SASE for legal and accounting firms: protecting client confidentiality across offices

How SASE protects client confidentiality across law and accounting offices. Replace VPN sprawl with one platform that meets professional secrecy and NIS2 rules.

Why do legal and accounting firms need SASE?

Law firms and accounting practices handle some of the most sensitive data in any sector. Professional secrecy is a legal obligation, not a preference, and it applies regardless of where data is stored or accessed. Multi-site operations, hybrid work, and trainee BYOD create access control challenges that traditional VPNs cannot solve granularly. Platforms like Jimber unify secure access, web protection, and site connectivity in a single console, giving small IT teams the oversight that professional secrecy and NIS2 demand.

Picture the reality inside a mid-market law firm or accounting practice. Partners access case files from courtrooms, client boardrooms, and home offices. Trainees rotate between branches with personal laptops. A shared printer in the reception area sits on the same network segment as the document management system. Five office locations are stitched together with ageing VPN tunnels that grant anyone who connects access to everything.

That is not a hypothetical. It is the norm for firms with 50 to 400 staff across 3 to 15 locations. And it is a compliance problem that compounds every time the firm grows, merges, or takes on a new partner.

This post explains why professional services firms face unique security risks, what a data breach actually costs beyond the headline fine, how SASE addresses each challenge with a specific component, and where NIS2 and professional secrecy obligations overlap.

The unique security challenges of professional services firms

Professional secrecy sits at the centre of everything. In Belgium, Article 458 of the Criminal Code makes it a criminal offence for lawyers, accountants, and auditors to disclose information obtained in the course of their profession. The Orde van Vlaamse Balies (OVB) and l’Ordre des Barreaux Francophones et Germanophone (OBFG) expect practitioners to take reasonable measures to prevent unauthorised access. That obligation extends to cloud storage, remote access, and every device that touches client data.

This is not just about ticking a compliance box. A firm’s reputation is built entirely on trust. The moment a client suspects their confidential information might be exposed, they move to another firm. No marketing campaign recovers that.

Beyond secrecy, the operational setup of most firms creates specific security gaps.

Multi-site sprawl. A firm with eight offices typically has eight separate firewall configurations, eight sets of VPN credentials to manage, and eight opportunities for misconfiguration. Consistency is almost impossible to maintain manually.

Hybrid work at client premises. Lawyers attend court, visit clients, and work from home. Accountants spend days at client offices during audit season. Each location is a different network with different risk levels. Traditional VPNs give these users the same broad network access regardless of where they are or what they need to reach.

Trainee and freelance BYOD. Belgian law firms regularly employ stagiaires who use their own devices. Interim accountants and freelance tax advisors bring personal laptops. These devices are outside the firm’s endpoint management, yet they access client dossiers daily.

Document management systems. Platforms like iManage and NetDocuments are the operational backbone. They hold every client file, every piece of privileged correspondence, every financial record. A security breach that reaches the DMS is not a partial incident. It is total exposure.

Shared devices nobody thinks about. Multifunctional printers scan to email and store documents in local memory. Meeting room displays connect to the network. IP phones sit on the same VLAN as workstations. None of these devices can run an endpoint security agent.

What a data breach means for a law firm (beyond the fine)

The financial cost of a breach in professional services is steep. Industry data from IBM’s 2025 Cost of a Data Breach report shows that breaches in financial and professional services sectors consistently exceed six million dollars on average, well above the global mean. But for law firms and accounting practices, the real damage is structural.

Disciplinary proceedings. Bar associations and professional bodies can suspend or disbar practitioners who fail to protect client confidentiality. For a partner, that is not a fine. It is the end of a career.

Personal liability. Under Belgian law, the managing partner or board member who failed to implement adequate security measures can be held personally responsible. NIS2 reinforces this with explicit management liability provisions.

Client flight. Research consistently shows that more than 80% of financial services clients would consider moving their assets after a data breach at their service provider. Law firms face the same dynamic. The relationship is built on trust, and trust does not survive a public breach notification.

Loss of competitive advantage. Larger clients now include cybersecurity requirements in their procurement processes. An accounting firm that cannot demonstrate adequate controls loses tenders to competitors who can. This is the supply chain effect of NIS2 filtering down to professional services.

Regulatory cascade. A firm that handles data for NIS2-regulated clients (banks, energy companies, healthcare providers) may find itself classified as a critical supplier. That brings additional reporting obligations and audit requirements, none of which a legacy VPN setup can satisfy.

The professional services sector accounted for roughly 13% of all reported cyber incidents in recent years, with business email compromise and ransomware as the primary attack vectors. Phishing emails disguised as court summons, tax authority notifications, or client documents are particularly effective in this sector because they mirror legitimate daily communications.

How SASE solves each of these challenges

The mapping below shows how each SASE component addresses a specific professional services challenge.

| Challenge | SASE component | What it solves |
| --- | --- | --- |
| Remote work at client sites and courts | ZTNA | Identity-based access to case files and DMS without VPN. Users reach only the applications their role requires. |
| Multiple office locations with separate firewalls | SD-WAN + FWaaS | Secure, fast connectivity between all offices. One policy set enforced everywhere from a single console. |
| Trainee and freelance BYOD laptops | Device Posture Check | Only devices meeting security requirements (OS patches, disk encryption, active antivirus) can access client data. |
| Phishing via legal documents and invoices | SWG | Inspects all web traffic, blocks malicious links and downloads. Browser isolation executes risky content in a cloud container. |
| Shared printers, IP phones, meeting room displays | NIAC hardware | Inline isolation for agentless devices. Each device communicates only with its approved destination. A compromised printer cannot reach the DMS. |
| Consistent policy and audit trail across all offices | Single Management Console | One interface for policies, logging, and monitoring. Jimber’s single console lets a two-person IT team manage security for twelve offices. |
| End-to-end encryption for privileged communications | Built-in encryption | All traffic between users, sites, and services is encrypted by default, meeting professional secrecy requirements for data in transit. |

The practical advantage for professional services firms is consolidation. Instead of managing separate products for VPN, web filtering, firewall, and site connectivity, each with its own console and licensing cycle, SASE delivers all of these from one platform. A Belgian wealth management firm reduced security costs by 58% after consolidating its fragmented security stack into a single SASE platform. The dynamics for law firms and accounting practices are identical: multiple offices, sensitive client data, small IT teams, and a pressing need for audit-ready controls.

NIS2 and professional secrecy: the compliance overlap

Professional secrecy and NIS2 might seem like separate obligations, but they converge on almost every technical control.

Both require strict access control. Professional secrecy demands that only authorised individuals access client information. NIS2 Article 21 requires identity-based access controls with least-privilege enforcement. ZTNA delivers both in a single configuration.

Both require logging and audit trails. Bar associations expect firms to demonstrate that access to client files is controlled and monitored. NIS2 requires incident detection capabilities and evidence of security measures. Jimber’s built-in logging covers the audit trail requirements for both obligations from one console.

Both require encryption. Privileged communications must be protected in transit and at rest. NIS2 expects encryption as a proportionate security measure. SASE platforms encrypt all traffic by default.

Both require incident response. Professional bodies expect firms to notify affected clients when confidentiality is compromised. NIS2 imposes a 24-hour initial notification window to national authorities. A centralised platform with unified logging makes both response timelines achievable; without it, the first twelve hours are spent figuring out which of five separate tools holds the relevant evidence.

Both require supply chain oversight. NIS2 Article 21.2.d requires organisations to assess and manage security risks from their technology suppliers. Professional bodies increasingly expect the same diligence. A SASE platform with EU jurisdiction, like Jimber’s Belgian-headquartered infrastructure, avoids the CLOUD Act exposure that comes with US-based vendors. The European SASE alternatives guide covers why data sovereignty matters for this choice.

The practical result: implementing SASE to meet NIS2 simultaneously satisfies most of the technical requirements that professional secrecy demands. One project, two compliance frameworks addressed. The NIS2 compliance checklist for IT managers covers the full set of controls.

What Belgian professional bodies expect

The OVB and OBFG have not published prescriptive technical standards for cybersecurity, but the direction is clear. Both organisations expect practitioners to take “reasonable measures” to prevent unauthorised access to client data, and those expectations are tightening.

The Instituut van de Bedrijfsrevisoren (IBR) and the Institute for Tax Advisors and Accountants (ITAA) are more explicit. The IBR’s “Ambities 2030” action plan identifies digitalisation as a core priority, and from April 2026, multi-factor authentication becomes mandatory for access to the IBR portal. The ITAA has similarly emphasised digital integrity and secure client data handling as professional obligations.

These are leading indicators. When a professional body mandates MFA for its own portal, it signals that the same expectation will soon extend to how practitioners handle client data.

For firms preparing for this shift, the zero trust principles that underpin SASE (verify explicitly, enforce least privilege, assume breach, validate device posture, and evaluate continuously) provide a framework that meets both current and emerging requirements. The device posture checks for NIS2 guide explains how to implement the device-level controls that auditors will look for.

Flemish firms also have a financial incentive. The reformed KMO-portefeuille, from February 2026, limits advisory subsidies exclusively to cybersecurity. Small enterprises can claim 45% back on eligible cybersecurity advisory costs, with a €7,500 annual ceiling. Mid-sized firms receive 35%. This makes 2026 the most cost-effective year to implement SASE, with nearly half the advisory costs subsidised.

How SASE integrates with legal and accounting workflows

Professional services firms run specific applications that any security solution must accommodate without friction.

Document management systems. iManage and NetDocuments are accessed via browser and thick client. ZTNA publishes these applications through identity-based policies. A lawyer at court accesses iManage the same way they would in the office, with the same security controls applied automatically. No VPN connection required, no “all-or-nothing” network access.

Practice management and billing. Systems like CoyoteERP, Cicero, and various time-tracking tools are increasingly cloud-hosted. SWG applies consistent security policies to all SaaS traffic, while CASB capabilities provide visibility into which cloud applications staff actually use, including unsanctioned ones.

Email and Microsoft 365. Legal correspondence flows through Outlook and Teams. SWG inspects links and attachments in real time. Browser isolation can render suspicious attachments in a secure container, preventing a malware-laced “court summons” from ever reaching the endpoint.

Scanning and printing. Multifunctional printers that scan to network shares or email are common in every office. Jimber’s NIAC hardware can onboard these devices without agents, restricting their network communication to approved destinations only. A compromised printer cannot become a pivot point to reach the DMS or financial systems.
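The isolation described here and in the NIAC row of the table above can be modelled as a per-device allow-list applied to every flow the device originates. The script below is an added example, not Jimber’s NIAC firmware: the device inventory, destination addresses and flow records are all constructed sample data, and the function names are this example’s own. It parses a handful of flow log lines, checks each against the originating device’s allow-list (unknown devices are denied by default), and reports the flows that should be blocked, including a printer trying to reach the DMS host.

```python
"""Added example (not Jimber's code): per-device allow-lists for agentless
devices, evaluated over constructed flow records. Demonstrates why a printer
that may only talk to the mail relay and scan share cannot pivot to the DMS."""
import ipaddress

# Constructed sample inventory: device -> set of (destination CIDR, port) it may reach.
DEVICE_ALLOWLIST = {
    "printer-reception": {("10.0.20.5/32", 587),   # scan-to-email relay (SMTP submission)
                          ("10.0.20.6/32", 445)},  # scan-to-share file server
    "meeting-display-1": {("10.0.30.10/32", 443)}, # display management service
    "ip-phone-12":       {("10.0.40.0/24", 5060)}, # SIP on the voice subnet only
}
DMS_HOST = "10.0.10.20"   # constructed address of the document management system

def is_allowed(device: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: a device with no inventory entry gets nothing."""
    rules = DEVICE_ALLOWLIST.get(device)
    if rules is None:
        return False
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(cidr) and port == dst_port
               for cidr, port in rules)

# Constructed flow log lines, one flow per line, key=value fields.
SAMPLE_FLOWS = """\
2025-11-03T09:14:02Z device=printer-reception dst=10.0.20.5 dport=587 proto=tcp
2025-11-03T09:14:09Z device=printer-reception dst=10.0.20.6 dport=445 proto=tcp
2025-11-03T09:15:41Z device=printer-reception dst=10.0.10.20 dport=445 proto=tcp
2025-11-03T09:16:00Z device=ip-phone-12 dst=10.0.40.7 dport=5060 proto=udp
2025-11-03T09:16:12Z device=meeting-display-1 dst=10.0.10.20 dport=443 proto=tcp
2025-11-03T09:17:30Z device=unknown-mac-3a2f dst=10.0.10.20 dport=445 proto=tcp
"""

def parse_flow(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "device": fields["device"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "proto": fields["proto"]}

def evaluate_flows(text: str) -> list:
    """Return [(flow, 'allow'|'deny'), ...] for every non-empty line."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = "allow" if is_allowed(flow["device"], flow["dst"], flow["dport"]) else "deny"
        results.append((flow, verdict))
    return results

def denied_flows(text: str) -> list:
    return [flow for flow, verdict in evaluate_flows(text) if verdict == "deny"]

def dms_reach_attempts(text: str) -> list:
    """Devices that tried to reach the DMS host and were denied: the signal a
    SOC would want alerted, since agentless devices never have a reason to."""
    return sorted({f["device"] for f in denied_flows(text) if f["dst"] == DMS_HOST})

if __name__ == "__main__":
    for flow, verdict in evaluate_flows(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow['device']:18} -> {flow['dst']}:{flow['dport']}")
    print("denied DMS attempts from:", dms_reach_attempts(SAMPLE_FLOWS))
```

The allow-list is deliberately expressed as destination-plus-port rather than VLAN membership: a printer on the same VLAN as workstations is exactly the situation the page warns about, and inline enforcement per device is what closes it.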

For firms evaluating how all these components fit together architecturally, the SASE architecture guide walks through data flow, deployment models, and how single-pass inspection works in practice.

Frequently asked questions

Does cloud-based SASE comply with professional secrecy obligations?

Yes, provided the platform encrypts all data in transit, enforces identity-based access controls, and processes data within EU jurisdiction. Professional secrecy under Article 458 requires reasonable measures to prevent unauthorised access. A SASE platform with built-in encryption, Zero Trust access, and European data residency meets that standard more comprehensively than a collection of on-premise appliances with inconsistent configurations across offices.

Can we secure trainee and freelance laptops without installing agents?

Partially. For managed devices, the SASE agent provides full posture checking and policy enforcement. For BYOD devices where installing software is not feasible, browser-based access with scoped permissions provides a controlled alternative. For shared devices like printers and meeting room displays, NIAC hardware provides inline isolation without requiring any software on the device itself.

How does SASE handle document management systems like iManage?

ZTNA publishes iManage (or NetDocuments, or any other DMS) as an application accessible through identity-based policies. Users authenticate with their identity provider, the platform checks device posture, and access is granted to the DMS only. They never join the corporate network. This means a compromised personal device cannot scan the rest of the network, even if it has valid iManage credentials.
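The decision sequence in this answer, combined with the posture criteria listed in the table above (OS patches, disk encryption, active antivirus) and the browser-scoped path for unmanaged BYOD devices from the previous answer, can be written as a small policy function. The code below is an added example, not Jimber’s implementation: identity claims are assumed to arrive already verified from an identity provider, posture is assumed to come from an agent (and is absent on unmanaged devices), and the roles, application names and patch-age threshold are constructed sample values. The result is an allow or deny for one published application, never for the network.

```python
"""Added example (not Jimber's code): a minimal ZTNA decision function.
Assumptions: the identity provider has already authenticated the user and
asserted MFA; an installed agent reports posture (None for unmanaged BYOD);
ROLE_APPS and MAX_PATCH_AGE_DAYS are constructed sample policy."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa_verified: bool      # assumed to be asserted by the identity provider

@dataclass(frozen=True)
class DevicePosture:
    os_patch_age_days: int
    disk_encrypted: bool
    antivirus_running: bool

# Constructed sample mapping: which published applications each role may reach.
ROLE_APPS = {
    "partner": {"imanage", "billing", "m365"},
    "associate": {"imanage", "m365"},
    "trainee": {"imanage"},
    "freelance_accountant": {"billing"},
}
MAX_PATCH_AGE_DAYS = 30   # assumed threshold, not a Jimber default

def posture_failures(p: DevicePosture) -> list:
    """Posture criteria from the page: patches, disk encryption, antivirus."""
    failures = []
    if p.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append("os_patches_stale")
    if not p.disk_encrypted:
        failures.append("disk_not_encrypted")
    if not p.antivirus_running:
        failures.append("antivirus_inactive")
    return failures

def ztna_decision(identity: Identity, posture: Optional[DevicePosture], app: str):
    """Return (allowed, detail): detail is the access mode when allowed,
    otherwise the reason for denial. Checks run identity -> role -> posture."""
    if not identity.mfa_verified:
        return False, "mfa_required"
    permitted = set().union(*(ROLE_APPS.get(r, set()) for r in identity.roles))
    if app not in permitted:
        return False, "app_not_in_role"
    if posture is None:
        # No agent on the device (BYOD): browser-based, scoped access only.
        return True, "browser_scoped"
    failures = posture_failures(posture)
    if failures:
        return False, "posture:" + ",".join(failures)
    return True, "agent"

def audit_record(identity: Identity, posture: Optional[DevicePosture], app: str) -> dict:
    """One record per decision, the shape an audit trail needs for both
    professional-secrecy evidence and NIS2 incident detection."""
    allowed, detail = ztna_decision(identity, posture, app)
    return {"user": identity.user, "app": app, "allowed": allowed, "detail": detail,
            "device": "managed" if posture is not None else "byod"}

if __name__ == "__main__":
    partner = Identity("p.janssens", frozenset({"partner"}), True)
    trainee = Identity("trainee1", frozenset({"trainee"}), True)
    print(audit_record(partner, DevicePosture(5, True, True), "imanage"))
    print(audit_record(trainee, None, "imanage"))
    print(audit_record(trainee, DevicePosture(5, True, False), "imanage"))
```

Because the function answers "may this identity, on this device, reach this application", a valid iManage credential on a device that fails posture is denied, and a device that passes is still granted only the one application it asked for.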

Do law firms fall under NIS2 in Belgium?

Most mid-market law firms are not directly classified as essential or important entities under NIS2. However, firms that serve NIS2-regulated clients (banks, energy companies, healthcare providers) are increasingly treated as critical suppliers. Article 21.2.d requires those regulated clients to assess and manage the security practices of their supply chain, which includes their legal and financial advisors. In practice, this means NIS2 compliance expectations are filtering down to professional services firms through client requirements rather than direct regulation.

What is the cost of implementing SASE for a professional services firm?

Specific pricing depends on user count, number of sites, and the components required. The consolidated approach typically reduces total security spend compared to managing separate products for VPN, web filtering, firewalls, and site connectivity. A comparable professional services firm, a Belgian wealth manager, achieved a 58% reduction in total security costs after consolidation. Flemish firms can additionally claim 35-45% back on eligible cybersecurity advisory costs through the KMO-portefeuille.

Can a two-person IT team manage SASE across multiple offices?

Yes. That is the core operational advantage. A single management console replaces the need to manage separate firewall configurations, VPN concentrators, and web filtering appliances at each location. Policies are defined once and enforced everywhere. Jimber’s platform is designed for exactly this scenario: mid-market organisations with small IT teams managing distributed environments.

Ready to see how a single SASE platform handles professional secrecy, NIS2 compliance, and multi-site security from one console? Book a demo and walk through the setup for a professional services firm with your specific number of offices and users.
