastien Deleersnyder added: “We bring people together in ‘workshop mode’ to look into technical security vulnerabilities, but also at doomsday scenarios for our customers’ businesses. This can be an eye-opener for developers who hadn’t fully grasped the impact of what they were doing. After doing this, they really start to bother.”

Forensics and Law Enforcement

“Make sure you file a complaint so we can investigate each incident”

The Belgian police services operate at multiple levels to tackle cyber crime. Commissioner Caroline Frère, who heads the Federal Computer Crime Unit (FCCU) and also represents our country internationally, explains: “We are constantly recruiting to further expand our investigative capacity and bring on board additional expertise.”

Caroline Frère

Head of the Federal Computer Crime Unit (FCCU)

Since 2001, the Federal Judicial Police has maintained a specialised section dedicated to serious online crime. The FCCU focuses on investigating attacks on critical infrastructure, organised international ICT crime and other cyber threats. “We work closely with the federal prosecutor and policy makers. And for ‘alpha cases’, where cyber criminals are testing a new modus operandi, we look into which investigation method is most appropriate,” Caroline Frère explains. 

In addition to the federal investigators, each judicial district has a Regional Computer Crime Unit (RCCU), which is also part of the Federal Police. “These colleagues focus mainly on hacking and ransomware at companies, in close cooperation with the local public prosecutors. We work hand-in-hand with the regional investigators. In principle, the investigation starts after a complaint is made to the local police. It is investigated by the RCCU; if it concerns a more widespread phenomenon, the FCCU will coordinate the investigation.” 

One major achievement has been the creation of a Quick Reaction Force (QRF) in 2019: a pool of regional and federal experts who can be deployed on an ad hoc basis. “In cases such as the wave of attacks on hospitals including CHWAPI and Vivalia, the RCCUs may not have sufficient personnel to investigate quickly enough. Then, the QRF can provide support on the ground in terms of analytical capacity, technical expertise and coordination.” 

Collecting traces and data is crucial 

Frère notes that companies often hesitate to file a complaint: “Understandably, this is not their first reflex. People are mainly concerned with getting their activities up and running again, and recovering as much data as possible. Some fear our actions will delay the reboot. But this is not the case: we do not seize servers and we work closely with incident response companies. Our goal is to collect the right traces, so that we have the data needed for further investigations. This is also very relevant for policy makers: what is not mentioned in the statistics, does not exist!” 

To ensure that the right information is collected for each report, the Federal Police has developed the CyberAid tool for the first-line police services. “Whether someone makes a report at the front desk of a police station or an officer documents a complaint during an intervention, we now have a structured method. We provide a manual and flowchart, as well as a form for the victims indicating what elements they need to collect to enable the investigation.” 

Because cyber crime is a significant cross-border phenomenon, the FCCU is in close contact with Europol and the Joint Cybercrime Action Taskforce (J-CAT), an international platform for exchanging information with countries inside and outside the EU. “We bring our intelligence to the table and receive relevant information from other countries, such as ransomware trends or impending attacks,” Frère explains. “We also participate in joint investigations. Last year, for example, Operation Magnus led to two data theft programmes being taken offline. A collaboration between the Belgian Federal Police, the Dutch police and the US FBI, it offers further proof that we are indeed achieving successes in the fight against organised cyber crime.” 

“Research leads to results: cyber criminals are being convicted every week”

The Belgian law on computer crime is almost 25 years old. In that time, cybercrime has grown exponentially and changed drastically. In response, the police and the Justice department have stepped up the fight. Investigating judge Philippe Van Linthout is an expert in cybercrime. He observes that more cooperation is needed, especially internationally, to catch the perpetrators of cyberattacks.

Philippe Van Linthout

Investigating Judge at the Federal Justice Department

Belgium’s original computer crime law dates from 2001. At that time, Belgium was one of the first countries to implement the European Convention on Cybercrime. In 2015, on the initiative of Minister of Justice Koen Geens, the cyber legislation was rewritten. Philippe Van Linthout contributed to the drafting. “The law itself remains solid, but requires updating. We are being confronted by new online phenomena that cannot immediately be classified into an existing legislative box: banking, crypto and telecom claims, or claims based on the economic law code. That makes it difficult for us to draw up a good claim.”

It's worthwhile to file a complaint 

Another challenge for the Justice Department is that too much remains hidden beneath the surface. “People sometimes report a fact to the Centre for Cybersecurity Belgium or to the FPS Economy, but a report is not an official complaint,” says Van Linthout. “We must therefore convince victims that it is worthwhile to file a formal complaint. In our Mechelen-Antwerp district, for example, there are judgments every week on bank card fraud. And if we are quick enough, we can sometimes recover money in the crypto world.” 

The investigating judge is all too aware, however, that this is just the tip of the iceberg. “Perpetrators usually spend their profits very quickly, or the loot is immediately transferred to tax havens. We must be able to penetrate deeper and tackle the organisations behind all these cyber phenomena.”

International cooperation and instruments such as the European search warrant have made it possible to track down international gangs. However, things can still be improved, notes Van Linthout: “A new European regulation should make it possible for me, as an investigating judge, to request information directly in other EU countries. Because the slowness of the administrative mill unfortunately often means that we are struggling to keep pace. For example, we are a popular target for Dutch cybercriminals. But the Netherlands is unable to meet our information requests, as our files are not a top priority for the police and judiciary there.” 

Justice needs tech profiles 

Over the past 25 years, Belgium has invested in capacity and expertise to detect and prosecute cybercrime. These efforts must continue unabated. “To give a simple example, as an investigating judge I am allowed to hack a computer or a mobile phone. But am I able to? We need the help of tech profiles if we want to keep up with developments. Recruiting additional competencies remains urgent,” says Van Linthout. “And we must certainly tap into the knowledge of Belgian researchers. Our country is top in cryptography; why can't we use that expertise more in our field?” 

The delicate balance with privacy 

There is also the delicate balance between privacy and cybercrime investigation. “The right to privacy is important, but it must be proportionate. We cannot build a file without data. Belgian legislation works to our disadvantage there. The 12-month retention period for terrorism crimes and 9 months for most other serious crimes is very short, while the limitation period for criminal offenses is much longer. So much evidence is thrown away, à charge and à décharge. I hear privacy lobbyists proclaim that the government is becoming too invasive in private life. But no one has a problem sharing their data online with giants like Google. If we want to tackle (cyber)crime, we must be able to access victims' data so that we can solve cases.” 

Finally, Van Linthout makes a passionate plea to increase awareness: “I am still amazed every day by the files that we receive and the amounts involved. We must make the population fully aware of the risks and prevent them from falling into the trap of phishing and hackers. Organisations such as the Cyber Security Coalition are doing a good job in this area, but we must scale up those efforts even further. After all, prevention yields the greatest benefits for all parties involved.” 

Unlocking The Future of Legal Defence in Cyberspace

What are the legal defences in cyberspace in the face of often invisible attacks? And what is the framework for the future of legal defence? These inquiries were at the forefront of the event “Unlocking the Future of Cyber Defence in Cyberspace”, delving into the pivotal realm of cyber law and its role in combatting cybercrime.

David Hickton

Founding Director of the Institute for Cyber Law, Policy, and Security, University of Pittsburgh

Mr. David Hickton, Founding Director of the Institute for Cyber Law, Policy, and Security, University of Pittsburgh, delivered a keynote during this Coalition event, which brought together an eclectic mix of stakeholders. Joining him in a panel discussion were Mrs. Catherine Van de Heyning, public prosecutor, Mrs. Caroline Frère (FCCU), litigation lawyer Mr. Thomas Declerck (A&O Shearman LLP) and assistant professor and researcher Mrs. Laura Drechsler (CITIP KU Leuven). This article wraps up the key takeaways from the panel discussion.

An ever-growing range of threats

Risks and attacks increase every year. In Belgium, corporate IT security audits reveal that 98% of companies report facing risks, 66% have suffered an attack in the last two years and, of these, 87% have suffered financial damage or loss of reputation due to cyberattacks. All this has consequences for both public and private companies.

There are even fears that a massive cyberattack could trigger a major global crisis on a scale comparable to the COVID pandemic, with devastating consequences, and we are not prepared for such an attack. What makes the situation even more challenging is that more and more objects are connected via the Internet of Things, meaning the risk of exposure to attack multiplies. Also on the rise is the number of criminals with new strategies and technologies: for example, AI now allows voice recordings and images to be generated to create fake videos.

The means to fight: institutions, laws, tools

In the event of such an attack affecting the internet and our systems, responsible governance in both private companies and public institutions means ensuring data integrity, service continuity and confidentiality.

Prevention remains the best defence, starting with the detection of vulnerabilities in systems. But it also means breaking down barriers: opening up a dialogue between public authorities and the business world. The Centre for Cybersecurity Belgium is the national authority responsible for supervising, coordinating and implementing solutions. But, in addition to national initiatives, we need European cooperation, which could take the form of a cyber defence agency.

This applies especially to AI and quantum technologies, because existing laws do not cover the use or consequences of these types of technologies. Above all, technologies evolve rapidly, and much faster than legislation. We need to anticipate, where possible, future technological developments so that an act identified as criminal today will also be criminal in the future.

Proportionate responses to the threat

The perpetrators of cybercrime, whatever form it takes, should go to prison for the damage caused. A theft, whether committed via the internet or in a physical shop, remains a theft and should be punishable. Therefore, it is necessary to gather a lot of evidence to accuse someone of criminal activity and it is important for companies to be able to report threats to authorities on an international level.

This includes ransomware cases. As a rule, companies should not pay the ransom. But if a company chooses to pay, the attack should still be reported. Its contacts must also be informed, so that the company’s business circle can be on guard.

It is worth noting that while we are seeing more and more attacks, cybercriminal networks are also being dismantled more often, certainly because there is no shortage of tools to fight or punish cybercriminals or non-cooperating countries.

Do too many laws kill business?

The question is whether the law stands in the way of economic progress. Companies must now consider a range of legislation. Behind every piece of legislation, there are issues to understand. The purpose is to find the right balance between an overabundance of laws and entrepreneurial freedom. At the same time, the business world (customers, suppliers…) demands more security. Laws are therefore a necessary evil.

Faced with cybercrime that knows no borders, the authorities are fighting it without always having an appropriate and legal response that takes into account the borders and the right to sovereignty of each country.

Furthermore, in an era where companies become more powerful than governments, there is a way to enhance public-private cooperation. Yet there remains reluctance on the part of the private sector to be transparent regarding cyberattacks.

In conclusion

There is no shortage of legal avenues in the fight against cybercrime - the question is how best to navigate them. Clearly, there is currently a lack of resources to effectively investigate and combat all threats and attacks. There is also a challenge in terms of implementing effective prevention in a democracy so that individual rights, such as privacy, are also safeguarded.

“Negotiating with hackers is a profession in itself”

Following a ransomware attack on their computer network, some companies are left with no choice but to negotiate with the criminals to restore their systems or recover their data. Such negotiations, however, require specific expertise. Geert Baudewijns of Secutec is one of the few Belgians who knows his way around this world. In close consultation with affected companies and police services, he tries to close a deal and limit the damage.

Geert Baudewijns

CEO of Secutec

“Customers usually come to us after they have been hacked and it becomes clear that there is no solution via their cyber insurance,” Geert Baudewijns begins. “In an ideal scenario, a company has recent backups and can avoid paying a ransom. But our experience shows that 7 out of 10 victims end up paying for the keys to become operational again. Many feel they have no choice but to negotiate and make a payment in order to quickly resume their activities in full.”

Geert and his teams have led more than 450 negotiations. “Over the years, we have built up a lot of experience. This enables us to quickly assess the seriousness of the case and provide the affected organisation an indication of their options. For most customers, this is already reassuring. A cyber incident can always be solved, but the big question remains what the appropriate solution is…”

Paying cyber criminals remains controversial

Secutec is a Belgian company with 100 employees spread across offices in Europe, Canada and Australia. “As a negotiator for clients worldwide, we establish contact with the hackers and we investigate: what do they expect? Is it realistic? And then we negotiate how a deal can be reached. If we can close the case – usually with a payment – then we facilitate that, too. We trace the payment and follow up the release of the affected systems or data.”

Paying cyber criminals remains controversial, and many people find it unethical. “But if the customer is up against the wall, they have no choice but to negotiate. Of course, we proceed with caution: we check, double-check, triple-check… because there are also ‘fixers’ who have nothing to do with the incident but who follow the communication of hackers on the darknet and then approach victims themselves,” Geert explains. “That is precisely why you need negotiators who know their way around, who can quickly determine whether you are talking to the right person. Negotiating with hackers is a profession in itself.”

Full control is virtually impossible

Protecting IT systems from intrusion is more and more difficult, especially as networks become increasingly complex. “It is virtually impossible to fully control your network today. As soon as there is a vulnerability in the firewall, hackers start to exploit it. They have a kind of ‘bible’ with IP addresses and technologies used, which allows them to strike quickly. Their goal is to obtain admin data that they can use at a later time. Once they have that data, they can penetrate the network weeks or months later. We therefore recommend that you always have an up-to-date XDR solution within your network, so that inappropriate activities can be detected immediately.”

One of the challenges Geert experiences is that business leaders often have limited knowledge of IT and cyber security. “That is why the Cyber Security Coalition is a valuable ecosystem. The more cyber security is discussed at a high level, the more it reaches the CEO and stays on the company’s radar. It is also crucial that we exchange experiences and work together, even with competitors. In cyber security you are never the best, you can never win the battle alone. Thanks to the Coalition, we can talk to each other in confidence,” concludes Geert Baudewijns.

Skills & Talent Development

“The Cyber Security Challenge is the gateway to a career in security”

In 2024, NVISO organised the 10th edition of the Cyber Security Challenge, a competition that aims to increase awareness of cyber security and motivate students to become cyber professionals. With 856 participants from 38 universities and colleges, the 2024 edition broke all records. “The level is so high that some educational institutions are considering including the competition in their curriculum,” Vincent Defrenne of NVISO proudly remarks.

Team Hastur, affiliated with UCLouvain, won the 2024 competition.

Our country urgently needs more cyber professionals. Yet too few students choose to study in this domain. “It’s a shame, because a career in cyber security is full of opportunities and challenges,” says Vincent Defrenne. So NVISO took a novel approach to spark interest in cyber security: a competition that the Coalition has been sponsoring for years. “The Cyber Security Challenge is specifically aimed at students and is based on the Capture the Flag principle, in which complex assignments must be solved in groups of four. Various aspects are discussed, such as cryptography, network security, and secure web and mobile applications.”

2024 marked the competition’s 10th edition, and interest has been increasing year after year. “Our first Challenge had 250 students participating; last year there were more than 850. It’s an impressive turnout, especially when you consider that most participants are not majoring in cyber security,” Vincent explains. “So we are clearly succeeding in our aim. After all, it is also our intention to give those who have never come into contact with cyber a first glimpse into this domain. The competition can be a revelation for them.”

A stepping stone to the workplace

NVISO pulls out all the stops for the Challenge. In addition to a strong dose of realism, the assignments have a high fun content. “Our partner companies help devise the assignments, because we want to give students a taste of what awaits them in practice,” Vincent explains. “We not only want to increase awareness of cyber security, but also create a community in which young talent comes into direct contact with potential employers. In this case, these are not HR managers, but cyber professionals who deal with the topic on a daily basis.”

During their assignments, the students work closely with the cyber experts. “This allows them to immediately experience what it is like to be on the work floor, making the experience all the more unique.” For the companies themselves, the Cyber Security Challenge offers an opportunity to see young talent in action, and guide and inspire them. “After the competition, the companies may also connect with all participants. This opens the door to further discussions or even concrete collaborations. For many of the students, this can be the first step towards an internship, traineeship or a first job in the sector.”

An extensive prize package

Team Hastur, affiliated with UCLouvain, won the 2024 competition. Their reward? A trip to the prestigious DefCon hacking conference in Las Vegas and an exclusive SANS training: one of the most renowned cyber security training courses. “But the prizes are not the main motivator for participants. The entire competition is an unforgettable experience, especially for the 150 competitors who make it to the final weekend. Not only do they have access to an exclusive job fair, they can also attend a networking dinner with numerous professionals,” concludes Vincent Defrenne.

EDUbox Data and Privacy: balancing sharing and protecting

Last year, the Cyber Security Coalition partnered with VRT and other organisations to develop the EDUbox Cybersecurity. Building on that success, we launched the EDUbox Data & Privacy in April. This EDUbox addresses the growing need for awareness around personal data. In this educational teaching package, secondary school students explore how data is collected, what is being done with it, and how they can find a better balance between sharing and protecting privacy.

In today’s digital age, we share data both consciously and unconsciously through activities such as posting photos on Instagram, connecting to public Wi-Fi, browsing TikTok, or providing addresses for online purchases. While "sharing is caring" is mostly the motto, it is worth asking whether we should take more care in protecting our personal information.

Data is often referred to as the new gold, a valuable commodity sought after by companies and organisations that collect and trade it for profit. From targeted advertising to significant privacy breaches, the impact of (un)conscious data sharing is increasingly apparent. Despite the growing amount of personal data being collected, many of us remain unaware of the footprints we leave behind and how this information is used.

An interactive EDUbox for the classroom

The EDUbox on Data and Privacy aims to bridge this gap. Through this teaching package, secondary school students can explore how data is collected and used, and how to better manage the balance between sharing and privacy. It was developed in collaboration with VRT, DNS Belgium, Knowledge Centre Data & Society, Amai, Digital For Youth, Cyber Security Coalition, imec, Mediawijs, Ik beslis, Gegevensbeschermingsautoriteit, the Flemish Human Rights Institute and Betternet.

EDUbox is an interactive educational concept developed by VRT to engage young people with important societal topics. Previous EDUboxes have covered themes such as social media, artificial intelligence, sustainability and democracy. They are designed to inform, inspire and empower young people to explore these subjects further. Each package includes text, audiovisual content, assignments and interactive tools, making it a valuable and free resource for teachers to achieve educational objectives.

Educating and empowering young people

Everything we do online leaves behind a trail of data. But this data can be misused. The EDUbox on Data and Privacy is an interactive teaching package designed to inform and educate secondary school students about the potential risks of data sharing.

Packed with expert insights, the EDUbox provides fact sheets, video materials, assignments and interactive tools. These resources help young people understand the concept of (online) privacy, how data is collected, the possible risks and how to maintain control over their own data.

What is inside the EDUbox Data and Privacy?

The EDUbox consists of five parts, which you as a teacher can go through with your students over two lessons.

In part 1, students take an online test and watch a video from Iedereen Beroemd to reflect on questions such as: What is (online) privacy? What information do I share, and what do I prefer to keep private? They evaluate their digital footprint and discuss in class how they already protect their data.

In part 2, students learn about different types of data, including direct, indirect, special and biometric data. They explore how data is collected, who has access to it, and what happens to it. Nils de Ridder from the Belgian Data Protection Authority explains why we should think carefully about accepting cookies and highlights the risks of sharing data.

In part 3, students are encouraged to make conscious decisions by stepping into the shoes of KLAAR presenter Anaïs Dockx. They make everyday choices on her behalf, such as whether to drive or use public transport, and discuss the implications for data and privacy.

In part 4, students explore the basics of data protection laws together. What are their rights? What obligations do companies have? Nils de Ridder explains the principles of the GDPR, and students receive practical tips for better safeguarding their privacy.

Want to know more? In Part 5, students are directed to further materials covering topics such as surveillance cameras, shared mobility, public Wi-Fi, beacons and sniffers. These resources are tailored to engage young learners.

Getting started

The EDUbox on Data and Privacy is available as an interactive website or a downloadable PDF from the EDUbox catalogue. Both formats are ideal for independent group work in the classroom. This EDUbox comes with a teacher’s guide, which includes additional information and suggestions for adapting the material to different classroom needs.

Training centre Interface3 prepares unemployed women for a career in cybersecurity

By offering an intensive cybersecurity training programme specifically for unemployed women, the Brussels-based training centre Interface3 aims to increase the number of women in this sector, because cybersecurity professionals are still predominantly male. “In fact, we are just at the beginning of making the industry more diverse.”

Founded in 1986, Interface3 is a Brussels initiative that seeks to create a diverse mix in the IT sector. “We want to create role models who can each be very inspiring for other girls and women who want to take the plunge. When you see that the percentage of women in IT courses at colleges and universities has only decreased over the past few decades, you understand how important and necessary we are,” says Laure Lemaire, director of Interface3.

This commitment has resulted in a training offer of a total of 13 courses, 8 of which are specific IT courses. “All these trainings last a year and are very intensive. After the lesson period, with an average of 35 hours of classes per week, there is an 8-week internship at a company. By using this method, we hope to equip all participants with the skill set demanded by employers. Anyone who wants to follow one of these courses must be registered as a job seeker. For the participants, these programmes remain completely free,” she continues.
 
Cybersecurity Training 

Because Interface3 clearly felt the growing need for skilled cyber profiles in recent years, the organisation started offering its own cybersecurity training two years ago. This initiative was primarily made possible thanks to the financial support of the Belgium Digital Skillfund. “At the end of the training, we want women to have the basic knowledge to recognise cyber threats, test systems for vulnerabilities, and understand the methodology of attacks,” explains training coordinator Ibtissam Derfoufi.
 
To achieve this ambitious goal, strict admission requirements are imposed. “After an initial selection, the preliminarily selected candidates are given a one-week e-learning course. This helps us determine who can work sufficiently independently. Then follows a second selection test, after which we make our final selection of 15 candidates. This rigorous screening is crucial for the quality of the training,” says Derfoufi. 
 
The selected candidates are then immersed in a four-month programme. “This programme is very practice-oriented. Women learn the tricks of the trade with us and can grow into fully-fledged penetration testers. At the end of this phase, the candidates can also participate in Capture the Flag, a worldwide concept that tests cyber skills through a game format. By allowing the women in our training to participate in this, we give them the chance to build their own name and network within the sector,” Derfoufi explains.
 
The power of reorientation  

Two years after the launch of this ambitious initiative, the results are clearly positive. “Both the participants and the industry, which comes into contact with these women mainly through the concluding company internship, appreciate the high level,” says Lemaire. “In fact, I consider this our additional social mission: we want to show the corporate world the great added value of reorientation programmes. In practice, these are valuable workers, as they often have a much higher intrinsic motivation and have proven during the retraining that they can handle changes.”

This comes on top of the primary mission of strengthening gender diversity, including in the world of cybersecurity. “The societal value of this is beyond doubt. As a cybersecurity professional, it is important to be able to put yourself in the shoes of the hackers you are fighting against. Because this group is growing and becoming increasingly diverse, it is crucial that the defenders of tomorrow reflect this diversity as well,” says Derfoufi. 
 
In the coming years, the initiators hope to further raise the maturity level of this training. “The fact that the first generation of students, who completed the training a while ago, indicate that it has been a great added value for their career, shows that we are on the right track. But we are just at the beginning. For example, we have already made great strides in the level determination of our initial selection rounds compared to the very beginning, and we want to continue this trend,” they conclude unanimously. 
 

How Bibliothèques sans Frontières tries to fight digital inequality

The digitisation of our living environment is indirectly increasing inequality in our society. Libraries Without Borders aims to introduce groups with limited access to the digital world to this new realm. Their sessions also extensively cover cyber dangers and risks.

“Our goal is to facilitate access to the digital world,” begins Dimitri Verboomen, director of Libraries Without Borders (original name: Bibliothèques sans frontières). “This is essential because we live in a digital age. Access to this world means countless new opportunities. But for those who are excluded, the possibilities are significantly reduced. Studies by the King Baudouin Foundation show that this form of inequality affects about 40 percent of our compatriots today – about 4 million people.” 

Scope of training and courses 

To achieve this objective, the organisation, which has existed since 2017, has established several initiatives to train and support citizens of all ages with limited digital background towards digital autonomy and to introduce them to the risks and dangers of the digital world. Dimitri explains: “One of those initiatives, ‘Cyber Heroes,’ is an educational programme that teaches children to navigate the internet safely. We organise animations and trainings in and out of school for this. We try to approach cyber security from different angles, covering everything from phishing to preventive safety reflexes. We offer children, teachers and parents a set of activities to guide them through the safety challenges associated with internet use and digital citizenship.” 

“Since our launch, we have reached about 40,000 children and young people. Additionally, we train teachers in both Flanders and Wallonia. That group has since grown to just under 2,000. We are now increasingly focusing our activities on the out-of-school lives of young people and their parents, as the digital world plays a decisive role there as well,” he explains. 

On another front, BSF works with adults to improve their digital skills and confidence in using new technologies. Through local partnerships, the association organises training and develops a community of digital helpers. Called Digital Buddies, the volunteers can help citizens in need directly at their homes or during support sessions. “BSF helps create social links between communities and generations and therefore combat isolation and provide an immediate response to the participants who are usually in desperate need of help,” he continues.

Increasing awareness and concern 

In recent years, much has changed for the better, including the general level of awareness around the dangers of the online world. “Especially in Wallonia, which initially lagged behind Flanders in this regard, there has been a clear catching-up movement,” says Dimitri. “With the increasing awareness, concern naturally rises as well, bringing us increasingly into the realm of online well-being. It’s obviously a very pertinent issue.” 

“Moreover, and perhaps even more importantly, we have noticed a significant gap among young people between what they know and what they do regarding online safety. For instance, they know it is important to use a strong password, but not all of them actually do it. The fact that surveys show that up to 25 percent of young people have fallen victim to hacking proves this.” 

The increased awareness also has a financial impact for the organisation. “We depend on various funding sources, ranging from public funds to private foundations, which make up the majority. Previously, we were almost exclusively funded by channels that did not publicly advertise their support, but this is changing. More and more funders see the value in publicly supporting efforts to enhance digital security and bridge the digital divide. This shows how the perception of this issue has changed.” 

Growth is not the (ultimate) goal 

Considering these evolutions, Bibliothèques sans Frontières has decided to formally join the Cyber Security Coalition later this year. “We firmly endorse the central objective of this umbrella organisation and believe that membership can add significant value for us, particularly through the tools and shared expertise,” Dimitri continues. 

In the coming years, Bibliothèques sans Frontières hopes the positive trends will continue, which will result in inevitable growth. However, that is not what it is working so hard to achieve. “The ultimate goal of our organisation is to disappear. That would mean the societal need we are addressing has been fulfilled. As long as this is not the case – and we are certainly talking about the long term – we will continue to strive,” Dimitri concludes with a smile. 

Digital Inclusion – Everyone’s Responsibility

December 10, Human Rights Day, is also the day of Digital Rights. Even in 2024, digital inclusion is not a given for everyone. For job seekers, this challenge can be even greater, as digital skills are not only a requirement for employers but are also essential in the job search process.

Cyber Security Awards

Cyber Security Personality of the Year

Dr. Catherine Van de Heyning was honoured with this award for her remarkable blend of academic and legal expertise in the fields of fundamental rights and digitalization. As a Professor of European Fundamental Rights at the University of Antwerp and a public prosecutor, her research focuses on the impact of digitalization on fundamental rights, particularly in criminal law and judicial proceedings. Her work has made a significant impact both academically and in shaping policy, including her role as a member of the advisory committee of the UN Human Rights Council.

Catherine Van de Heyning

Professor of European Fundamental Rights at the University of Antwerp & public prosecutor

CISO of the Year

Johan Claessens was named by the jury as CISO of the Year, recognising his structured methodology and visionary leadership, which enabled water-link to become the first Belgian water company to achieve ISO 27001 certification. In addition, as Chair of the CISO Group, he actively promotes collaboration and knowledge-sharing among water companies, further advancing cyber security across the sector.

Johan Claessens

CISO water-link

Johan Claessens: I am an IT professional by training. When my wife, who is a freelance photographer, noticed that certain clients were trying to hack her photos, it triggered me to focus on cyber security. I started as a CISO at water-link in response to the NIS regulation that requires every organisation providing essential services to effectively manage its cyber security. Being a drinking water company, we wanted to go beyond ‘the minimum’ compliance with the NIS regulations, and to ensure that our drinking water production is completely secured. In my CISO role, I am dedicated to this goal. 
 
What are the biggest threats for a company like water-link? 
 
water-link produces drinking water for 40% of the Flemish population. All these people buy water from us, trusting that their tap water is of the highest quality and meets the strictest European guidelines. We cannot risk our production coming to a standstill due to a ransomware attack, or our water quality being compromised because purification processes are sabotaged. We protect ourselves against all risks that threaten the direct production and distribution of drinking water. 
 
What are your main tasks as a CISO? 
 
They are very diverse. At one moment, I may be discussing technical configurations with IT people, at another discussing the security strategy and new projects with the board. I also negotiate with suppliers and evaluate new products. Plus, I have to drop everything when an incident occurs. It’s a varied and often unpredictable job. 
 
Within the sector federation AquaFlanders, we have a working group of drinking water company CISOs. We meet monthly to share knowledge, discuss incidents, and look at potential problems encountered when implementing our strategic roadmaps for improving the security of our organisations. As we are not in competition with each other, we are very open in sharing our findings and experiences around security. 
 
What are the main challenges you see for CISOs today? 
 
The most obvious challenge and threat is artificial intelligence. AI is an asset for cyber criminals - one they can effectively use in their attacks. But AI can also be useful for us, the defenders. The difference is that attackers can unleash AI without knowing the result in advance. We, on the other hand, must first go through an entire test procedure to ensure that we do not create any bad side effects.  
 
Another challenge is the geopolitical landscape. In the past, the main goal of an attack was to make money. Now we see more and more attacks linked to geopolitics. For example, the week before the municipal elections, many websites were hit by Distributed Denial-of-Service (DDoS) attacks. These send excessive traffic to a website to shut it down so that visitors no longer have access to the services, which can harm the organisation’s image. It appears these specific attacks were initiated by pro-Russian groups.
 
What does the CISO of the Year award mean to you? 
 
Quite a lot! I am the first CISO at water-link, and this is also my first experience taking on a CISO role. I did not really have a frame of reference. Am I doing well? Or am I simply a one-eyed person in the land of the blind? The award is a confirmation that we are doing well! 

Young Cyber Security Professional of the Year

Channelling his entrepreneurial spirit, Reinaert Van de Cruys raises awareness about the importance of cyber security for small businesses. Together with co-founder Mathias Vissers, he is managing director of Fox&Fish Cyberdefense. In Van de Cruys, the jury recognised a shining example of young talent in Belgium. As an ethical hacker, he has supported numerous companies through penetration tests, cyber security audits and social engineering exercises. He has also made a significant impact through training programmes, which help both organisations and individuals

Reinaert Van de Cruys

Managing director of Fox&Fish Cyberdefense

Reinaert Van de Cruys: During my IT education, we learned about security at school, but mainly through a defensive approach. Infiltrating a network is something we taught ourselves. One of my first ethical hacks was the website of a municipality in Limburg. It turned out to have a serious problem: I was able to access the data of ten thousand citizens. When you discover such a thing, it gives you a huge kick! In that sense, hacking is a bit of an adrenaline sport. (laughs)  
 
Nowadays, there are also security courses that take the offensive approach. You can study to become an ethical hacker, which is a good development. This role fulfils a monitoring task that must be executed. You can't just assume that IT administrators configure their firewalls properly and that everything will be fine. The independent ethical hacker who looks for errors and holes is an essential part of the cyber security ecosystem. 
 
Which activities does Fox&Fish carry out? 
 
We are very busy with customised training for end users, software developers and IT administrators. We turn it into a kind of magic show with live hacking demonstrations and an interactive quiz section. By making hacking very concrete and practical, we increase the involvement of our audience in cyber security. We also puncture the Hollywood image that hackers are wizards. We show our trainees that they are just using certain tricks and that it is possible to protect yourself against them. 
 
In addition, we perform classical ethical hacking: checking websites, applications and organisations. Breaking in, seeing what we find, and then delivering reports about it. 
 
How do you keep up with the latest developments?  
 
It’s challenging, because the cyber world is evolving incredibly quickly and customers expect – rightly – that we are always up to date with the latest trends. We use many different sources, such as articles that appear on our online feed or tips and tricks from colleagues. There are also a few excellent podcasts about cyber security: ‘Dasprivé’, for example, by Bart Van Buitenen and Tim Van Haeren. It’s the best choice to stay up to date in the field of privacy and GDPR. And I am lucky to regularly collaborate with a number of ethical hackers on a freelance basis. If you want to learn new hacking techniques, nothing beats a duo project with another hacker!
 
What does this award mean to you? 
 
I was told that we received the award mainly because we make cyber security understandable for everyone: cutting through the jargon and thick reports, and providing very concrete and practical tips. In this way, we help increase cyber security awareness and convince more people of its importance. I believe this is crucial, and the award motivates us to focus even more on this area. 
 
In 2025, we will share videos with tips for end users, because we want to make more information available. Our ambition and our mission remain to take cyber security in Belgium to a higher level, both in the business world and with private individuals. 
 
Which achievement are you most proud of so far? 
 
I like to think back to the very first audit I did, five years ago. I was very nervous because it was my first official assignment as an ethical hacker, and it was for a well-secured multinational. The company had already implemented several security measures and done previous audits. I certainly wasn't going to find any low-hanging fruit!  
 
But only 20 minutes into the audit, I was in their systems - because the CFO had reused a password that had been leaked on the dark web. It was just there, for the taking. Sometimes it is just that simple. You can invest heavily in firewalls and training, but then a simple human inattention, such as an unprotected password, can be your downfall. This shows how we still sometimes make things very easy for hackers. It’s a message that grabs people's attention.  

Cyber Security Researcher of the Year

Cyber security expert Axel Legay, who is the driving force behind the CyberWal programme, was named 2024 Cyber Security Researcher of the Year for his groundbreaking work and commitment to putting cyber security on the map in Wallonia. He notes that our Belgian cyber security ecosystem leads in many ways, but we must strengthen collaboration with other stakeholders to tackle future challenges.

Axel Legay

Senior Security Expert at Nexova

Axel Legay started his career in the academic field, specialising in formal verification, testing and cyber security. As a pioneer in statistical model checking (SMC), he greatly influenced industrial verification practices. He has brought together Walloon researchers and economic stakeholders in Cyberwal.

When Legay was named Cyber Security Researcher of the Year at Belgium’s Cyber Security Awards in December, the jury cited his pioneering research, including advanced AI algorithms for malware detection. Reflecting on the honour, Legay states: “For me, CoronaAlert will always be my most important achievement, because it united people across regions, disciplines and institutions. It taught me that genuine progress arises when we collaborate, listen and trust one another, which requires different kinds of intelligence.” 

Belgium is increasingly being recognised for its cyber security efforts. How would you describe its current position in cyber security research? 

“Belgium is among the leading players in Europe. We have made significant progress, thanks to strong digital foundations and a willingness to adapt. Although we face complex administrative structures across regions, we are aligning priorities and moving towards a more integrated approach. That’s why we need to maintain political momentum as well as continue our investments in research and training programmes to produce skilled cyber security professionals.” 

What are the biggest priorities for Belgian cyber security research right now? 

“In my opinion: cross-regional collaboration, strengthening public-private partnerships, and enhancing education at every level. We need more structured, long-term investments to ensure that universities, businesses and governmental agencies work together efficiently. Bridging technical and legal aspects—ensuring that engineers understand regulations and policymakers grasp technology—is likewise crucial.” 

Why is cooperation between academia and the private sector so important? 

“It ensures practical, impactful results. For example, when we worked with Cisco on malware detection, they provided real-world data and deep industry insight, while the university brought cutting-edge machine learning algorithms. By combining high-level academic research (low Technology Readiness Level) with immediate industrial needs (high TRL), we created a valuable feedback loop that accelerated innovation on both sides.” 

Which threats do you foresee in the future? And how can we cope with them?  

“The threats are both technical and human. Critical infrastructures (including hospitals, energy grids and transportation networks) are increasingly interconnected and vulnerable. As digital devices proliferate — from smart homes to connected cars — the attack surface grows. Educating citizens, professionals and policymakers is essential. Cyber threats aren’t just technical challenges; they also stem from a lack of awareness and digital literacy.” 

Do you see Belgium becoming a top European cyber security leader? 

“Yes, absolutely. We are on track, and I believe Belgium can be in Europe’s top five for cyber security. By building an ecosystem that includes strong research, innovative companies, supportive public agencies and well-educated citizens, we can create a robust defence against evolving cyber threats.” 

Privacy Professional of the Year

Vanessa Ling, Head of Group Data at Proximus, has become the first recipient of the Privacy Professional of the Year award. The jury was deeply impressed by her leadership in advancing privacy practices and her ability to embed privacy into the organisation’s broader governance strategies. Her strategic approach has strengthened privacy protection, ensuring the protection of individual rights, while enabling Proximus to adapt to ever-evolving privacy requirements.

Vanessa Ling

Head of Group Data at Proximus

Vanessa Ling: I graduated with a law degree and began my career as a lawyer at the Brussels Bar. After 10 years, I switched to a more commercial role in an international media group, which offered me an interesting mix of law and business. In 2012, I started working at Proximus as an executive advisor, joining the legal team in 2018 when the GDPR entered into force. For me, it was the right time to move back into law, in charge of consumer protection, media rights, IP protection and privacy.

Why are you passionate about privacy?

I fell into it in 2018, but I immediately saw the importance and complexity of this domain. Privacy is about the protection of a fundamental right, and at the same time it’s at the heart of everything we do as a telco, at the heart of our innovation. So it was a challenging job, but the freedom to design new processes, establish governance and create a team, all from scratch, made it extremely interesting. Seven years on, the domain is still growing every day: privacy is a never-ending story. When I started, there was one person working on this topic; today, my team counts 10 lawyers, supported by external help.

What was your approach to embedding privacy in the organisation’s broader governance strategy?

We first set up a privacy governance body, with representatives of the business, risk management, security, data, and so on. During our monthly sessions, we discuss data-related subjects. We subsequently designed a privacy review process using Collibra. This helps ensure we have a good intake of all initiatives – there are over 1000 new initiatives per year! We capture them in a process that is as automated as possible. The aim is to embed privacy in our project management, building the right culture and changing the mindset for our people who have yet another issue to manage in their project. One key to success has been our community of privacy ambassadors: 120 colleagues who have voluntarily taken on a role to help build a privacy culture.

What does the Privacy Professional of the Year award mean to you?

It’s a meaningful recognition. Privacy protection is a tough job for in-house experts, who face high pressure from the business and their objectives, while dealing with data regulation compliance. I also appreciate that the award stresses the collaboration with our cyber colleagues. Fabrice Clément, who represents Proximus on the Cyber Security Coalition board, encouraged me to apply. The award has allowed me to discover the Coalition’s network. I am looking forward to working more with the Privacy Focus Group in future.

What are the main challenges ahead in privacy protection?

We are facing more, and more complex, regulation. There is even some overregulation to a certain extent, with overlapping rules and contradictions: for instance, between the GDPR and telco sector-related legislation. In a rapidly changing technology environment, it is hard to remain competitive while complying with strict regulations. A typical example is fraud prevention and detection. In order to identify customers and protect their accounts, we require large amounts of personal data. In 2025, I fully intend to work more on advocacy, to gain more flexibility in protecting our customers. We need to explain this better to both Belgian and European regulators and policy makers.

Aftermovie Cyber Security Awards Ceremony 2024

Podcast Cyber Security Awards

For the fourth time, the Cyber Security Coalition has presented the Belgium Cyber Security Awards. On December 4, 2024, the winners were announced. In these episodes of Cyber Talk, we sit down with the winners for an in-depth conversation.

Community Life

About the Coalition

The Cyber Security Coalition is a non-profit association (ASBL/VZW) that provides a neutral, non-commercial forum where cyber security professionals can freely exchange in confidence. The Coalition is a member-funded initiative. The membership fees cover the operating costs and deliverables, such as awareness campaigns, information kits or the publication of guidelines. All members are represented in the General Assembly.

COLOPHON

The Cyber Security Gazette is a creation of the content company, commissioned by the Cyber Security Coalition.
Editors: Björn Crul, Roeland Van Den Driessche, Bavo Boutsen and Anse Keisse | Editor-in-Chief: Cathy Suykens | Photography: iStock, archives | Design: Anaïs Hoornaert and Webdoos | All rights reserved | © 2024 Cyber Security Coalition

Cyber Security Coalition
Stuiversstraat 8, 1000 Brussels | www.cybersecuritycoalition.be
Release Date: January 2025

Our board

From left to right: Bart Preneel, Karine Goris, Nathalie Ragheno, Vice-Chair Phédra Clouner, Stéphane Vince, Saskia Van Uffelen, Vice-Chair Georges Ataya, Sévérine Waterbley, Fabrice Clément, Chair Jan De Blauwe

Operations Office

From left to right: Christian Mathijs, Henk Dujardin, Cathy Suykens, Guy Hofmans, Pascal Champagne

Our members

ACADEMIC

Antwerp Management School • EE-Campus (Eurometropolitan e-Campus) • Hénallux • HOGent • HOWEST University of Applied Sciences • ICHEC Brussels Management School • KU Leuven • PXL Hogeschool • Solvay Brussels School of Economics & Management • Syntra PXL • Technofutur TIC • Thomas More • UC Louvain • UGent • ULB – Université Libre de Bruxelles • Université de Namur • VIVES University College • VUB – Vrije Universiteit Brussel

FEDERATIONS

Agoria • Assuralia • Beltug • Comeos • FABA – Federatie van Algemene Bouwaannemers • Febelfin • FedNot • Fevia • HRZKMO • LSEC • Santhea • Synergrid • VBO FEB

PRIVATE

Accenture • BNP Paribas Fortis • Cegeka • Cronos Security • ING Belgium • KBC Group • Mastercard • Proximus • SWIFT

AG Insurance • A&O Shearman • Argenta • AXA Belgium • Belfius • Byblos Bank Europe • CheckPoint Software Technologies • Colruyt Group • Computacenter • Crelan • Delaware • Devoteam • DKV Belgium • Ethias • Euroclear • Exclusive Networks Belux • EY Advisory Services • Fortinet Belgium • Isabel Group • Microsoft • National Bank of Belgium • Netskope • NRB • Orange Belgium • Orange Cyberdefense Belgium • Pluxee • PwC Enterprise Advisory • Schneider Electric • Solvay • SopraSteria Benelux • TCR International • Telenet Group • Thales Group Belgium • Trend Micro Belgium • Vanbreda Risk & Benefits • Wavestone Belgium • Westcon-Comstor • Zetes Belgium

2dehands/2ememain • AboutIT • Approach Cyber • Cranium Belgium • Cresco • Crimson7 • Cyber Security Management • DigiTribe • DNS Belgium • Doccle • EASI • e-BO Enterprises • E-Solutions • Elimity • EURANOVA • EURid • Expertware Belgium • Fox&Fish Cyberdefense • Innocom • Intigriti • itsme • Jarviss • Link2Trust • Maiky • NVISO • Passwerk TRPlus • Peopleware • Psybersafe • Rhea Group • Secudea • Secure Code Warrior • Secutec • Sirius Legal • Sirris • The Key 2 IT • Toreon • Trustbuilder • Uniwan

PUBLIC

Agence du Numérique • A.S.T.R.I.D • Banque Carrefour d’Echange de Données (BCED) • Belgian Defence • Belnet • BelV • BIPT-IBPT • CPAS Bruxelles – OCMW Brussel • C.R.E.G. • Centre for Cyber Security Belgium • ENABEL • European Commission • FIA-FAI Federal Audit Fédéral • Flanders Investment & Trade (FIT) • FOD Justitie /SPF Justice • FOD Beleid & Ondersteuning /SPF Stratégie & Appui • FOD Buitenlandse Zaken, Buitenlandse Handel en Ontwikkelingssamenwerking/ SPF Affaires étrangères, Commerce extérieur et Coopération au Développement • FOD Economie, K.M.O., Middenstand en Energie/ SPF Economie, P.M.E., Classes Moyennes et Energie • FOD Financiën/ SPF Finances • FOD Sociale Zekerheid/ SPF Sécurité sociale • FOD Volksgezondheid, Veiligheid van de Voedselketen en Leefmilieu/ SPF Santé publique, Sécurité de la Chaîne alimentaire, Environnement • Gegevensbeschermingsautoriteit/ Autorité de protection des données • IBZ FOD Binnenlandse Zaken/ SPF Intérieur • IDELUX - Association intercommunale pour le développement économique durable de la province de Luxembourg • iMio • IRISnet • MIVB-STIB • NMBS-SNCB • Paradigm.brussels • Parlement de Wallonie • Province de Namur • SCK-CEN • VDAB • Vlaamse Overheid

HEALTH CARE

AZ Delta • AZ Groeninge • AZ Maria Middelares • AZ Oudenaarde • AZ Rivierenland • AZ Sint Jan • AZ Sint-Lukas Brugge • AZ Turnhout • AZ Vesalius • Broeders van Liefde • CHU-UVC Brugmann • Clinique Saint-Jean • CHU Saint Pierre • Clinique Saint Pierre Ottignies • Cliniques Universitaires Saint-Luc • GPN Son • Grand Hôpital de Charleroi • Hôpital Universitaire de Bruxelles • Imelda • Iris Ziekenhuizen Zuid • Jan Yperman Ziekenhuis • Jessa Ziekenhuis • Onze-Lieve-Vrouw Ziekenhuis Aalst-Asse-Ninove • Korian • Ziekenhuis Oost-Limburg (ZOL) • ZNA Ziekenhuisnetwerk Antwerpen • UZ Leuven • VITAZ Hospital

NON-PROFIT

Cetic • ISACA Belgium • Flux50 • Landsbond der Christelijke Mutualiteiten • Miris • Multitel • SAI • Shield • Socialware

ASSOCIATE MEMBERS

Leila Abajadi • Nathalie Claes • Olivier de Visscher • Filip Herman • Matthias Neuville • Gunther Penne • Clarence Pinto • Doshi Shreeji • Meenakshi Sundaram • Iva Tasheva • Sam Van Hauwaert