More attacks, more reporting: Belgium’s cyber reality in 2025

Cyber-Threat Report
Updated on 26.03.2026

Belgium’s cyber threat landscape in 2025 was marked by a dual trend: a sharp rise in hostile activity and a significant increase in incident reporting. 
The Centre for Cybersecurity Belgium (CCB) recorded 635 incident notifications, nearly 70% more than in 2024. Of these, 556 were cyber-related (+58% year-on-year). While stricter reporting requirements under NIS2 and DORA and improved detection capabilities played a role, the figures also reflect sustained and growing pressure on organisations across all sectors.

Key figures at a glance 

• 635 total incidents reported (+70%) 
• 556 cyber incidents (+58%) 
• 144 account compromise cases (top threat) 
• 105 ransomware incidents (stable but more impactful) 
• ~10 million phishing emails reported via Safeonweb 
 
Account compromise and phishing: still the primary entry point 

The most frequently reported incidents were account compromises (144 cases), largely driven by credential theft and abuse. 

Phishing continues to be a central enabler of cybercrime, and its scale is striking. The Safeonweb “BePhish” platform processed nearly 10 million suspicious emails in 2025, underlining the industrialisation of phishing campaigns. 

Attackers are evolving their techniques: 

  • Combining email with messaging platforms to increase pressure 
  • Using CEO fraud scenarios to trigger urgent payments 
  • Introducing “hands-on-keyboard” tactics such as ClickFix and FileFix, tricking users into executing malicious commands themselves  

Given the significant media attention around phishing, these findings reinforce that human-targeted attacks remain one of the most effective and scalable entry points.
 

Ransomware: fewer cases, greater impact

While ransomware incidents remained relatively stable (105 in 2025 vs. 109 in 2024), their impact has intensified. 
Attackers increasingly combine: 

  • Data encryption 
  • Data exfiltration 
  • Escalating extortion tactics 

Following the takedown of LockBit, the ecosystem has fragmented, with groups such as Qilin, Akira, and Clop among the most active targeting Belgian organisations. 
 

DDoS attacks: frequent, visible but effectively mitigated

Belgium was among the European countries most frequently targeted by pro-Russian hacktivist groups, primarily through Distributed Denial-of-Service (DDoS) attacks. 

Notably: 

  • The group NoName057(16) launched five coordinated campaigns in 2025
  • Attacks were often timed around geopolitical events  
  • Target lists were sometimes publicly announced in advance  

Despite the frequency of these attacks, their real-world impact remained limited. 

This is largely thanks to the CCB’s “Red Button” coordination procedure, which enables: 

  • Rapid, real-time response coordination  
  • Close collaboration between victims, ISPs, hosting providers, and authorities  
  • Effective mitigation of service disruptions

 
This demonstrates that preparedness and coordination can significantly reduce the visible impact of large-scale cyber operations, even when attack volumes increase. 
 

Faster attacks, less time to react

A major shift in 2025 concerned speed. The average time-to-exploit window between vulnerability disclosure and active exploitation dropped to five days, while nearly one-third of vulnerabilities were exploited within 24 hours. 

This leaves little room for traditional calendar-based patching cycles and reinforces the need for rapid, risk-driven prioritisation. 

Systemic risks: supply chain and credential theft 

The report also highlights broader structural weaknesses. Supply-chain incidents, where attackers compromise a widely used provider or software component, can create one-to-many effects across multiple organisations at once. 

Malware trends show that credential theft is increasingly central. Remote access tools and infostealers often serve as the first step in larger intrusions. 
 

CCB response: scaling defence and awareness

The CCB combined incident response with proactive defence: 

  • 103 emergency response operations, including forensic support  
  • 32,005 targeted “spear warnings” (+42%)  
  • Expanded DDoS mitigation via the Red Button procedure  
  • Increased awareness through:
      • Safeonweb phishing reporting (10 million suspicious emails reported in 2025)
      • Connect & Share programme (15 sessions, 13,000+ participants)
     

Looking ahead

The CCB anticipates persistence of the same core threat categories: account compromise, ransomware and DDoS, with attackers leveraging increased automation and artificial intelligence to scale their operations. The fundamental recommendations remain practical: strengthen identity security controls, implement risk-based rapid patching, enhance DDoS resilience, manage third-party supplier risks, and maintain sustained investment in user awareness and incident response preparedness.