The latest Baromètre de la Transformation Numérique published by l’Agence du Numérique sends a shockwave across Wallonia: 46% of companies operate without any form of cybersecurity policy. This number, already deeply worrying at a regional level, should be read not as a local anomaly but as a symptom of a larger European imbalance.
What happens today in Wallonia is not an isolated structural weakness. It is a reflection of a much broader challenge across Europe: the existence of vast pockets of organisations — SMEs, local authorities, subcontractors, digital newcomers — that remain dangerously unprepared, precisely at the moment when the European Union is imposing the most ambitious cyber regulation in its history.
The Walloon figure is not merely a statistic. It is a mirror in which many European regions could see themselves if they had the courage to measure cyber maturity with the same honesty. And it is a mirror that reveals a truth we prefer not to acknowledge: Europe’s cyber resilience will not be determined by its strongest actors, but by its weakest ones.
Wallonia as a Warning Signal, Not an Outlier
Wallonia’s 46% rate of companies with no cyber policy at all is alarming for several reasons. It shows that almost half of all companies lack formal governance, have no documented risk management approach, no incident response procedure, and, in many cases, no clear understanding of what constitutes critical digital assets.
But the most important lesson is not Wallonia itself — it is what Wallonia reveals about Europe. Similar patterns exist in parts of France, Italy, Spain, Portugal, Greece, Eastern Europe, and even within regions of Germany or the Netherlands where SMEs dominate the economic landscape.
The European Union frequently quotes averages — average maturity, average investment per sector, average adoption rates — but averages hide asymmetry. Beneath the surface lies a dangerous segmentation: a population of organisations that are highly mature, regulated, well-resourced and well-advised… and a vast ecosystem of SMEs, subcontractors, public institutions and micro-enterprises that lack both resources and expertise.
Wallonia’s 46% is simply one of the first figures to reveal the size of the iceberg. And this is what should concern us.
Europe’s Real Problem Is Not Its Leaders, but Its Laggards
In Europe, we often celebrate the cyber excellence of leading companies: the banks that deploy advanced SOCs, the operators of essential services that follow robust standards, the major industrial groups that align with ISO 27001 or IEC 62443. This narrative is comforting but deeply misleading.
The reality is that Europe operates as a network, where the security of one depends on the security of all. A sophisticated cybersecurity posture at the top of the chain is worthless when suppliers, subcontractors or local partners remain unprotected.
This fragmentation is precisely what attackers exploit. Ransomware operators, cybercriminal groups and state-backed actors have understood that targeting the weakest links offers the best return on investment. An unprotected SME becomes an entry point to a multinational; a vulnerable municipality becomes a gateway to a national information system; a subcontractor becomes the ignition point for a sector-wide crisis.
This vulnerability is not theoretical. It has already materialised in numerous European incidents where the smallest actor became the initial vector for massive disruptions.
Wallonia’s data simply illuminates a European truth: cybersecurity is no longer about protecting organisations individually, but about protecting entire ecosystems. And ecosystems collapse at their weakest points, not their strongest.
NIS2: A European Regulation Threatened by Local Weaknesses
The adoption of NIS2, the EU’s most ambitious directive on cybersecurity, marks an important milestone. It expands the number of obligated entities from roughly 15,000 to more than 160,000, introduces strict governance principles, imposes accountability on leadership, and raises the standard for risk management, supply chain security, incident reporting and crisis communication.
However, NIS2 introduces a paradox:
While the requirements are European, the readiness is local.
A directive is only as strong as the ability of organisations to comply with it. And herein lies the problem: when nearly half of a region’s companies have no cyber policy, compliance becomes a distant objective.
NIS2 presupposes:
- the existence of structured leadership
- a risk-based approach
- documented processes
- a capacity for incident reporting
- supply chain supervision
- mandatory training
- executive accountability
Yet, in many regions — Wallonia included — the basic scaffolding for these requirements simply does not exist. The continent cannot move at a uniform speed. And this uneven readiness is the Achilles’ heel of European cyber resilience.
If NIS2 is to succeed, it is not the top 20% of mature actors that must accelerate. It is the bottom 40% — the companies that, like the 46% in Wallonia, lack even the foundations.
The Continental Danger of Leaving Half the Economy Unprotected
The absence of a cybersecurity policy is more than a compliance issue. It is a threat multiplier. When economic systems grow increasingly interconnected — through cloud adoption, digital transformation, supply chain automation, cross-border data flows — regional vulnerabilities become continental risks.
A company without governance cannot detect an intrusion early, cannot report it quickly, cannot contain it effectively, and cannot communicate transparently.
It becomes a blind spot in a network that relies on early detection and collective response.
The cybercriminal ecosystem does not recognise regional borders or linguistic boundaries.
If Wallonia remains vulnerable, Belgium becomes vulnerable.
If Belgium remains vulnerable, Europe’s digital supply chain becomes vulnerable.
And if Europe is vulnerable, its digital sovereignty is at risk.
This is why the 46% figure must be interpreted as a structural alarm: vulnerabilities at the periphery destabilise the centre.
A European Response Must Begin with the Least Prepared
If we accept the premise that Europe’s security depends on its weakest actors, then cybersecurity strategies must shift from focusing on excellence to focusing on inclusion.
Europe should not measure progress only by celebrating its champions. It must track — and correct — the gaps that define its fragility.
This means adopting a new paradigm: cyber resilience as a social contract, not a technical luxury. Every company, every local authority, every essential service provider — regardless of size — must reach a minimum level of cyber hygiene.
This minimum threshold should not be optional. It should not be left to market forces or voluntary adoption. It should become a shared obligation, supported by policy, funding, and continental coordination.
This is the only way NIS2 can fulfil its ambitions: by lifting the bottom of the pyramid, not by pushing only the top.
Europe Needs a Cyber Resilience Strategy That Does Not Leave Regions Behind
Europe’s digital future cannot be built on an uneven foundation. If regions like Wallonia, Andalusia, Bavaria, Lombardy or Occitanie show major gaps, these are not regional problems — they are European ones.
The EU must therefore embrace a strategy that includes:
- properly funded regional support structures
- harmonised cyber guidance for SMEs
- scalable security frameworks accessible to all
- cyber risk education integrated across sectors
- transparent maturity benchmarks
- public–private alliances capable of supporting the least mature actors
Europe needs to move from a model of “security by excellence” to a model of security by solidarity.
Conclusion: The Walloon Statistic Is Not Local — It Is European
The figure released by l’Agence du Numérique — 46% of companies in Wallonia with no cybersecurity policy — should be read as one of the clearest warnings issued this decade. It indicates not only a regional maturity gap, but a continental systemic vulnerability.
Europe must therefore understand what this data truly means.
It means that NIS2 compliance is at risk.
It means that supply chains are fragile.
It means that attacks will increasingly target the unprepared.
It means that digital sovereignty cannot coexist with structural inequality in cyber readiness.
If Europe wants to be resilient, it must focus not only on raising standards for the best prepared, but on enabling the least prepared to stand.
A chain does not break at its strongest link.
It breaks where no one expects it: where the policy is absent, where governance is weak, and where cybersecurity remains a distant priority.
The future of European cyber resilience will depend on the courage to confront this imbalance — and the determination to correct it, starting now.