How do you ensure efficient, ongoing compliance management?
Published on 03/06/2025 in Expert talks
The deadlines for NIS2 and other security standards are not the end of the story. Rolf Coucke, Security Strategy Lead at Proximus NXT, sees compliance as an ongoing process, with continuous follow-up as a major challenge. “A GRC framework is essential.”
One quarter of Belgian businesses had to contend with a cybersecurity incident in the past year. That is revealed by the 2025 Proximus NXT Cybersecurity Report. For the third consecutive year, over 40% of the respondents expect the number of cybersecurity incidents or their impact to increase further this year. Cybersecurity remains a top priority for Belgian businesses, especially in the light of new legislation such as NIS2.
Achieving and maintaining NIS2 compliance
“The NIS2 legislation is an important tool in raising the level of cyber resilience,” says Rolf Coucke, Security Strategy Lead at Proximus NXT. “With stricter rules and a broader scope, NIS2, like other standards such as DORA, compels businesses to proactively improve their digital security and guarantee the continuity of critical services. That has involved, and still involves, a lot of work, but the challenge of maintaining the implemented processes and security measures afterward will be at least as great.”
A well-integrated GRC framework is essential in remaining compliant and achieving strategic goals.
Rolf Coucke, Security Strategy Lead at Proximus NXT
A Governance, Risk & Compliance (GRC) framework makes it possible to ensure permanent observance of the NIS2 guideline and other security requirements. “GRC integrates three dimensions of cybersecurity into one comprehensive approach. It unites all aspects of security management and prevents blind spots. In a world in which risks and regulations are constantly changing, a well-integrated GRC framework is therefore essential in remaining compliant and achieving strategic goals.”
Follow-up as bottleneck
Rolf sees the importance of compliance within the GRC triangle sharply increasing. “Compliance refers to monitoring of the measures taken and was already present in legislation such as DORA and NIS1. NIS2 is based on the principle that, depending on the type of entity, you are able to demonstrate that you have taken all the required measures, either proactively or after an incident. In addition, compliance goes beyond the legal obligations. Many businesses and organizations consider it an essential prerequisite for their business relations.
Compliance thus becomes a requirement for customers and suppliers. It is an existential factor in doing business effectively, not only within Europe but also worldwide. Security compliance is an important differentiator in landing deals.”
The way in which an organization implements compliance varies widely and depends, among other things, on the nature and scope of the activities. Various standards allow you to demonstrate that you, as an organization, fulfil the NIS2 requirements. “ISO 27001 is best known internationally as a standard for information security. The Centre for Cybersecurity Belgium (CCB) has also developed a certification program that is coordinated with the different levels of its own Cyberfundamentals framework.”
Many organizations make every effort to achieve such a certification for a certain period and call on external consultants in the process. According to Rolf, the challenge lies, however, in the follow-up after implementation and departure of the consultants. “The underlying organization is often inadequately prepared to ensure ongoing observance. The internal knowledge and availability are too minimal, so that the maturity built up quickly declines and compliance is jeopardized.
To give an idea, the average lifespan of a security governance profile in a business is 18 to 24 months. The evolving regulations and constantly changing threat landscape make it extra difficult to close that gap.”
The greatest challenge lies not in achieving a certain maturity, but in maintaining it.
Rolf Coucke, Security Strategy Lead at Proximus NXT
Governance, Risk and Compliance as a Service
To address that discrepancy, Proximus NXT has developed Governance, Risk and Compliance as a Service, or simply GRCaaS, which automates the compliance process to a large degree. “Compliance is aimed at exposing risks. You rank those risks via a score on the basis of impact, probability and the type of application (systems, applications, business processes).
The score determines the urgency and the measures required to manage that risk. GRCaaS gives an overview of those flows, monitors them automatically and makes it possible to check and establish whether the measures are being observed in practice.”
GRCaaS automates 90 to 95% of the follow-up of security checks, so that the dependence on internal and external knowledge decreases. “The security manager can work with this independently and, for example, consult with a specialist from Proximus NXT monthly to focus on nonconformities that put pressure on the security measures, increase risk or undermine compliance.”
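The scoring and follow-up loop described in the two passages above (rank risks by impact, probability and asset type; derive urgency; check whether the measures are actually observed and surface nonconformities) can be illustrated with a small risk register. This is an added example, not Proximus NXT's GRCaaS code: the asset-type weights, urgency thresholds, evidence ages, risk names and dates are all constructed assumptions for illustration.

```python
"""Added example (not Proximus NXT's GRCaaS): a minimal risk register that
scores risks by impact x probability weighted by asset type, ranks them,
maps the score to an urgency level, and flags controls whose evidence is
missing or stale. Weights, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed weights per asset type: a business-process failure is rated more
# severely than a single system or application failure.
TYPE_WEIGHT = {"system": 1.0, "application": 1.2, "business process": 1.5}


@dataclass
class Control:
    """A security measure plus the evidence that it is being observed."""
    name: str
    last_evidence: Optional[date]  # when the measure was last verified
    max_age_days: int              # how often the evidence must be refreshed

    def observed(self, today: date) -> bool:
        """True only if evidence exists and is not older than max_age_days."""
        if self.last_evidence is None:
            return False
        return today - self.last_evidence <= timedelta(days=self.max_age_days)


@dataclass
class Risk:
    name: str
    impact: int        # 1 (negligible) .. 5 (critical)
    probability: int   # 1 (rare) .. 5 (almost certain)
    asset_type: str    # key of TYPE_WEIGHT
    controls: List[Control] = field(default_factory=list)

    def score(self) -> float:
        """Impact x probability, weighted by the type of asset at stake."""
        return round(self.impact * self.probability * TYPE_WEIGHT[self.asset_type], 1)


def urgency(score: float) -> str:
    """Assumed thresholds that turn a score into an action priority."""
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest score first, so the most urgent risks are handled first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def nonconformities(risks: List[Risk], today: date) -> List[Tuple[str, str]]:
    """(risk, control) pairs whose evidence is missing or out of date."""
    return [(r.name, c.name) for r in risks for c in r.controls
            if not c.observed(today)]


# Constructed sample register and reference date.
TODAY = date(2025, 6, 3)
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing VPN gateway", 5, 4, "system", [
        Control("Monthly patch report", date(2025, 5, 20), 30),
        Control("Quarterly vulnerability scan", date(2025, 1, 15), 90),
    ]),
    Risk("Payroll process without segregation of duties", 3, 3, "business process", [
        Control("Approval workflow review", None, 180),
    ]),
    Risk("Legacy reporting app lacks MFA", 2, 4, "application", [
        Control("MFA enforcement check", date(2025, 6, 1), 30),
    ]),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{r.score():>5} {urgency(r.score()):<8} {r.name}")
    print("Nonconformities:", nonconformities(SAMPLE_RISKS, TODAY))
```

Running the module prints the ranked register and the two stale or missing controls; in a monthly review those two pairs are exactly the items a security manager would take to the specialist, while the rest of the follow-up needs no human attention.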
Focus on core tasks
Rolf sees a number of advantages for businesses and organizations. “With GRCaaS, the standard follow-up costs for compliance are sharply reduced. Thanks to the automation and accompanying support, the internal IT and security experts can focus better on their core tasks. In one stroke you also relieve the burden on the underlying business, inasmuch as the entire organization bears shared responsibility for monitoring all the security measures. Moreover, the improved overview simplifies preparing and conducting audits.
GRCaaS makes security clearly comprehensible up to the level of the CEO, through the IT employee and HR, and to the board of directors, with relevant dashboards. In addition, that takes place without major changes in terms of processes or structures.”
Rolf stresses that the greatest challenge in the field of compliance lies not in achieving a certain maturity, but in maintaining it. For a variety of reasons, he considers GRCaaS the right way to achieve that goal.
Rolf Coucke
Rolf Coucke has built up a rapidly expanding team of over 25 security consultants. With a robust background in information security, Rolf brings over 20 years of professional experience from organizations such as EY and Smals. Since joining Proximus in 2015, Rolf has dedicated himself to advancing security practices and fostering a secure digital environment for all clients.