Almost 60% of SMBs do not know if they need to comply with new EU Cybersecurity regulations

Ahead of Cybersec Europe 2025, Proximus NXT has released its sixth annual cybersecurity report, conducted in collaboration with its affiliate Proximus NXT Luxembourg. According to the report, 56% of very large companies reported an increase in cybersecurity incidents in 2024, and almost six in 10 Belux SMBs do not know or are not sure if they need to comply with the NIS2 regulation.

For the sixth consecutive year, Proximus NXT and Proximus NXT Luxembourg surveyed how companies in Belgium and Luxembourg deal with cybersecurity. More than 190 CEOs, CIOs, and other decision-makers responsible for cybersecurity participated, resulting in the report 'The impact of cybersecurity threats on companies in the Belux'.

Very large companies report an increase in cyber incidents, whereas SMBs often do not know whether they have been hit

The percentage of very large companies (> 2,000 employees) that suffered an incident in the last 12 months increased from 45% in 2023 to 56% in 2024. The report defines a cybersecurity incident as any event that has affected the confidentiality, integrity or availability of an organization's information systems and/or has led to a loss of productivity, legal consequences, reputational damage, data loss, etc.

Among SMBs, 5% report that they do not know whether they were affected by a cyber incident in the past 12 months. Among companies with fewer than 10 employees, this rises to 9%. The smaller the company, the higher the reported uncertainty about having experienced a cybersecurity incident in 2024. For reference, according to the most recent Statbel data, 95.9% of Belgian companies are micro-enterprises, so the potential impact cannot be neglected.

The report also shows that SMBs affected by a cybersecurity incident do not always know exactly what caused it. Around one in eight (13%) affected SMBs were unsure whether the reported breaches were intentional or accidental. This contrasts with larger businesses, which typically do know the cause of their cybersecurity incidents.

The impact of cybersecurity incidents should not be underestimated

The report also reveals the multifaceted impact of cybersecurity incidents on companies in the Belux: 56% of affected respondents reported costs and resources linked to the reporting of incidents, 40% experienced disruption to their activities, 33% experienced reduced productivity and a quarter incurred reputational damage. In most cases, however, the disruption lasted less than a week.

Cyber incidents can lead to critical financial losses, operational disruptions, and legal liabilities. Understanding the economic impact of these threats is essential for enterprises striving to safeguard their assets and maintain customer trust.


For reference, among large companies, every affected company was certain about the cause of its incident. It might seem a trivial statistic, but it is very telling: it shows that cybersecurity maturity among SMBs is lower, especially in terms of detection and response capabilities. If you do not know the cause of an incident, how can you learn from it, adapt, or improve your cybersecurity processes and policies?

The EU NIS2 Directive indirectly impacts many Belux SMBs, but almost 60% do not know whether they need to comply

Almost six in 10 Belux SMBs do not know or are not sure whether they need to comply with the NIS2 regulation, which took effect in October 2024. The EU Directive requires in-scope organizations to adopt strict security measures for their network and information systems, including those underpinning critical infrastructure. The goal is to strengthen the security of network and information systems across the EU and to ensure the resilience of society and the economy against cyber threats.

The NIS2 Directive covers organizations operating within 18 sectors as soon as an entity employs at least 50 people or has an annual turnover (or balance sheet total) of more than 10 million euros, but that is not all. Certain types of entities, such as DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks, fall within scope regardless of their size. In addition, organizations covered by NIS2 must address supply-chain security, which includes assessing the cybersecurity measures of their direct suppliers and service providers. The fact that a company does not meet the general size criteria of the law therefore does not mean that it is automatically exempt from NIS2 requirements: a small supplier to an in-scope entity can expect to be held to comparable standards contractually.


The NIS2 Directive should be seen as an opportunity to strengthen organizational resilience. It is designed to help businesses better protect themselves in an increasingly complex digital landscape. At Proximus NXT, our diverse team of specialists, backed by a robust ecosystem of security partners, is here to support business customers in enhancing their cyber resilience. When needed, we guide organizations through every step of the NIS2 compliance journey and help ensure ongoing adherence. This expert guidance is delivered by seasoned Proximus NXT professionals through our CISO-as-a-service offering.