
Ransomware costs for SMEs: what an attack really costs your business

A ransomware attack costs Belgian SMEs €20,000 to €200,000+. Discover the full cost structure and why prevention is 10x cheaper.
Image: a worried business owner calculating the ransomware costs for his SME at a desk in a Belgian office.

TL;DR: On average, a ransomware attack costs a Belgian SME between €20,000 and €200,000, depending on the size of the company and the duration of the downtime. The ransom itself accounts for only 17% of the total bill. Downtime, repair costs and lost revenue make up the lion's share. Prevention through an audit, pen test and awareness training costs a fraction of that damage and is subsidizable up to 50% through VLAIO.

Ransomware is no longer a distant threat. Almost half of all Flemish enterprises were victims of a cyber attack in 2024 (VLAIO Cybersecurity Barometer). Yet many business owners underestimate the true cost of ransomware, because the bill goes far beyond the ransom. In this article, we calculate what an attack actually costs your SME, which cost items you don't see coming, and why prevention is a better investment than recovery afterwards.

What does a ransomware attack cost for a Belgian SME?

The total ransomware cost consists of at least five components that together determine the final bill. The ransom itself is only a small part of the total: an average of 17% according to the Sophos State of Ransomware 2025 report. The rest goes to downtime, remediation, legal fees and reputational damage.

Based on international figures (IBM Cost of a Data Breach Report 2025, Sophos) and Belgian data (Vanbreda Cyber Study 2025), the cost structure for a medium-sized SME looks as follows:

Cost item | Share | Indicative cost (SME, 50-250 employees)
Downtime and lost productivity | 35% | €15,000 – €80,000+
Recovery and technical remediation | 27% | €10,000 – €50,000
Ransom (if paid) | 17% | €5,000 – €50,000
Reputation damage and customer loss | 16% | Hard to quantify
Legal and compliance costs | 5% | €2,000 – €15,000

One nuance matters here. According to the Vanbreda Cyber Study 2025, in 81% of Belgian damage cases the final cost stayed below €20,000, thanks to good prevention and rapid intervention. But in the 3% of serious cases, the damage exceeded €1 million. The question is not whether your company will be attacked, but how well prepared you are when it happens.

Direct costs: ransom, recovery and forensics

Direct ransomware costs are the expenses that land on your account immediately after an attack. They are the most visible costs, but often not the most expensive part.

Ransom: The median ransom payment worldwide fell to about $115,000 in 2025, but amounts vary enormously by sector. In the manufacturing industry, strongly represented in West Flanders, the median for larger companies was $3.35 million. Importantly, 64% of victims refused to pay in 2025, up from 50% in 2022. And of the companies that did pay, only half got all their data back (Sophos 2025).

Forensic investigation and recovery: After an attack, an outside cybersecurity team usually has to determine the cause, remove the malware and restore systems. For a medium-sized SME, these costs range from €10,000 to €50,000, depending on complexity. This includes system analysis, malware removal, restoring from backups and closing the vulnerability through which the attackers got in. Preserve disk images and logs of the affected systems before rebuilding them: the forensic findings determine both what must be remediated and what must be reported.

Legal costs: Under the GDPR, you must report a personal data breach to the GBA within 72 hours of becoming aware of it. Under NIS2, even stricter deadlines apply for reporting to the CCB: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month. Legal guidance on these procedures can quickly cost €2,000 to €10,000.

Indirect costs: downtime, lost sales and reputational damage

The indirect ransomware costs are often heavier than the direct bill. They only become apparent in the weeks and months following the attack, but ultimately determine whether your business recovers from the blow.

Downtime is the biggest cost. The average recovery time after a ransomware attack is 24 days before all systems are fully operational again (Sophos 2025). In 2025, 53% of victims recovered within a week, but that still leaves nearly half with weeks of disruption. For an SME with 200 employees and an average payroll cost of €350 per employee per day, each day of downtime represents about €70,000 in lost productivity, not counting lost sales.

Loss of sales: If your ERP system, web shop or invoicing is unavailable for days or weeks, sales drop immediately. Customers switch to competitors, orders are cancelled and deliveries are delayed. For a manufacturing company with a daily turnover of €50,000, every day of downtime puts that €50,000 of revenue directly at risk.

Reputational damage: Customers, suppliers and partners start to question your reliability. This effect is difficult to put a price on, but research shows that after a publicly known attack, companies attribute on average 16% of their total damage to customer loss and reputation recovery.

Belgian companies hit by ransomware: what do we learn?

There is no shortage of international case studies, but the most instructive examples come from our own backyard. These Belgian companies show concretely how ransomware costs add up.

Picanol (2020): The Ypres-based loom manufacturer saw its entire production shut down for two weeks following a ransomware attack. 2,300 employees were temporarily put on technical unemployment. Direct costs were estimated at less than €1 million, but the opportunity cost of the interrupted production chain came on top of that. Picanol was able to recover without paying a ransom, thanks to a three-tier backup system (local, central and manual offline). The lesson: tested, offline backups can be worth millions.

Duvel Moortgat (2024): In March 2024, a ransomware attack forced the brewery to halt production immediately. The attackers claimed to have stolen 88 GB of data, including personal data of employees. The need to isolate the IT systems completely led to downtime of the bottling lines and logistics systems. Restoration costs were estimated at millions of euros.

TVH (2023): Parts specialist TVH was hit by the LockBit group. The internal ordering system and website were unusable for weeks, and orders could not be processed. The impact on customer relations and the global supply chain was so great that TVH developed its own "downtime cost calculator" after the incident to make the costs transparent.

What these cases have in common: the ransom itself was rarely the biggest problem. The weeks of downtime, lost production and disrupted customer relationships made up the real damage.

How does prevention compare to the ransomware cost of an attack?

The comparison between the cost of prevention and the damage of an attack is telling. The average recovery after ransomware is about 10 times more expensive than the investment in basic security (Sophos 2025).

Investment | Annual cost (SME) | Versus attack damage
Cybersecurity audit | €4,000 – €8,000 | Identifies vulnerabilities before attackers find them
Pentest (infrastructure) | €3,000 – €8,000 | Tests whether your defenses hold up
Security awareness training | €5,000 – €12,000 | Prevents the most common attack vector (phishing)
Total prevention | €12,000 – €28,000 |
Average attack damage (SME) | €20,000 – €200,000+ | 2x to 15x the prevention investment

Organizations with tested offline backups are 27 times less likely to pay ransom, according to research by the University of Twente. Multi-factor authentication alone reduces the risk of a successful attack by 82%.

Moreover, Flemish subsidies lower the threshold considerably. Via the KMO-portefeuille, you get 45% (small enterprise) or 35% (medium-sized enterprise) back on cybersecurity advice. Via the VLAIO cybersecurity improvement program, the contribution can even reach 50%. A €5,000 cybersecurity audit therefore costs a small business only €2,750 after subsidy. Compare that to an average attack damage of €20,000 to €200,000.

Specifically, how do you protect yourself? Read our practical guide to ransomware protection.

Does your cyber insurance cover ransomware damage?

Cyber insurance provides financial compensation, not operational recovery. That distinction is crucial. According to the Vanbreda Cyber Study 2025, there are now 20 providers active in the Belgian market and premiums have stabilized. Still, 42% of insured companies found that their policy covered only a small portion of the actual damage, mainly because indirect costs such as loss of reputation and revenue were underinsured.

Another striking finding: research by the University of Twente (2025) shows that having cyber insurance increases the average ransom demand by a factor of 2.8. For double extortion attacks (data encryption combined with data theft), this rises to a factor of 5.5. Attackers know that insured companies are more likely to pay.

Insurance is a useful backstop, but does not replace prevention. Moreover, insurers are increasingly rejecting companies that do not practice basic hygiene, such as MFA and offline backups. Read more on this topic in our article on cyber insurance in Belgium.

Frequently asked questions about ransomware costs

Do I have to pay a ransom in a ransomware attack?

Payment is strongly discouraged. Of the companies that paid in 2025, only 50% got all their data back. Moreover, 27% of those who paid were attacked again shortly afterwards. Payment also funds criminal activity. Always start by consulting a cybersecurity expert, and read our guide on the first steps after an attack.

On average, how long does an SME lie idle after ransomware?

The average recovery time is 24 days to full operational capacity. In 2025, 53% of victims recovered within a week, but the remaining companies struggled with weeks to months of disruptions. Good backups and an incident response plan dramatically reduce recovery time.

What does recovery cost without paying a ransom?

Recovery without ransom costs a medium-sized SME on average between €10,000 and €50,000 in technical remediation, excluding downtime costs. That amount includes forensics, malware removal, system recovery and vulnerability plugging. Companies with tested backups recover faster and cheaper.

Is ransomware protection subsidizable through VLAIO?

Yes. Since February 1, 2026, the VLAIO SME portfolio has been reserved exclusively for cybersecurity consulting. You will receive a 45% (small enterprise) or 35% (medium enterprise) subsidy on audits, pen tests and awareness training. Through VLAIO cybersecurity improvement projects, the intervention can reach 50%.

How much does a cybersecurity audit cost compared to ransomware damage?

A cybersecurity audit for a medium-sized SME costs on average between €4,000 and €8,000. After the VLAIO subsidy, you pay only €2,200 (small enterprise, 45% subsidy on €4,000) to €5,200 (medium-sized enterprise, 35% subsidy on €8,000). Compare that to an average ransomware damage of €20,000 to €200,000+. The audit identifies the vulnerabilities that attackers use to get in.

Does my company fall under the NIS2 notification requirement after a ransomware attack?

If your company falls under NIS2 (more than 50 employees or more than €10 million in turnover, in a sector covered by the directive), you must report significant incidents to the CCB: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month. In addition, under the GDPR there is a separate duty to notify the GBA within 72 hours if personal data has been leaked.

The business case is clear

The ransomware cost for a Belgian SME averages between €20,000 and €200,000, with outliers exceeding €1 million. Prevention via an audit, pen test and awareness training costs €12,000 to €28,000 per year, up to half of which is subsidizable. The arithmetic is simple: investing in security is not only cheaper than repairing the damage, it is the only approach that protects your business continuity.

Do you want to know what your company is concretely risking? A cybersecurity audit identifies your vulnerabilities and provides a concrete roadmap. Schedule a no-obligation consultation and find out how Cyberplan protects your organization.