Cybersecurity is not a back-office issue. It’s a board-level responsibility. That’s the underlying message of the new Cybersecurity Barometer, recently published by VLAIO, the Flemish Agency for Innovation and Entrepreneurship. The numbers are concerning: over 40% of Flemish companies experienced a cyberattack in the past year, with nearly 1 in 10 attacks proving successful.
While the risks are mounting, so is the opportunity to act. The Flemish Government has significantly expanded its support framework for companies looking to improve their cyber maturity. Whether you’re just starting with risk assessments or preparing for a full-scale transformation, subsidies are now available to back your cybersecurity investments with real financial support.
Cybersecurity Isn’t Cheap, But It’s Subsidised
To help SMEs get started or accelerate on the cybersecurity front, an array of subsidies is available to them:
- Cybersecurity Improvement Projects (“Cybersecurity Verbetertrajecten”): These are action-oriented, subsidised initiatives where SMEs partner with approved service providers to define and implement a concrete cybersecurity roadmap. Projects often include risk analyses, policy creation, technical controls, and training, with subsidies covering up to 50% of project costs.
- SME Growth Subsidy (“KMO-groeisubsidie”): For businesses undergoing a broader digital or strategic transformation. This subsidy allows companies to invest in external advice or in-house expertise related to cybersecurity readiness and long-term capacity building. Up to €50,000 in support is available, at a 50% aid rate.
- KMO-Portefeuille: In addition to project-based subsidies, Flemish SMEs can also make use of the KMO-portefeuille, a structural aid scheme that reimburses part of the costs for external advice and training, including legal advice (e.g., on the applicability of cybersecurity rules) and cybersecurity-related services. Companies can receive up to 30% support, capped at €7,500 annually, for services provided by approved providers. This instrument is especially useful for smaller or earlier-stage companies taking their first steps in cyber risk awareness and compliance readiness.
Taken together, these instruments allow SMEs to move from baseline awareness to strategic cyber readiness, with public support reducing the upfront cost.
Cyberattacks Don’t Knock. Regulators Won’t Either.
Governmental support is welcome. However, in parallel, EU and Belgian regulations are turning cybersecurity into a legal obligation. In recent years, multiple far-reaching instruments have been implemented, bringing new compliance duties, risk management standards, and liability triggers for companies across sectors. Here’s a look at some of the main legislative Acts and Directives in play at the moment:
Network and Information Systems Directive (“NIS2 Directive”)
As of 18 October 2024, the Belgian NIS2 law is in effect, imposing binding cybersecurity obligations on a broad range of organisations. This law transposes the EU’s NIS2 Directive and significantly expands the scope of regulated entities to include not only traditional critical infrastructure but also sectors such as digital services, manufacturing, healthcare, and professional services.
Key obligations under the NIS2 Law include:
- cyber risk management and governance frameworks;
- supply chain due diligence and contractual assurances;
- mandatory incident notification;
- executive-level accountability, with potential personal liability for non-compliance.
Organisations must register with the Centre for Cybersecurity Belgium (CCB) via the Safeonweb@Work portal by 18 March 2025, a deadline which has already passed.
To learn more on NIS2, read our dedicated blogpost here.
Digital Operational Resilience Act (“DORA”)
DORA entered into application on 17 January 2025, creating a harmonised cybersecurity regime for financial institutions and critical ICT providers.
DORA requires:
- Risk-based ICT governance and internal control frameworks;
- Periodic threat-led penetration testing;
- Robust contractual provisions in ICT outsourcing agreements;
- Mandatory incident reporting, business continuity and recovery plans.
DORA doesn’t just affect banks and insurers; it also applies to third-party technology providers serving the financial sector. ICT suppliers should assess whether their services bring them within the scope of direct or indirect compliance obligations.
To learn more on DORA, read our dedicated blogpost here.
Cyber Resilience Act (“CRA”)
The CRA officially entered into force on 10 December 2024. This landmark regulation introduces mandatory cybersecurity requirements for nearly all hardware and software products with digital elements placed on the EU market, including IoT devices, enterprise software, and connected consumer tech.
The regulation aims to close the gap between product safety and cybersecurity. For the first time, manufacturers and distributors of digital products are legally required to build security into the lifecycle of their offerings, from design and development through to post-market support.
Key obligations under the CRA include:
- performing cybersecurity risk assessments prior to placing products on the market;
- ensuring secure development practices, including vulnerability protection against known exploit paths;
- maintaining up-to-date technical documentation;
- implementing processes for security updates and patch notification mechanisms;
- reporting actively exploited vulnerabilities and security incidents to ENISA.
The CRA applies not just to manufacturers, but also to importers and distributors, who bear responsibility for ensuring that products they place on the EU market comply with the new rules.
The Common Denominators
Aside from the above-mentioned rules, products and services are often subject to specific legal / cyber requirements (such as the recent evolutions in requirements for radio equipment). While each instrument targets different stakeholders and systems, they share a few common threads companies should act on now:
- Risk-based approach: Companies must assess their cybersecurity risks and implement proportionate mitigation measures.
- Due diligence in the supply chain: Security obligations no longer stop at the company’s door—third-party contracts and vendor controls matter.
- Incident readiness: Whether under NIS2, DORA or CRA, organisations are expected to detect, report and respond to incidents within tight timeframes.
- Board-level responsibility: Both NIS2 and DORA explicitly impose compliance duties on the management body with potential liability for failure to act. While the CRA does not mention personal accountability, it requires organisation-wide processes that inevitably fall under executive oversight.
Non-compliance isn’t just theoretical. Fines can reach €10 million or 2% of global turnover, with board liability and reputational damage as very real risks.
Cresco: Your Legal Firewall
We assist clients in turning cybersecurity requirements into concrete legal action. From compliance frameworks to contract updates and board briefings, we help businesses stay ahead of both regulators and attackers.
TechReg Checklist
Want clarity on your regulatory obligations? Our tailored TechReg Checklist maps which EU rules apply to your tech, explains why, and gives you clear, practical next steps. Delivered as a concise legal memo: no generic advice, just what matters to your business.
Olivier Van Raemdonck, Managing Partner
Ward Verwaeren, Managing Associate
Axel Desmet, Associate