The Centre for Cybersecurity Belgium (CCB) reported a sharp rise in cyber incidents and reporting activity in 2025, reflecting a more transparent but increasingly pressured threat environment. The surge is closely tied to the rollout of the NIS2 directive, which has driven broader participation from critical sectors and significantly increased incident disclosures, with reporting volumes rising by roughly 80% as organizations become more aware of obligations and detection improves.
At the same time, the data suggests the uptick does not necessarily indicate a proportional rise in attacks, but rather a clearer view of an already active threat landscape. Belgian organizations are facing a mix of cybercrime, state-linked activity, and supply chain risks, with attackers increasingly targeting operational disruption and data theft while exploiting interconnected systems. The findings point to a shift from underreporting to visibility, even as geopolitical tensions and regulatory pressure expose the scale and complexity of cyber risk across critical infrastructure and enterprise environments.
CCB disclosed on Thursday that a total of 635 incidents were reported, representing a 70% increase, including 556 confirmed cyber incidents, up 58% year over year. Account compromise emerged as the most common threat with 144 reported cases, while ransomware incidents stood at 105, remaining relatively stable in volume but increasing in impact. At the same time, nearly 10 million suspicious phishing emails were reported through the Safeonweb platform, highlighting the scale of ongoing phishing activity.
Account compromise and phishing continue to serve as the primary entry points for attackers. Most reported incidents involved credential theft and abuse, reinforcing the persistence of identity-based attacks. Phishing remains central to cybercrime operations, with campaigns becoming more industrialized and sophisticated.
Attackers are increasingly combining email with messaging platforms to create urgency, using CEO fraud scenarios to trigger rapid payments, and deploying hands-on-keyboard techniques such as ClickFix and FileFix to trick users into executing malicious actions themselves. Despite growing awareness, these trends underscore that human-targeted attacks remain among the most effective and scalable methods of compromise.
The cybersecurity agency data shows that ransomware incidents remained relatively stable, with 105 reported in 2025 compared to 109 in 2024. However, their impact has intensified. Attackers increasingly combine data encryption, data exfiltration and escalating extortion tactics. Following the takedown of LockBit, the ecosystem has fragmented, with groups such as Qilin, Akira, and Clop among the most active targeting Belgian organisations.
Belgium was among the European countries most frequently targeted by pro-Russian hacktivist groups, primarily through DDoS (distributed denial-of-service) attacks. In 2025, the group NoName057(16) launched five coordinated campaigns, often timed to coincide with geopolitical events, and in some cases publicly announced target lists in advance. Despite the frequency and visibility of these attacks, their real-world impact remained limited.
This resilience is largely attributed to the CCB’s ‘Red Button’ coordination procedure, which enables rapid, real-time response and close collaboration between affected organizations, internet service providers, hosting providers, and government authorities. The approach has proven effective in mitigating service disruptions, demonstrating that strong preparedness and coordinated response can significantly reduce the impact of large-scale cyber operations, even as attack volumes increase.
The CCB identified a major shift in 2025 around the speed of exploitation. The average time between vulnerability disclosure and active exploitation dropped to just five days, with nearly one-third of vulnerabilities exploited within 24 hours. This significantly reduces the effectiveness of traditional, calendar-based patching cycles and underscores the need for faster, risk-driven prioritization.
The report also highlights bigger systemic risks, particularly across supply chains and identity security. Supply chain incidents, in which attackers compromise widely used providers or software components, can create cascading one-to-many impacts across multiple organizations. At the same time, malware trends show that credential theft is becoming increasingly central to attack strategies, with remote access tools and infostealers often serving as the initial entry point for broader, more complex intrusions.
When it came to incident response, CCB combined reactive measures with proactive defence strategies. It carried out 103 emergency response operations, including forensic support, while issuing 32,005 targeted ‘spear warnings,’ a 42% increase year over year. The agency also expanded its DDoS mitigation capabilities through the Red Button coordination procedure. At the same time, it strengthened awareness efforts, with nearly 10 million suspicious phishing emails reported via the Safeonweb platform and more than 13,000 participants engaged across 15 sessions through its Connect and Share programme.
Looking ahead, the CCB anticipates persistence of the same core threat categories: account compromise, ransomware and DDoS, with attackers leveraging increased automation and artificial intelligence to scale their operations.
The recommendations are practical and focused on execution: strengthen identity security controls, adopt risk-based rapid patching, improve DDoS resilience, tighten management of third-party supplier risks, and sustain investment in user awareness and incident response preparedness.
Last March, the CCB noted that since the implementation of the NIS2 legislation last October, 2,410 organizations from critical sectors have registered, contributing to a total of over 4,500 organizations across various sectors. The initiative signifies the launch of the most extensive cybersecurity initiative in the country’s history. According to an estimate based on figures from the FPS Economy, approximately 2,500 organizations fall within the scope of NIS2. Consequently, it can be concluded that the vast majority have timely aligned themselves by registering.
