LANDSCAPE OF CYBERSECURITY REGULATIONS
The Complex Landscape of Cybersecurity Regulations
by Erik Valgaeren, Lawyer at Stibbe
In today’s rapidly digitising world, the cybersecurity landscape is no longer just a technical concern—it's a legal and strategic imperative. At the BE-CEC conference in Brussels on March 27, 2025, Erik Valgaeren, a leading IT and cybersecurity lawyer at Stibbe, provided a sobering yet empowering perspective on how businesses can navigate the ever-expanding web of cybersecurity regulations. His central message was clear: the regulatory burden may be growing, but with clarity and strategic intent, companies can not only comply but emerge stronger and more resilient.
Real-World Incidents: Wake-Up Calls for Business
Valgaeren opened with a stark reminder—cyber threats are not theoretical. Belgium has seen high-profile cases such as the Proximus breach, allegedly involving state-sponsored espionage by the British intelligence agency GCHQ, and the cyberattack on aviation supplier Asco. These are not isolated incidents but symptomatic of a broader trend: cyberattacks are persistent, targeted, and increasingly sophisticated.
In these crises, Stibbe, Valgaeren’s firm, is often on the front lines—not only providing legal counsel but also managing the compliance fallout and reputational risk. The takeaway is simple: if you wait for a breach to prepare, you're already too late.
From GDPR to the Cyber Resilience Act: A Tangle of Acronyms with a Common Purpose
Valgaeren dissected the increasingly crowded regulatory environment, which many businesses find daunting. Yet, he emphasized that these regulations share a common goal: reinforcing digital trust and resilience.
- GDPR remains the cornerstone of data protection, mandating “appropriate technical and organizational measures”—effectively making cybersecurity a legal must.
- NIS2 significantly broadens the scope of mandatory cybersecurity risk management and reporting to include sectors such as energy, chemicals, and digital infrastructure.
- DORA, targeting financial entities, mandates operational resilience, including third-party risk oversight.
- The AI Act and Cyber Resilience Act extend these principles to AI systems and all digital products, respectively, introducing security-by-design and post-market surveillance obligations.
What’s more concerning is not just the volume of rules, but the rigor of enforcement. Regulatory authorities are growing in both power and assertiveness. As Valgaeren warns: “Compliance missteps now carry real legal and financial consequences.”
Grey Areas, Big Risks
One of the thorniest challenges is ambiguity. Because EU directives like NIS2 require national implementation, interpretations can vary across member states. Valgaeren gave real-world examples of businesses puzzled about their obligations—like a firm with solar panels wondering if it falls under “energy sector” rules, or a cleaning product manufacturer unsure if it’s covered by NIS2.
Other complex areas include:
- DORA: Which third-party vendors must be audited?
- GDPR: Who is the controller vs. processor in multi-layered IT ecosystems?
- AI Act: What exactly constitutes "high-risk" AI?
- Group Structures: How does parent-subsidiary liability work under NIS2?
These aren’t academic questions—they have direct implications for compliance, liability, and risk exposure.
M&A: The Cyber Blind Spot
Valgaeren highlighted a frequently overlooked vulnerability: cyber readiness in mergers and acquisitions. While businesses routinely assess legal, financial, and operational risks, they often neglect cybersecurity due diligence. In today’s threat environment, that’s a costly omission. Acquiring a company with poor cyber hygiene can mean inheriting latent breaches, regulatory liabilities, and reputational fallout.
Charting a Way Forward: From Chaos to Control
Despite the growing complexity, Valgaeren offered a pragmatic blueprint for businesses:
- Know the Scope – Conduct a regulatory impact assessment to understand which laws apply to your operations.
- Build Internal Expertise – Outsourcing helps, but organizations need in-house knowledge to make informed decisions.
- Prioritize Governance – Cybersecurity is not just IT’s job. It demands collaboration across legal, compliance, and executive teams.
- Strengthen Contracts – Clear, well-structured vendor agreements and policies reduce risk and ambiguity.
- Embrace Standards – Frameworks like ISO 27001 offer both protection and a shield in case of legal scrutiny.
- Review Insurance – Cyber insurance is a useful layer but must be part of a broader strategy.
- Educate Continuously – Compliance isn’t a one-time task. Ongoing training is essential.
And above all, Valgaeren reminded attendees of a fundamental legal principle: the duty of due care. Known in civil law as the standard of the bonus pater familias (the “good father of a family”, i.e. a reasonably prudent person), this principle means businesses are expected to act prudently. Regulatory compliance is, in many ways, simply formalizing that basic expectation.
Conclusion: From Regulation to Opportunity
Valgaeren closed on a positive note: “Cybersecurity compliance isn’t about fear—it’s about responsibility, resilience, and readiness.” Companies that take cybersecurity seriously aren’t just checking regulatory boxes—they’re gaining trust, protecting assets, and securing their long-term future.
In an age where digital risks can derail entire enterprises, navigating the regulatory storm isn’t just smart business. It’s essential leadership.