Glossary

The cybersecurity world is full of acronyms — here's a clear definition of each term you'll meet in NIS2YOU and in regulatory requirements.

Authorities and regulators — Belgium
CCB
Centre for Cybersecurity Belgium. The competent Belgian authority for NIS2 — significant cyber incidents are notified here (24h / 72h / 1 month).
DPA
Data Protection Authority. The Belgian regulator for GDPR (in French: APD; in Dutch: GBA). Personal data breaches are notified within 72h. Don't confuse with Data Processing Agreement (also DPA).
CERT.be
Belgian Computer Emergency Response Team. CCB service that helps organisations hit by a cyber incident.
Authorities and regulators — France
ANSSI
Agence Nationale de la Sécurité des Systèmes d'Information. The competent French authority for NIS2 (transposed by the REN law of 30 April 2024). Receives notifications of significant incidents (24h / 72h / 1 month).
CNIL
Commission Nationale de l'Informatique et des Libertés. The French GDPR regulator. Personal data breaches are notified within 72h.
CERT-FR
French Computer Emergency Response Team, operated by ANSSI. Issues alerts and assists incident victims.
cybermalveillance.gouv.fr
Victim assistance platform (SMEs, individuals, local governments) — guidance and connection to vetted service providers.
Authorities and regulators — Luxembourg
HCPN
Haut-Commissariat à la Protection Nationale. Luxembourg's national cybersecurity authority — drives the national strategy and NIS2 transposition.
ILR
Institut Luxembourgeois de Régulation. Competent NIS2 authority for digital services and critical infrastructure. Receives notifications of significant incidents.
CNPD
Commission Nationale pour la Protection des Données. The Luxembourg GDPR regulator. Personal data breaches are notified within 72h.
CIRCL
Computer Incident Response Center Luxembourg. National CERT for the non-governmental private sector — assistance, alerts, MISP.
GovCERT.lu
CERT for Luxembourg public administrations and operators of vital importance.
Authorities and regulators — Netherlands
NCSC-NL
Nationaal Cyber Security Centrum. The central Dutch cybersecurity authority and NIS2 point of contact for essential entities.
CSIRT-DSP
CSIRT for Digital Service Providers. Receives NIS2 notifications specifically from cloud providers, marketplaces, and search engines.
AP
Autoriteit Persoonsgegevens. The Dutch GDPR regulator. Personal data breaches (datalek) are notified within 72h.
DTC
Digital Trust Center. Dutch government programme that helps SMEs with cybersecurity — alerts, guides, community.
European authorities
ENISA
European Union Agency for Cybersecurity. Publishes guidelines and frameworks and coordinates national CERTs.
EDPB
European Data Protection Board. Coordinates the national GDPR regulators (DPA, CNIL, CNPD, etc.).
Regulations and frameworks
NIS2
Network and Information Security Directive 2. EU directive (2022/2555) imposing cybersecurity obligations on essential and important entities — risk management, incident notification, governance.
GDPR / RGPD
General Data Protection Regulation (in French: Règlement Général sur la Protection des Données). EU regulation (2016/679) governing personal data processing.
ISO 27001
International reference standard for Information Security Management Systems (ISMS). Certifiable.
Roles and functions
DPO
Data Protection Officer. Person responsible for GDPR compliance within the organisation. Mandatory in some cases.
CISO
Chief Information Security Officer. Responsible for the security strategy.
Documents and procedures
DPIA
Data Protection Impact Assessment. Mandatory analysis for high-risk personal data processing.
DPA (agreement)
Data Processing Agreement. Contract framing personal data processing by a subcontractor. Don't confuse with the regulator (Data Protection Authority).
IRP
Incident Response Plan. Document describing who does what during an incident.
BCP
Business Continuity Plan. Plan to keep the business running despite a major disruption.
DRP
Disaster Recovery Plan. Technical plan to restore systems after a major incident.
BIA
Business Impact Analysis. Analysis identifying critical processes and their dependencies; it is the preparatory step for the BCP and DRP.
Security technologies
MFA / 2FA
Multi-Factor / Two-Factor Authentication. Strong authentication that combines a password with a second factor (TOTP code, USB security key, biometric).
TOTP
Time-based One-Time Password. 6-digit code that changes every 30 seconds (Google Authenticator, Authy...).
EDR
Endpoint Detection & Response. Next-gen antivirus that detects suspicious behaviour on endpoints (Defender, CrowdStrike, SentinelOne...).
SIEM
Security Information & Event Management. System that centralises logs and detects suspicious patterns (Splunk, Elastic, Wazuh, CrowdSec...).
DLP
Data Loss Prevention. Tools preventing leakage of sensitive data via email, USB, or cloud.
VPN
Virtual Private Network. Encrypted tunnel for remote access to the internal network.
RBAC
Role-Based Access Control. Model where rights are granted via roles (Admin, Manager, User...) rather than individually.
SSO
Single Sign-On. One login gives access to several applications (Azure AD, Okta...).
Attacks and threats
DDoS
Distributed Denial of Service. Attack saturating a service with massive request volume to take it down.
Phishing
Fraudulent email, SMS, or call impersonating a legitimate source to obtain credentials, trigger fraudulent transfers, or lure the recipient into clicking a malicious link.
Vishing
Phone-based phishing (voice phishing). Often targets CFOs for urgent transfer requests.
Ransomware
Malware that encrypts your data and demands a ransom for decryption.
NIS2YOU terms
Tenant
A single isolated client organisation. Each tenant has its own data, users, and configuration. Your data is never visible to another tenant.
Owner / Admin / Risk Manager / Contributor / Auditor
The 5 NIS2YOU roles, from most powerful (Owner) to read-only (Auditor).
P / I (heatmap)
Probability / Impact. The two axes for scoring a risk, each on a 1-5 scale.