DDoS attacks are hitting Belgian companies harder and harder. In 2025, Cloudflare detected 47.1 million DDoS attacks worldwide, an increase of 121%. Belgium is in the top 10 most targeted countries. This guide explains how, as a Flemish company, you protect your digital availability with five concrete layers of protection, what the NIS2 law expects from you, and which VLAIO grants reduce the investment.
Your website is suddenly inaccessible. Customers can’t order. Employees can’t get to their cloud applications. The phone is ringing red hot. Not ransomware, not a data breach, but a DDoS attack flooding your servers with millions of fake requests.
For many Flemish companies, this scenario feels far away. But the reality is different. By 2025, DDoS attacks accounted for 77% of all cyber incidents in the European Union, according to the ENISA Threat Landscape report. Belgium is specifically targeted by pro-Russian hacktivist groups in retaliation for supporting Ukraine.
In this article, you will discover what protective measures you can take today, what the Belgian NIS2 law expects of you, and how VLAIO grants make the investment affordable.
What is a DDoS attack and why does it affect your business?
A distributed denial of service (DDoS) attack floods your servers with millions of simultaneous requests from thousands of hacked devices, called a botnet. The goal is not to steal data, but to make your digital services completely inaccessible to legitimate users.
There are three types of DDoS attacks:
| Type of attack | What is happening. | Target |
|---|---|---|
| Volumetric attack | Internet connection becomes saturated with massive amounts of data traffic | Bandwidth |
| Protocol attack | Network protocols are misused to overload servers or firewalls | Network layer (L3/L4) |
| Application layer attack (L7). | Fake requests mimic legitimate Web site traffic and exhaust the Web server | Web applications |
The technical scale of attacks is reaching records unthinkable just a few years ago. In November 2025, Cloudflare recorded an attack of 31.4 Terabits per second (Tbps), more than 700% more powerful than the largest attacks in 2024. The Aisuru botnet, composed of hacked Android TVs, launched attacks at more than 200 million requests per second.
What this specifically means for your business: a traditional firewall alone is no longer enough.
How hard is Belgium hit by DDoS attacks?
Belgium is among the most targeted countries in Europe. The CCB (Center for Cybersecurity Belgium) recorded a 58% increase in cyber-related incidents in 2025. DDoS swapped places with spear-phishing for third place in the ranking of most reported incident types in 2025.
The attacks are not random. Pro-Russian groups such as NoName057(16) are systematically targeting Belgium in retaliation for its NATO position and military support to Ukraine. In March and April 2025, some 130 Belgian organizations were added to their target list. The Constitutional Court, Beobank, the Province of Liege and the Federal Police were all affected.
In November 2025, Proximus customers experienced persistent Internet outages that resulted in professional and financial damage to thousands of Belgian companies. Not because those companies themselves were targeted, but because their Internet provider was affected.
Therein lies the real risk for Flemish SMEs: you don’t have to be a political target to suffer damage. When your Internet provider or cloud environment is hit, your business comes to a standstill.
What does a DDoS attack cost your business?
The financial impact of a DDoS attack goes beyond what you might expect at first glance. Recent data from Splunk and Oxford Economics points to an average cost of approximately 13,000 euros per minute of downtime by 2025, an increase of 150% in ten years.
| Cost item | Estimate per incident |
|---|---|
| Direct mitigation costs (IT hours, emergency consulting). | €48,000 to €410,000 |
| Revenue loss per hour (company with €5M annual sales) | €3.000+ |
| Loss of business opportunities and contracts | In 33% of victims |
| Increase in insurance premiums | In 26% of victims |
| Impact on credit rating | In 29% of victims |
SMEs are often more vulnerable than large enterprises. Whereas a multinational company can reroute traffic to another data center, a medium-sized company typically leans on a single Internet connection or dedicated cloud environment. Meanwhile, 89% of network layer attacks in 2025 end within 10 minutes, faster than an IT administrator can manually analyze the situation.
The result: the damage is often done before anyone can intervene.
The five layers of protection against DDoS attacks
Effective DDoS protection is not a matter of a single solution, but of multiple layers that reinforce each other. Below are the five layers that make up a robust defense.
Layer 1: upstream filtering at your Internet service provider
Your first line of defense starts with your ISP. Proximus NXT offers a “diversion/reinjection” architecture where only attack traffic is diverted to a scrubbing center, while legitimate traffic flows through. Telenet Business partners with Akamai and Arbor Networks for similar filtering.
Concrete action: ask your provider what DDoS protection is active by default and what options are available at an additional cost.
Layer 2: cloud-based DDoS mitigation
For businesses with critical online services, cloud solutions provide an extra layer of protection. Cloudflare, Akamai Prolexic and AWS Shield filter attack traffic before it reaches your network. Cloudflare offers basic protection against volumetric attacks even in the free plan.
Concrete action: evaluate whether your Web site and Web applications are behind a CDN with built-in DDoS protection.
Layer 3: network segmentation
By dividing your corporate network into protected zones, you limit the impact of an attack to the affected segment. Production systems, office workstations, servers and guest Wi-Fi belong in separate zones. Segmentation prevents an attack on one part of your network from taking everything down.
Concrete action: have a cybersecurity audit performed that maps your current network topology and identifies segmentation opportunities. Cyberplan conducts these audits for Flemish companies and provides a concrete roadmap.
Layer 4: automatic detection and rate limiting
Given the speed of modern attacks (peak volume within 35 seconds), manual intervention is hopeless. Automatic detection systems that recognize suspicious traffic patterns and apply rate limiting are indispensable. Web Application Firewalls (WAF) specifically protect against application layer attacks (L7).
Concrete action: verify that your firewalls and WAF are configured for automatic DDoS detection.
Layer 5: incident response plan
Does your team know what to do when systems become inaccessible? A clear playbook makes the difference between controlled action and panic. The plan describes who takes what action, how you communicate with customers and vendors, and when to bring in outside help.
Concrete action: establish a DDoS-specific scenario within your incident response plan. Cyberplan guides companies in creating and testing these scenarios.
What does the NIS2 law require around DDoS protection?
The Belgian NIS2 law (Law of April 26, 2024) imposes a duty of care on organizations in critical sectors. Article 21 specifies the mandatory risk management measures. The law does not mention “DDoS protection” literally, but the obligation to ensure availability and business continuity actually forces organizations to implement measures against DDoS attacks.
The CyberFundamentals (CyFun) framework, the practical guide to NIS2 compliance in Belgium, translates this into concrete controls by level:
| CyFun level | Number of checks | DDoS relevance |
|---|---|---|
| Basic | ~34 | Basic incident procedures and network security, stops approximately 82% of common attacks |
| Important | ~110 | Active monitoring and business continuity, direct DDoS mitigation required, covers approximately 94% of attack patterns |
| Essential | ~140-200 | Advanced threat detection and continuous monitoring similar to “always-on” DDoS protection |
Important: Essential entities must submit their first conformity assessment to the CCB by April 18, 2026. Directors may be held personally liable for negligence.
What VLAIO grants reduce the investment?
The Flemish government is making professional DDoS protection financially accessible through two grant programs.
SME portfolio (since Feb. 1, 2026, exclusively for cybersecurity):
- Small businesses: 45% subsidy
- Medium-sized enterprises: 35% subsidy
- Maximum: €7,500 per year
A cybersecurity audit that exposes your DDoS vulnerabilities is fully eligible for this grant.
VLAIO Cybersecurity Improvement Projects:
- 50% subsidy on assisted pathways
- From initial analysis (START) to solving complex security problems (PLUS)
- DDoS protection strategies and CyFun controls are integral part
Concrete math example: a €4,700 cybersecurity audit costs only €2,585 for a small business after subsidy. Thus, the investment is lower than the average cost of a single hour of downtime.
How does Cyberplan help your business?
At Cyberplan, we combine technical depth with a tailored approach to Flemish businesses. Our cybersecurity audit maps how resilient your organization is against DDoS attacks and other cyber threats. You get a concrete roadmap with priorities: from network segmentation to incident response, from provider configuration to monitoring.
With a team of 22+ certified cybersecurity experts (OSCP, CISSP, CEH, CISM) and experience with 300+ clients, we translate complex technical risks into understandable language and concrete actions. As a registered VLAIO partner, we also guide you through the grant application process.
Want to know how resilient your business is? Book a no-obligation introductory interview and find out within 30 minutes where your biggest risks lie.
Frequently asked questions about DDoS protection
Can an SME fully protect itself from DDoS attacks?
Complete immunity is impossible, but you can significantly increase your resilience. A combination of upstream filtering at your provider, cloud-based mitigation and network segmentation stops the vast majority of attacks. The investment outweighs the cost of a successful attack.
How long does an average DDoS attack last?
Most network layer attacks (89%) last less than 10 minutes. However, politically motivated campaigns by groups such as NoName057(16) can persist for several days due to the rotation of attack vectors and botnets. The short duration of common attacks makes automatic detection essential.
Is DDoS protection covered by the NIS2 obligations?
Yes. The Belgian NIS2 law requires organizations to ensure the availability of their services and business continuity. The CyberFundamentals framework translates this into concrete controls that include DDoS mitigation, as early as the Basic level.
What does professional DDoS protection cost for a Flemish company?
Costs vary widely depending on your infrastructure and desired level of protection. A cybersecurity audit as a starting point costs on average around €4,700 for a medium-sized company (after deducting SME portfolio). Cloud-based protection ranges from free (Cloudflare basic plan) to several hundred euros per month for advanced solutions.
Are DDoS attacks only a risk for large companies?
No. SMEs are actually more at risk of serious damage because they have less redundancy in their IT infrastructure. Moreover, SMEs are indirectly affected when their ISP or cloud platform is targeted. The November 2025 attacks on Proximus affected thousands of Belgian companies that were not themselves targets.
What should I do first to better protect my business?
Start with a cybersecurity audit that identifies your current resilience. In addition, check with your ISP to see what DDoS protection is active, and make sure your corporate network is segmented. Cyberplan will help you with each of these steps and guide you through the VLAIO grant application process.
