Belgium published first, France went deeper. Belgium's CCB released CyFun well before the October 2024 NIS 2 transposition deadline, built on NIST CSF and officially mapped to ISO 27001/27002. France's ANSSI published ReCyF, but as of March 2026 the underlying legislation still has not passed - making it a technically superior but legally unenforceable framework. Bottom line: ISO 27001-certified organisations in Belgium are largely compliant with a manageable gap list. The same organisations in France still have significant work ahead - and no hard deadline yet to do it by.

Table of Contents

  1. Introduction
  2. Belgium - The Head Start (4-level architecture, control counts, ISO 27002 clusters, what key measures are and why they matter, self-assessment)
  3. France - The Thorough Approach (the objectives-and-means architecture, still waiting for the law, ISO alignment, ANSSI's own assessment)
  4. ISO 27002 Mapping as a Common Anchor
  5. The Divergences
  6. Practical Implications

Part I: Introduction - One Directive, Two Answers

When the EU adopted NIS 2 (Directive 2022/2555) in December 2022, it set a clear expectation: member states had until October 17, 2024 to transpose its requirements into national law. What followed, at least across the Franco-Belgian border, is a study in contrasting regulatory cultures, institutional histories, and practical philosophies.

NIS 2 expanded covered sectors from 7 to 18, lowered size thresholds, made supply chain security and multi-factor authentication explicit obligations, and - most significantly - introduced Article 21's detailed list of required risk management measures. What the directive deliberately does not do is specify how each measure should be implemented. That granularity was left to member states, producing genuine policy diversity: two technically credible frameworks that are compatible at the technical level but structurally different in regulatory philosophy, timing, and practical demands.

The timeline below tells the story at a glance. Belgium formalised an existing, mature framework and published its official cross-framework mapping nine months before the deadline. France is still working through its legislative process 18 months after that same deadline.


Figure 1: NIS 2 transposition timeline. Belgium met the October 2024 deadline; France's transposing law remains a bill as of March 2026.


Introduction

For years, we’ve all heard it: “Cyber threats are on the rise.” But how much is hype, and how much is reality?

According to the IRIS 2025 report by Cyentia, it’s not hype. Since 2008, the number of publicly reported cyber incidents has increased by over 650%, climbing from 450 to nearly 3,000 per quarter.

But here’s the nuance that matters: this rise isn’t just about more attacks. It’s also about how attackers evolve, how we detect threats, and how regulation drives transparency. From the stealthy era of APTs to the ransomware boom and the pandemic’s IT transformation, every major spike has a cause.

As risk managers and CISOs, this isn’t just trivia—it’s critical context. Understanding these shifts helps us future-proof our strategies, rather than plan for a past that no longer exists.

Europe's Most Influential CISOs of the Year 2024

Below is an interview originally conducted by CIO-World, in which I was recognized as one of Europe’s Most Influential CISOs of 2024. The discussion goes beyond technical security and focuses on leadership: the core capabilities a CISO needs today, how regulatory frameworks can be used as strategic enablers of resilience, and how security leaders can operate credibly and effectively within the C-suite. It also explores the growing convergence of technology, governance, and compliance.

The original can be found at CIO-World.

As financial technology (FinTech) evolves rapidly, it faces an increasing number of cyber threats. Cybercriminals are constantly finding new ways to exploit weaknesses in payment systems, putting billions of dollars and countless identities at risk. A staggering statistic reveals that up to 75% of customers worldwide now use at least one FinTech service, a number projected to grow as more people embrace digital payments and online banking.

Source: CIO World 

Meet Thierry Zoller, the Chief Information Security Officer at J.P. Morgan Mobility Payments Solutions S.A. (Ed. note: now Julius Baer), whose mission is to stay one step ahead of these digital predators. With nearly three decades of experience in cybersecurity, Zoller brings a unique blend of technical expertise and strategic vision to one of the world’s largest financial institutions. His journey from a curious teenager in Luxembourg to a leading figure in global information security is an example of the power of passion and perseverance.

Thierry’s fascination with technology began early, driving him to explore the inner workings of systems and networks. This curiosity led him to dive deep into reverse engineering and system vulnerability analysis, skills that would become invaluable in his future roles.

His career has been marked by a series of high-profile positions, including Head of Security Risk and Compliance Europe for Amazon and CISO for Amazon Payments. These experiences have honed his ability to navigate the complex intersection of technology, finance, and security.

At J.P. Morgan, he faces his most challenging task yet: securing the future of mobile payments in an increasingly cashless world. His approach combines futuristic technology with a deep understanding of human behavior, recognizing that the weakest link in any security system is often the user.

Thierry’s impact extends far beyond his corporate role. As a prolific blogger and researcher, he has coordinated the disclosure of over 100 vulnerabilities and released numerous free security tools. His work has been cited in books and peer-reviewed papers, cementing his status as a thought leader in the field.

The 45-year-old security expert’s commitment to knowledge sharing has been a cornerstone of his career. This philosophy drives his continued efforts to educate and empower the next generation of cybersecurity professionals, contributing significantly to the global information security community.

N-th Party Risk (Thierry ZOLLER)

The responsibilities of vendors, suppliers, and service providers have grown increasingly important in the dynamic digital economy. The growing digitalisation and reliance on third-party entities significantly enhances business operations while concurrently introducing a spectrum of security risks.

Recognising these challenges, regulatory supervisors have been actively creating frameworks over the years to make sure that financial entities in particular appropriately handle and mitigate the risks of security incidents that could directly affect their operations.

The adoption of specific guidelines by the European Banking Authority (EBA) in marked a substantial acceleration of the shift towards a more security-conscious approach when interacting with third parties. These guidelines were a significant advancement in highlighting the important security aspects to take into account while working with third parties. 

However, with the recent final Regulatory Standards published, the Digital Operational Resilience Act (DORA) is further evolving the requirements and expectations in light of multiple high-profile breaches involving third parties and the supply chain. The entry into force of this European Regulation, which takes effect in January 2025, marks the beginning of a new era in third party security management. 

It signals a time when strict compliance and proactive risk management are more important than ever in third-party contacts, and it also emphasises the significance of operational resilience and indicates a heightened response to the changing threat landscape.

While researching the state of the art in "third party" risk management I came across a report recently published by Wade Baker, Ph.D. and the Cyentia Institute titled “Risk to the Nth-Party Degree: Parsing the Tangled Web".

In true Cyentia Institute fashion the report is data-driven and provides plenty of opportunity for the data science geeks amongst us to rejoice - for the others, it is one of the first publicly available reports providing data analysis on the matter.

The Report highlights a crucial aspect that is often overlooked in risk management: vendor risk extends beyond direct third parties.

What really is "third party" risk?


What is Psychological Safety?

Psychological safety is a concept that refers to an individual's perception of the consequences of taking an interpersonal risk in a work environment. It involves feeling safe to express oneself without fear of negative consequences to self-image, status, or career. In a psychologically safe team, members feel accepted and respected. This environment allows for open communication, creativity, and innovation, as individuals feel comfortable sharing their ideas, questions, concerns, and mistakes without fear of ridicule or retribution.

Amy Edmondson - TED Talk (Building a psychologically safe workplace)
https://www.youtube.com/watch?v=LhoLuui9gX8