Itdaily - ‘NIS2 is not the goal, but a means to audit processes’: Country IT Lead of Inetum Belgium speaks out

‘NIS2 is not the goal, but a means to audit processes’: Country IT Lead of Inetum Belgium speaks out

Roel Van den Brande - CIO Inetum

Inetum Belgium does not use NIS2 as an end point, but as a lever to thoroughly audit existing processes.

Inetum is a European IT service provider that supports companies in the areas of application development, cloud, cybersecurity, and data and AI. The Belgian branch recently obtained the ISO 27001 certificate, but IT Lead Roel van den Brande considers that a means, not a goal in itself. With nineteen countries, 120 locations, and a Security Operations Center in Spain, solid governance around information security is not a luxury but a necessity.

What does the IT environment you are responsible for look like?

Van den Brande: “The scope includes supporting approximately one thousand users in Belgium, with laptops, work environments, and the applications they need daily. Within that, there are two layers: on the one hand, the global applications offered by the group that all countries use, and on the other hand, local applications with a more limited footprint.”

“Inetum also has about twenty global shared service centers worldwide, which provide services in the areas of application development, cloud development, cybersecurity, and data and AI. These centers play a central role in the hybrid model, where local proximity is combined with global scale and impact.”

What are your main priorities at the moment?

Van den Brande: “The absolute top priority for IT is the migration from an outdated local ERP solution, Microsoft Dynamics AX, to SAP Public Cloud. The go-live is planned for later this year. That choice was made at the group level: with nineteen countries on different ERP systems, transparency about the business is simply not feasible.”

“In addition, NIS2 compliance is high on the agenda. Inetum Belgium very recently obtained the ISO 27001 certificate, but the work doesn’t stop there. By 2026, compliance must also be demonstrable through audits. A third priority is the further rollout of the global shared service centers for the local IT organization. And finally, there is AI, both for internal support functions and towards customers.”

Does the rest of the organization understand these priorities sufficiently? How do you get everyone on the same page?

Van den Brande: “A great deal of attention is paid to change management and communication. It is important that employees understand why certain initiatives are being taken and what the impact is on their daily operations. To achieve this, the IT organization works together with the communication department to get the right message to the right target group at the right time.”

“Sponsorship from senior management is crucial in this regard. For larger initiatives, sponsors from management commit to the objectives together with the implementation teams, which increases visibility towards the organization. Finding the balance between communicating too much and too little remains a point of attention, especially in an organization that is in full transformation.”

Does the IT department have access to enough people and resources to successfully complete the challenges?

Van den Brande: “The local team is supplemented by the global shared service centers, which take over part of the support activities. This is a deliberate group strategy to keep personnel costs manageable. For the specific expertise required, the right profiles can be relied upon.”

“In addition to personnel costs, the management of IT assets also requires constant attention. Active license management, monitoring of consumption-based services, and device management are essential to keep costs under control.”

Is the Future of the IT Environment in the Cloud, On-Premises, or a Combination of both?

Van den Brande: “We are going for maximum commitment to global tooling, supported by the global shared service centers. The goal is to rationalize the application landscape: not every country on its own ERP, CRM, or ITSM environment, but going as global as possible. Of course, this does not apply to all applications. There is always a local element that does not fully fit into that global picture.”

“For those local applications, it is always a case-by-case assessment. Some currently run in our own private sovereign cloud, which is also operated commercially. In addition, there is the option to choose the public cloud or use SaaS solutions. The choice depends on cost and data sensitivity: how sensitive is the data and is a private cloud necessary?”

What impact do regulations like NIS2 have on IT policy?

Van den Brande: “Obtaining the ISO 27001 certificate was an important step, but for me, it goes further than a certificate in itself. With nineteen countries, 120 locations, and a SOC in Spain that monitors incidents in Belgium, solid governance around information security is simply necessary.”

The certificate was a means to thoroughly audit existing processes.

Roel Van den Brande, Country IT Lead Inetum Belgium

“ISO 27001 was the means to thoroughly audit all existing processes, identify gaps, and take measures. The certificate is not an end point: annual audits must show that the organization continues to work on the points of attention. Information security is a continuous process, not a one-off exercise.”

How is your organization handling the AI hype?

Van den Brande: “As a tech company, Inetum implements AI solutions itself, advises customers on AI use, and we participate in Microsoft Frontier programs for early access to new features. There are also discussions with Anthropic about using their tools within a compliant framework. AI is not a hype for Inetum: three to four years ago, a Gen AI hub was started for employees, with information on fundamentals, business value, and risks.”

“Training evolved from general fundamentals to practical learning paths tailored to role and maturity, today focused on Microsoft Copilot, GitHub Copilot, and AI within ServiceNow and SAP. Internally, AI agents are being built to support support functions. In addition, employees in the business are given the tools and resources to realize AI projects for customers.”

Van den Brande: “The shift from generative AI to AI agents is the most concrete trend that is now landing. The first generations of applications are appearing, but many more generations will follow. In addition, the rise of AI-native SaaS platforms is a point of attention: these are built from the ground up based on AI capabilities, while classic SaaS solutions add AI on top of their existing model.”

Guarding the balance between innovation and the impact of AI on privacy and data will be one of the most important tasks.

Roel Van den Brande, Country IT Lead Inetum Belgium

“For SaaS platforms with complex workflows and heavy regulatory pressure, full AI disruption is less likely, but for solutions with lighter workflows, the risk is real. Finally, AI governance is a challenge that will require a lot of attention in the coming years. AI is evolving rapidly, new models and tools appear daily, to the extent that the regulatory framework is struggling to keep up. Guarding the balance between innovation and the impact on privacy and data will be one of the most important tasks.”