There is a moment in every security conversation where we stop talking about risk and start talking about reality.
For Belgian companies, that moment has already passed.
Not because of a single catastrophic event. But because of something more uncomfortable: a continuous stream of incidents, leaks, ransomware claims, supplier compromises, and data extraction that now forms a steady baseline rather than an exception.
And yet, most organisations still describe cyber incidents as "events".
A The baseline has shifted — and it's measurable
The Centre for Cybersecurity Belgium (CCB) recorded 635 incident notifications in 2025, a ~70% increase year-on-year, with 556 confirmed cyber incidents alone.
That growth is not just "more reporting". It reflects three structural changes:
- Mandatory reporting pressure (NIS2 / DORA)
- Better detection inside organisations
- And, most importantly: more real attacks
We are not dealing with a spike. We are dealing with a new equilibrium. And that equilibrium includes:
- Account compromise as the dominant entry vector
- Phishing at industrial scale
- Ransomware that increasingly includes data theft as default
B Case studies
Case 1 Fountain — ransomware is no longer just encryption
In March 2026, Belgian listed company Fountain confirmed a ransomware attack with data exfiltration. What matters is not the brand, but the pattern:
- Intrusion
- Data access
- Extraction
- Public claim by a ransomware group
- "No significant financial impact expected" (at least initially)
The shift is subtle but fundamental: companies are no longer just losing availability — they are losing control over information asymmetry. And that asymmetry is what attackers monetize later.
Case 2 Healthcare — when suppliers become the attack surface
One of the most revealing Belgian incidents of 2026 wasn't a single hospital breach. It was a multi-hospital collapse through a shared supplier.
A ransomware incident affecting AZ Monica triggered a broader investigation, which showed at least five Belgian hospitals impacted via shared patient registration software, with ~71,000 records exposed or found on the dark web.
This is the uncomfortable truth of modern ecosystems: you do not need to be breached to be compromised. You only need to be integrated.
Case 3 Municipal and public sector incidents
In April 2026, the municipality of Temse disabled IT systems following suspicious activity linked to a cyberattack investigation. This fits a broader pattern:
- Local government disruption
- Temporary shutdown of administrative services
- Investigation-led uncertainty
- No immediate clarity on data exposure
Public sector incidents increasingly follow a predictable arc:
- Detection of anomaly
- Shutdown "out of caution"
- Investigation
- Gradual confirmation of scope
- Delayed disclosure of impact
For citizens, the result is frustration. For attackers, it is success even without confirmed data theft — because disruption itself has value.
Case 4 The silent majority — SMEs and underreported impact
Beyond high-profile incidents, data from Belgian business surveys shows a more uncomfortable reality:
But the real issue is not the percentage. It is the interpretation. Most SMEs still classify incidents as "IT problems", "email issues", or "temporary disruptions" — not as credential compromise, data exposure, or supplier-chain infiltration.
C What attackers are actually extracting in 2026
Across Belgian incidents in 2025–2026, the extracted data types are consistent:
Identity data
- Names, email addresses, phone numbers, login credentials
Authentication data
- Password hashes, session tokens, MFA bypass vectors (often indirectly via phishing)
Operational data
- Internal documents, ticketing systems, supplier dashboards, configuration files
Sensitive sector data
- Healthcare records (hospital-related breaches), customer telecom data (e.g. SIM-related identifiers)
D The real threat model — slow accumulation, not sudden breach
If there is a misconception that still dominates boardrooms, it is this: "We will notice when something big happens."
But modern cyber incidents don't behave like that. They behave like:
- Credential harvesting over weeks
- Low-noise persistence in SaaS systems
- Gradual privilege escalation
- Delayed monetization
E Why Belgium is particularly exposed
Belgium sits in a structurally interesting position:
- High density of EU institutions
- High concentration of SMEs
- Heavy dependence on external SaaS and cloud ecosystems
- Strong regulatory environment (NIS2 / GDPR enforcement pressure)
That combination creates a paradox: high compliance maturity, but uneven operational maturity. Meaning: policies exist, awareness exists — but execution depth varies dramatically. Attackers exploit that gap.
F The uncomfortable conclusion
If you map Belgian cyber incidents in 2026, a pattern emerges. It is not a landscape of isolated breaches. It is a connected system of repeated exposure points:
- Identity systems repeatedly compromised
- Suppliers repeatedly reused across sectors
- Phishing still dominating initial access
- Data repeatedly extracted and repackaged later
It is: "Which part of us has already been used, quietly, without us noticing yet?"
Closing reflection
Security conversations often end with solutions. But awareness begins elsewhere. It begins with accepting that breaches are not rare events anymore, that data extraction is the default objective, and that most organisations are not dealing with incidents — but with continuity of compromise risk.
Belgium is not an outlier in Europe. It is a mirror. And what the mirror shows in 2026 is simple:
G Named incidents: the 2026 record
The chapters above outline patterns. This one names names. These are confirmed or credibly reported Belgian incidents from 2025–2026, with known scope, threat actors, and sector context.
G1 Orange Belgium — 850,000 telecom accounts (July 2025)
In July 2025, attackers gained access to 850,000 Orange Belgium customer accounts. The data published in early 2026 included:
- Full names and phone numbers
- SIM card numbers and PUK codes
- Tariff plan data
Responsibility was claimed by the Warlock ransomware group, though Orange Belgium did not publicly confirm the attribution. What makes this incident structurally dangerous: SIM + PUK combinations are a direct enabler of SIM-swap attacks, allowing account takeovers across banking, identity, and enterprise platforms long after the breach itself.
G2 AZ Monica, Antwerp — ransomware disrupts critical care (January 2026)
A ransomware attack on AZ Monica hospital in Antwerp resulted in:
- Seven critical-care patients transferred to other hospitals by the Red Cross
- Cancellation of radiological exams, medical imaging, and chemotherapy
- Days-long disruption to emergency intake and ambulance routing
This was not a novel attack vector. It was a confirmed worst-case scenario that the sector had modelled but not fully prepared for. The dwell time before detection remains undisclosed.
G3 ChipSoft supply chain — three hospitals, one vendor (April 2026)
Dutch healthcare software vendor ChipSoft was hit by ransomware in April 2026. The blast radius reached Belgium immediately, taking down patient portals at:
- Hospital aan de Stroom
- Hospital Oost-Limburg
- Hospital Delta
Affected platforms: medical record access, appointment management, and healthcare document retrieval — all platforms holding sensitive patient data for tens of thousands of patients. None of these hospitals were directly attacked. All three lost operational access through a single shared dependency.
G4 Efficy CRM — 43 GB leaked (March 2026)
Belgian CRM vendor Efficy had 43 GB of data exfiltrated and published by threat group Coinbasecartel. Discovery date: March 30, 2026. Efficy serves mid-market and enterprise clients across Belgium and Europe — meaning the downstream exposure extends well beyond the vendor itself into its entire client base.
This is the vendor-as-multiplier pattern: a single B2B software company becomes a pivot point for dozens of organisations that trusted it with customer and operational data.
G5 Qilin ransomware — healthcare double-strike (March 2026)
Within a 24-hour window in late March 2026, ransomware group Qilin claimed two separate Belgian healthcare targets:
- Louise Medical Center — March 26, 2026
- Fondation Boghossian — March 27, 2026
The 24-hour gap between two unrelated healthcare victims is not a coincidence. It reflects deliberate sector targeting: healthcare organisations share infrastructure, insurance profiles, and supplier ecosystems, which makes them efficient targets for groups running parallel campaigns.
G6 NoName057(16) — OpBelgium DDoS campaign
Pro-Russian hacktivist group NoName057(16) launched a coordinated DDoS campaign under the label OpBelgium, targeting Belgian institutions following Belgium's decision to supply Caesar artillery to Ukraine. Confirmed targets included:
- Parliament of Wallonia
- ENGIE Electrabel — Nuclear Plant Doel
- National Social Security Office (ONSS/RSZ)
- citydev.brussels
- Brussels Institute of Statistics and Analysis
- Wallonia-Brussels Federation
- Centre for European Policy Studies (CEPS)
The Centre for Cybersecurity Belgium (CCB) pre-warned targeted organisations via public announcements, allowing some to implement DDoS mitigation before the wave hit. The group announced attacks in advance on its own channels — treating disruption as a public performance as much as a technical objective.
G7 Van Eycken — Akira ransomware (January 2026)
Belgian company Van Eycken was claimed by the Akira ransomware group on January 22, 2026. Akira is known for double-extortion: encrypt first, exfiltrate second, publish if unpaid. The incident adds to a pattern of Belgian SMEs and mid-sized companies appearing on ransomware group leak sites without prior public disclosure.