In 2022, Belgium found itself on the frontline of an escalating global cyber war. The Belgian Ministry of Foreign Affairs publicly accused Chinese state-sponsored hackers of cyberattacks against the Federal Defence and Interior Ministries. The Vivalia hospital group was paralyzed by ransomware, forcing a return to paper records. Public sector organizations, healthcare providers, municipalities, and universities all fell victim to successful cyberattacks throughout the year.
These are not isolated incidents. Europe saw a 26% increase in cyberattacks in 2022, and IBM's annual Cost of a Data Breach report put the global average cost at $4.35 million per incident — an all-time high. For Belgian businesses, especially SMEs that form the backbone of the Brussels economy, understanding and defending against these threats is not optional — it is a matter of survival.
The ransomware epidemic: Belgium under siege
Ransomware remained the most destructive threat in 2022. According to ENISA, ransomware accounted for 54% of cybersecurity threats in the healthcare sector alone. The attack on Vivalia in May 2022 demonstrated the devastating real-world impact: surgeries were postponed, patient records became inaccessible, and the entire hospital network was forced into manual operations for weeks.
Belgian organizations across sectors were targeted. KonBriefing Research documented successful cyberattacks hitting 9 public sector organizations, 6 healthcare institutions, 5 municipalities, 3 universities, and 2 social welfare organizations in Belgium during 2022. The actual number is certainly higher, as many private-sector attacks go unreported.
The economics of ransomware have shifted dramatically. Modern ransomware operators employ 'double extortion' — encrypting data while also threatening to publish it unless a ransom is paid. Average ransom demands have skyrocketed, and even organizations that pay often find their data partially corrupted or face repeated attacks. The median cost of a major security incident in the European health sector alone reached EUR 300,000, according to the ENISA NIS Investment 2022 study.
Phishing, social engineering, and supply chain attacks
Phishing remains the primary initial attack vector for the majority of breaches. The Anti-Phishing Working Group recorded over 10 million phishing attacks in the first quarter of 2022 alone, with the third quarter peaking at 1,270,883 attacks. SlashNext reported a 61% increase in phishing attack vectors using malicious URLs, totalling 255 million incidents globally. In the UK, 83% of businesses that suffered a cyberattack in 2022 identified phishing as the entry point.
Modern phishing has evolved far beyond the crude Nigerian prince emails of the past. Attackers now use sophisticated Business Email Compromise (BEC) campaigns, impersonating executives or trusted suppliers with near-perfect replicas of legitimate communications. AI-generated content is making phishing emails increasingly difficult to distinguish from authentic messages, even for trained professionals.
Supply chain attacks emerged as a critical and growing threat, accounting for 19% of all cybersecurity incidents in 2022. The logic is devastating: rather than attacking a well-defended target directly, attackers compromise a trusted supplier or software vendor, gaining access to all of their customers. The Toyota supply chain attack in March 2022 — where a ransomware attack on component supplier Kojima Industries forced Toyota to halt all Japan-based manufacturing — demonstrated how a single compromised supplier can cascade through an entire industry.
Belgian CCB recommendations and regulatory framework
The Centre for Cybersecurity Belgium (CCB) serves as the national authority for cybersecurity, coordinating national cyber strategy and providing guidance to businesses and citizens. The CCB operates the CERT.be incident response team and publishes regular threat advisories and best practice guidelines.
The CCB's core recommendations for Belgian businesses include implementing multi-factor authentication across all systems, maintaining up-to-date software through rigorous patch management, deploying network segmentation to contain potential breaches, establishing and regularly testing incident response plans, and conducting regular security awareness training for all employees.
Belgium's regulatory landscape for cybersecurity is shaped by multiple overlapping frameworks: the GDPR governs personal data protection, the NIS Directive (and its successor NIS2, effective from 2024) establishes security obligations for essential and important entities, and the Belgian Law of 7 April 2019 provides a national cybersecurity framework. Organizations in regulated sectors such as finance and healthcare face additional sector-specific requirements from regulators like the FSMA and FAMHP.
GDPR breach notification: what you must do in 72 hours
Under Article 33 of the GDPR, organizations must notify the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach poses a high risk to individuals, Article 34 additionally requires direct notification to the affected data subjects.
The notification must include the nature of the breach, categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach. Failure to report can itself result in significant fines — up to EUR 10 million or 2% of annual global turnover under Article 83(4) of the GDPR.
Belgian organizations have faced tangible enforcement. The Belgian DPA has imposed fines up to EUR 600,000 for GDPR violations, and EU-wide penalties can reach EUR 20 million or 4% of global annual turnover. Beyond financial penalties, a publicly reported breach causes reputational damage that can persist for years, eroding customer trust and business relationships.
Building practical defence layers
Effective cybersecurity requires a defence-in-depth approach — multiple overlapping layers that ensure no single point of failure can compromise the entire organization.
Layer 1 — Perimeter Defence: Deploy next-generation firewalls, DNS filtering, and email security gateways with advanced threat protection. Ensure all external-facing services use TLS encryption and are monitored for anomalies.
Layer 2 — Identity and Access Management: Implement multi-factor authentication (MFA) for all users, not just administrators. Apply the principle of least privilege, ensuring users have only the access they need. Use a privileged access management (PAM) solution for administrative accounts.
Layer 3 — Endpoint Protection: Deploy endpoint detection and response (EDR) solutions on all devices. Maintain rigorous patch management with a maximum 72-hour window for critical vulnerabilities.
Layer 4 — Data Protection: Encrypt sensitive data at rest and in transit. Implement data loss prevention (DLP) tools. Maintain regular, tested backups following the 3-2-1 rule: three copies, two different media types, one offsite.
Layer 5 — Monitoring and Response: Deploy a Security Information and Event Management (SIEM) system. Establish a security operations capability — whether in-house or outsourced — that monitors 24/7. Develop and regularly test an incident response plan with defined roles, communication protocols, and recovery procedures.
Layer 6 — Human Defence: Conduct regular security awareness training with phishing simulations. Establish clear reporting procedures so employees know exactly what to do when they encounter suspicious activity. Remember: 85% of breaches involve a human element, making your people both your greatest vulnerability and your strongest defence.
How Shady AS can help
Shady AS SRL, based in Brussels, helps Belgian businesses build resilient cybersecurity postures. Our team conducts comprehensive security assessments, designs and implements defence-in-depth architectures, and provides ongoing monitoring and incident response support. We understand both the technical threat landscape and the Belgian regulatory environment, including GDPR, NIS2, and sector-specific requirements.
Whether you need a full security audit, help designing your incident response plan, or a trusted partner to manage your security operations, Shady AS has the expertise to protect your business. Contact us through our website to schedule an initial cybersecurity assessment and understand where your organization stands against today's threats.