Cybercrime skyrockets
Alarming statistics seem to warrant increased measures to combat cybercrime in Europe. Data platform Statista expects the cost of cybercrime worldwide to reach close to a staggering 24 trillion USD by 2027, eight times the cost in 2020. In a rapidly evolving threat landscape, ransomware attacks show a significant 57.8% increase year over year. Online fraud has doubled in the past year, highlighting the growing sophistication of cybercriminals. Distributed Denial of Service (DDoS) attacks remain a persistent threat, with an average of 10 such attacks occurring monthly in Belgium alone. Espionage continues to be a major concern, and the fast development of new technologies such as artificial intelligence will be leveraged for malicious activities. The outlook is bleak, and experts consulted by Statista believe the situation will not improve any time soon.
What is going wrong?
Twenty years after the foundation of the European Union Agency for Cybersecurity (ENISA), the cybersecurity threat in the EU seems hardly under control. Several reasons should be considered. Firstly, poor governance and leadership at government level have resulted in a fragmented approach to cybersecurity: each country has its own model and responsibilities often shift, leading to inconsistent protection measures. Secondly, the internet was not designed with security in mind; it was created to be open, free, and anonymous, which has left a vulnerable foundation for modern technology. Finally, despite the growing threats, basic security measures such as two-factor authentication (2FA) are still not widely implemented, while security is often perceived as a burden and an additional cost rather than as a solution.
NIS2 to the rescue
Addressing these issues is crucial to enhancing the EU's cybersecurity resilience, and NIS2 aims at precisely that. It pushes member states to set up a national cybersecurity authority and to clearly define a strategy, roles and responsibilities, based on a central directive. NIS2 is an updated European Union directive building on the original NIS (Network and Information Security) Directive from 2016, the first EU-wide legislation on cybersecurity. The NIS2 Directive introduces stricter requirements and broader coverage, bringing in more entities that are relevant for the functioning of our society. It came into force on January 16, 2023, and EU member states had until October 17, 2024, to transpose it into national law.
Implementing NIS2 in Belgium: new opportunities
Belgium is one of the few EU countries to have transposed NIS2 on time. Key to the new Belgian approach is a common framework for all sectors. This framework expands the early warning system from the current 150 companies to up to 2,500. Rapid vulnerability scans will enable companies to identify their weaknesses, and a solution for supply chain challenges is available. Additionally, while NIS2 requires incident reporting, the government has committed to providing assistance and to using the knowledge it acquires to help NIS entities enhance their resilience.
Sectors and classification
In total the Belgian NIS2 law covers 18 sectors, divided into two 'Annexes': sectors of high criticality and other critical sectors. Classifying entities in this framework is not always straightforward, as some companies offer a variety of products and services that span more than one sector.
Annex 1, the sectors of high criticality, covers essential services and operators that would have a high impact on the economy or society if they were to suffer a cyberattack. This includes industries such as energy, transport, healthcare, and finance. Within these sectors, a distinction is made between essential and important entities. Both have to take the same measures; the difference is that essential entities must demonstrate their compliance ex-ante (they are subject to proactive supervision), while important entities are only supervised ex-post. Large entities fall under the essential category, while medium-sized entities generally receive the label important.
Annex 2, on the other hand, covers the other critical sectors, whose disruption would have a lesser but still significant impact on the economy or society, including postal and courier services, waste management, chemicals, food, manufacturing, and digital providers.
Important milestones and concepts of the Belgian NIS2
As mentioned, as of October 18, 2024, entities are obliged to start implementing the new NIS2 regulation and to report significant incidents to the CCB (Centre for Cybersecurity Belgium). By March 18, 2025, entities need to be registered via atwork.safeonweb.be. The next milestone is the verification deadline of April 18, 2026, 18 months after the law entered into force. By that time, entities must have established measures at least equivalent to the CyberFundamentals level Basic. The CyberFundamentals framework provides a risk assessment tool that identifies, for each company size, the generic threats, their probability of occurrence and their impact on the sector, and defines proportionate measures in accordance with that assessment. After this verification period, the law foresees a full year for essential entities to complete their certification, by April 18, 2027.
It is important to highlight that NIS entities are legally responsible for the security of their supply chain. If they work with suppliers, those suppliers can demonstrate compliance through the same labels. Obviously, a supplier can use its label to offer services across various sectors.
The CyberFundamentals framework is central to compliance with the Belgian NIS2 law. It is a norm specific to Belgium, but the Belgian authorities are working on getting it recognised at EU level, even though that would not mean it is automatically accepted as proof of NIS2 compliance by every EU country. Belgium's approach is innovative and has attracted interest from other countries.
Advantages of the NIS2 Belgian framework
The Belgian NIS2 framework offers several advantages. Firstly, organizations across various sectors benefit from a low-cost, efficient approach to risk assessment and security planning. This unified framework streamlines compliance efforts and enables an evaluation of the cybersecurity level of the supply chain. With supervision by accredited Conformity Assessment Bodies, organizations can demonstrate adherence to the standard and maintain a high level of security. Additionally, the framework provides clear guidelines on the responsibilities of executives and board members. Through cross-sector education, training, and exercises, organizations can enhance their cybersecurity capabilities and build a more resilient ecosystem. Moreover, international recognition of the framework is growing, facilitating collaboration and knowledge sharing across borders.
A cornerstone for Belgian cybersecurity
The NIS2 law marks a pivotal moment for Belgian cybersecurity. With its implementation, over 2,500 companies will be required to enhance their security measures, which will have a significant impact.
The CCB's specialized services will provide instrumental support in identifying and addressing risks. Furthermore, increased incident reporting will enable a more proactive and effective response to cyber threats. A shift in mindset is also essential: cybersecurity must become an integral part of routine business practice. A final, imperative message is to prioritize basic measures such as multi-factor authentication (MFA), as it prevents a substantial share of security breaches.
While the NIS2 law may not address every cybersecurity challenge, it serves as a robust foundation for a more secure digital future. By diligently implementing its provisions and remaining vigilant, Belgium can confirm its position as a leader in cybersecurity within the European Union.
More information on the Belgian NIS2
https://atwork.safeonweb.be/nis2