
2024: ACTIVITY REPORT OF THE CYBER SECURITY COALITION

Adapting to a Stronger Cyber Security Framework

“The Cyber Solidarity Act is an engagement to fight cybercrime together”

Over the past 10 years, the EU has put in place a legal framework with the purpose of achieving a higher level of cyber security. The implementation is ongoing and will culminate in the Cyber Solidarity Act. This new piece of legislation, approved by the European Council in December 2024, aims to improve the preparedness, detection and response to cyber security incidents across the EU. It is accompanied by an investment budget of 100 million euro.

Christiane Kirketerp de Viron

Acting Director for Digital Society, Trust & Cybersecurity at the European Commission

Europe’s legislative efforts have been setting the example since the NIS1 entered into force in 2016, as the first EU-wide cyber security legislation. Christiane Kirketerp de Viron, Acting Director for Digital Society, Trust & Cybersecurity at the European Commission, explains, “Our internal market is intrinsically connected. This implies that the weakest link can pose a risk for the whole market. Therefore, we needed to agree on what a good level of cyber security entails and how to achieve it.”

The regulatory efforts have yielded noticeable results. “The NIS1 has led to most critical entities adopting risk management procedures and other measures, increasing cyber security maturity. We also see a clear impact in incident reporting. The NIS2 introduced Boardroom responsibility, prompting C-suite level interest. As a result, the demand for training is on the rise.”

Because the threat landscape and risks continue to evolve at a rapid pace, the EU has taken multiple legislative initiatives to better protect critical infrastructure, businesses, public institutions and citizens. “The Cyber Resilience Act, for instance, is a legal framework published at the end of 2024 that focuses on product security. Everyone agreed that security was not at the heart of product development and innovation, which instead focussed mostly on speed and getting to the market as quickly as possible. Now the cyber security requirements for both hardware and software are clear, imposing security by design, after-sales patching and a lifecycle approach, to name a few,” Kirketerp de Viron states.

Keeping up with and complying with new regulations is a tough job for SMEs and other smaller organisations. “There is a lot of good will among SMEs, who acknowledge they need to do better to protect their businesses. This is the reason we have foreseen transition periods to comply with new rules, and why we insist on standardisation. The latter plays an extremely important role in making things simpler and more straightforward for companies. So, my advice is: use the standards and take advantage of all the tools the Member States have put in place for SMEs - with financial help from the EU.”

The final piece of legislation that is currently being rolled out, the Cyber Solidarity Act, is meant to better protect the EU as a whole in times of very sophisticated attacks. “We want to improve the detection, analysis and response to cyber threats. To deal with this in an efficient way, we need to work together. That is why the Cyber Solidarity Act includes a proposal for a European alert system, composed of national and cross-border Security Operations Centres and the use of advanced technologies such as AI to identify threats faster and better. Furthermore, we want to enhance our preparedness for and response to cyberattacks. And we have foreseen a mechanism of mutual support when a Member State is affected by an incident,” Kirketerp de Viron concludes.

“The challenge remains to convince SMEs to invest in cyber security”

For more than 10 years, the FPS Economy has been taking initiatives to raise awareness among companies and independent professionals about cyber security. Due to widespread cyber attacks and the increase in European regulations, this mission remains highly relevant. “In close collaboration with the Belgian ecosystem, we will continue to focus on raising awareness among SMEs and the self-employed.”

Séverine Waterbley

President of the FPS Economy

Séverine Waterbley is President of the FPS Economy and a Cyber Security Coalition board member. Her many contacts give her a solid perspective on the evolution of cyber security awareness in our economy: “It is clear that our companies are much more aware of the risks than 10 years ago. But with more than 100 incidents reported every day, we must continue to convince self-employed people and SMEs to better prepare.”

Recovery plan: 13 projects, €12 million

The FPS Economy has therefore launched the website mijnzaakcyberveilig.be / mapmecybersecurisee.be, with an online QuickScan for SMEs that helps them identify the first steps they can take in cyber security. For personalised advice to further improve their cyber security, they can turn to the CyberScan. “More than 600 self-employed people and SMEs with fewer than 50 employees have already carried out the CyberScan,” says Waterbley.

“In addition, as part of the post-COVID recovery plan, we have invested 12 million euros in 13 projects that contribute to increasing the cyber security maturity of our SMEs.” The selected projects include a training programme from the NSZ/SNI and Safeshops.be on webshop cyber security, a programme for Brussels-based SMEs from CyberWayFinder, and a basic cyber security training for contractors developed by the federation FABA/FEGC.

Standardised approach for SMEs

European directives, such as the NIS2, CRA and CSA, are imposing a growing number of rules, with the aim of increasing our economy’s cyber security. “We need to give the private sector the necessary time to implement it all. It’s critical that they develop strategies and cyber security action plans now. Sometimes it seems a bit far-fetched for SMEs, but if they act as a supplier to a larger organisation that is subject to certification and audit under NIS2, they will be confronted with these rules too.”

Introducing a standardised approach will therefore also prove useful and necessary for smaller companies. Waterbley: “For public institutions and large companies, ISO-27001 has become the standard. However, this approach can be difficult to achieve for smaller organisations. To address this, they can call on a service provider to help them, or set up the necessary measures themselves via the CyberFundamentals Toolbox from Safeonweb@work.”

She shares this message annually at numerous congresses and conferences that specifically target the self-employed and SMEs. “This group has little time, so you have to address them specifically, and show them that they must not only invest in protection, but also in a recovery plan in case they are affected.”

She concludes, “In the coming years, we will focus our awareness campaign more on specific sectors, such as construction, energy and pharmaceuticals. The Cyber Security Coalition can play an important role in this, with its broad network and the practical expertise at its disposal.”

Transforming cyber security: the impact of the NIS2 and CRA on Belgian businesses

The European Union’s Network and Information Security Directive (NIS2) and Cyber Resilience Act (CRA) represent transformative steps in cyber security governance, setting ambitious standards for organisations across the continent. For Belgian businesses, these regulations present a double-edged reality: while the path to compliance is complex and resource-intensive, there are long-term benefits in improved resilience, trust and competitiveness.

Noëmie Honoré

Global Cybersecurity Lead Belgium and Luxembourg at Wavestone

The NIS2, implemented into Belgian law on 18 October 2024, aims to strengthen cyber security across essential sectors. Its scope extends far beyond the NIS1, encompassing industries including energy, healthcare and transport, as well as public administrations and smaller organisations critical to maintaining societal functions.

“Businesses fall into two compliance categories: important or essential. Each tier mandates specific rules,” Noëmie Honoré, Global Cybersecurity Lead Belgium and Luxembourg at Wavestone, explains. “To achieve NIS2 compliance, Belgian organisations can align their cyber security practices with the globally recognised ISO27001 standard, or adopt the CyFun framework designed by the Centre for Cybersecurity Belgium, which offers a tiered security maturity system.”

The CRA, on the other hand, addresses a critical gap in the cyber security ecosystem: the security of digital products. “Covering hardware, software and their supporting components, CRA ensures that products meet stringent cyber security standards throughout their lifecycle. The regulation introduces distinct responsibilities for manufacturers, importers and distributors, emphasising product security, vulnerability management and the provision of clear user documentation,” Honoré adds. The regulation was approved in 2024 by the European Parliament, and is directly applicable in all member states. Businesses have until 2026 to achieve compliance.

Navigating compliance challenges

For Belgian businesses, these regulations come with significant challenges. The overlapping demands of the NIS2, CRA and other frameworks, such as the Digital Operational Resilience Act (DORA) and the AI Act, create a complex compliance landscape.

“Determining whether an organisation qualifies as ‘important’ or ‘essential’ under the NIS2, or differentiating between ‘critical’ and ‘non-critical’ products under the CRA, requires careful analysis. Additionally, the evolving cyber threat landscape, marked by ransomware, supply chain vulnerabilities and advanced and persistent threats, complicates compliance efforts. Limited expertise and resources, particularly for small and medium-sized enterprises, further exacerbate these difficulties.”

Despite these challenges, the potential benefits of compliance are substantial. Honoré explains, “It’s an opportunity for businesses to embed cyber security into their DNA. By aligning with these standards, organisations not only enhance their resilience but also build trust with stakeholders and gain a competitive edge in a market increasingly aware of digital security issues.” The CRA’s focus on product security offers manufacturers a chance to address vulnerabilities proactively, boosting market credibility. Meanwhile, the NIS2’s emphasis on broader organisational security is reducing the likelihood and impact of attacks in Belgium.

Approach and collaboration

To navigate this regulatory shift, Belgian businesses should take a structured approach. “Conducting comprehensive assessments of current cyber security practices, identifying gaps, and developing targeted action plans are crucial first steps. Enhancing cyber security maturity, strengthening supply chain security, and embedding incident response protocols into organisational processes will ensure readiness. Equally important is fostering a culture of cyber security awareness through continuous training and communication,” Honoré explains.

Collaboration will play a pivotal role in this transition. “By engaging with industry associations, government bodies such as the CCB and cyber security experts, the Cyber Security Coalition can access valuable insights and guide the Belgian organisations in their cyber compliance journeys. Progress is the main goal. These regulations should not be seen as mere checklists, but as tools to build a stronger, more secure digital ecosystem for everyone,” Noëmie Honoré concludes.

The NIS2 and CRA regulations mark a turning point for Belgian businesses, urging them to re-evaluate their cyber security strategies and adapt to a rapidly evolving landscape. Though the road to compliance may be demanding, the rewards - from enhanced operational resilience to increased stakeholder trust - promise a safer and more prosperous digital future.

Will certification lead to more cyber security maturity?

The European Commission’s Cyber Resilience Act, which imposes cyber security requirements for products and services, aims to strengthen the security of hardware and software. Other certification frameworks, such as NIS2, introduce additional rules and requirements. During the BE-CYBER Experience Sharing Day 2024, an expert panel reviewed these evolutions, and took on the question: ‘Will certification drive greater cyber security maturity?’

The panel, which consisted of Christiane Kirketerp de Viron (Acting Director for Digital Society, Trust & Cybersecurity at the European Commission), Johan Klykens (Director of the Certification Authority for CCB), Steve Purser (an independent cyber security consultant), Marc Vauclair (technology manager at NXP Semiconductors) and Sebastien Deleersnyder (CTO of Toreon), was moderated by Liliana Musetan (Head of Unit at the Council of the European Union).

Christiane Kirketerp de Viron explained why the EU is at the forefront of cyber security regulations: “The fundamental logic should be that the software we buy and use - whether for government offices or businesses - is secure by design. However, the current market seems to be focused more on innovation and the rapid launch of new products and services than on cyber security. The goal of the NIS2 is thus to safeguard critical entities and their supply chains, while the Cyber Resilience Act (CRA) aims to stimulate and facilitate self-assessment within the industry.”

Good regulation, smart implementation

While these new regulations serve a higher purpose, the devil remains in the details. “New rules should be well-tailored and smartly implemented,” Johan Klykens remarked. “Europe has a very good model and the CRA certification scheme is straightforward. Hopefully it grows into a global system, because the more countries that adopt it, the more efficient it will become for everyone involved.”

At NXP Semiconductors, Marc Vauclair and his colleagues have been preparing for some time for the new CRA requirements. “Within our technology groups, we look ahead and have already been working for some time to comply with the CRA. As providers of chips to our customers, we need to ensure that the hardware remains upgradeable in the field. This has a big impact on our product development. Ultimately, we are creating the building blocks for better cyber resilience.”

Compliance and risk management are intertwined

The panellists also discussed how to convince companies to comply with new cyber security regulations. “They need to understand what the legislation means for them specifically. Compliance is important, but they should also be looking at risk management,” according to Steve Purser. “That means cyber security experts have to be able to speak directly to the board, so the latter can support management decision-making and accelerate awareness throughout the organisation.”

A security culture is a key success factor. Sebastien Deleersnyder explained, “We’re seeing many new rules for organisations, and security-by-design is definitely the way forward for CRA compliance. This requires implementing a secure development lifecycle, from inception. Train developers on security coding and how to operate the systems safely in the field. If the DevOps team has a security mindset, you will succeed.”

Certification thus enhances cyber security but is not enough on its own: awareness remains critical. “We have been telling our people this for 20 years,” Marc Vauclair stated. “Our training programmes have been tailored to all the different roles in the company.” Sebastien Deleersnyder added: “We bring people together in ‘workshop mode’ to look into technical security vulnerabilities, but also at doomsday scenarios for our customers’ businesses. This can be an eye-opener for developers who hadn’t fully grasped the impact of what they were doing. After doing this, they really start to bother.”