Belgian cities and municipalities no longer operate from a single town hall. Libraries, sports centres, social services, and technical departments are spread across dozens of locations. Each site needs secure connectivity. Each employee expects to work from anywhere. And with NIS2 enforcement now fully active, cybersecurity is a personal liability for executives facing regular audits. The traditional approach of installing firewalls at every location and routing traffic through a central data centre simply does not scale.
This guide explains how a Secure Access Service Edge (SASE) architecture addresses the specific challenges of local government IT. You will find practical scenarios, a phased implementation roadmap, and a clear view of which components solve which problems.
How to implement SASE in a local government
- Audit your current infrastructure and map all locations, users, and applications
- Start with SD-WAN at locations where connectivity is a bottleneck or MPLS contracts are expiring
- Replace VPN access with Zero Trust Network Access for employees handling sensitive citizen data
- Deploy Secure Web Gateway for consistent web filtering across all sites and public wifi
- Use Network Isolation Access Controller (NIAC) hardware to isolate IoT devices like cameras, access systems, and smart meters
- Centralise policy management in one cloud console with unified logging for NIS2 evidence
Why traditional network security falls short for municipalities
A typical Belgian municipality manages between 20 and 50 public facilities. In the Brussels region, this includes an average of 43 sports facilities per municipality alone. Add libraries, social housing offices, administrative annexes, and technical depots. Each location needs network access for staff. Many also offer public wifi for citizens.
The hub-and-spoke model, where all traffic routes through a central firewall before reaching the internet, creates unacceptable latency for cloud applications. Modern SaaS tools like Microsoft 365 perform poorly when every packet must travel to headquarters first. Staff in libraries and sports centres experience slow connections. Citizens using public wifi complain about speed. IT teams spend their time troubleshooting performance instead of improving security.
Installing dedicated firewalls at every location solves the performance problem but creates new ones. Configuration drift becomes inevitable. Smaller sites often lack the technical staff to maintain appliances properly. Updates get delayed. Misconfigurations accumulate. And the costs add up quickly, both for hardware and for the expertise required to manage it.
NIS2 is no longer coming. It is here.
NIS2 became Belgian law in October 2024. The CCB registration deadline passed in March 2025. Audits are now happening. Local governments classified as important or essential entities face active enforcement, and several Belgian organisations have already received formal warnings for compliance gaps.
Board members and executives carry personal liability for cybersecurity compliance. Fines for non-compliance can reach 10 million euros or 2% of global turnover for essential entities. More importantly, the reputational damage from a breach affecting citizen data is difficult to recover from.
The practical requirements are now well established: documented risk analysis, incident response procedures with 24-72 hour reporting windows, business continuity planning, and supply chain security assessments. Organisations that scrambled to meet initial deadlines are now discovering that maintaining compliance requires ongoing visibility and control. A SASE platform provides the centralised logging, policy versioning, and audit trails that auditors expect to see. When the CCB requests evidence of access controls or incident containment capabilities, the answer comes from a single console rather than scattered across dozens of appliances.
Traditional security versus SASE for distributed locations
| Aspect | Traditional model | SASE approach |
|---|---|---|
| Control plane | Hardware-based, managed per device | Software-based, single cloud console |
| Traffic routing | Static, often hairpinned through HQ | Dynamic, application-aware |
| Bandwidth | Fixed, often expensive MPLS | Flexible, multiple transport options |
| Security model | Perimeter-based, network trust | Zero Trust, identity-based |
| Cloud access | Backhauled, high latency | Direct internet breakout |
| Audit readiness | Manual evidence collection | Automated compliance reporting |
Which SASE components solve which municipal challenges
SD-WAN for site connectivity
SD-WAN replaces or supplements expensive MPLS connections with encrypted tunnels over standard internet links. Traffic routes intelligently based on application type and real-time network conditions. A VoIP call from citizen services gets priority over a background backup job. Libraries can use fibre, coax, or 5G connections without complex configuration.
The cost savings are significant. Most organisations see a 30-50% reduction in connectivity costs while increasing available bandwidth. Zero-touch deployment means new sites can be connected in hours rather than weeks.
Zero Trust Network Access for staff and hybrid work
Traditional VPNs grant broad network access once connected. An employee who authenticates can often reach systems far beyond their job requirements. ZTNA inverts this model. Access is granted per application, verified continuously, and scoped to the minimum necessary.
For a social worker visiting a client at home, this means secure access to the case management system without exposing the entire municipal network. Device posture checks verify that the laptop meets security baselines before granting access. If the device falls out of compliance, access revokes automatically.
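The per-application, posture-gated decision described above can be sketched as a small default-deny policy engine. This is an added illustration, not code from any SASE product; the roles, application names, baseline checks and function names are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed policy: which role may reach which application (least privilege).
APP_POLICY = {
    "case-management": {"social-worker"},
    "lending-system": {"library-staff"},
}

# Constructed baseline a device must meet before and during a session.
BASELINE = {"disk_encrypted": True, "os_patched": True, "edr_running": True}

@dataclass
class Device:
    device_id: str
    posture: dict

@dataclass
class Session:
    user: str
    role: str
    app: str
    device: Device
    active: bool = True

def posture_failures(device):
    """Return the baseline checks this device currently fails (missing = failed)."""
    return sorted(k for k, v in BASELINE.items() if device.posture.get(k) != v)

def authorize(user, role, app, device):
    """Default deny: open a session only for an explicitly allowed
    role/application pair from a device that meets the baseline."""
    if role not in APP_POLICY.get(app, set()):
        return None, f"deny: role '{role}' is not entitled to '{app}'"
    failed = posture_failures(device)
    if failed:
        return None, "deny: posture failed " + ",".join(failed)
    return Session(user, role, app, device), "allow"

def reevaluate(session):
    """Continuous verification: re-check an open session and revoke it
    as soon as the device drifts out of compliance."""
    if session.active and posture_failures(session.device):
        session.active = False
    return session.active
```

Unlike a VPN login, the grant here names one application, and `reevaluate` is meant to run for the lifetime of the session rather than once at connection time.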
Secure Web Gateway for internet protection
A Secure Web Gateway inspects all internet traffic, blocking malicious sites and enforcing acceptable use policies. This protects both staff and citizens using public wifi in libraries.
Many Belgian libraries still rely on open networks or shared passwords for public access. This creates liability risks and exposes users to threats. SWG provides category-based filtering and threat protection without requiring complex per-site configuration. Policies follow users regardless of location.
Firewall as a Service for consistent policy
FWaaS moves firewall functionality to the cloud. Instead of maintaining physical appliances at each sports centre or depot, policies are enforced centrally. This eliminates configuration drift and ensures every location meets the same security baseline. Updates happen automatically without on-site visits.
NIAC hardware for IoT and agentless devices
Modern municipal facilities contain numerous connected devices that cannot run security agents: CCTV cameras, access control systems, smart meters, building automation. These devices often ship with weak security and become entry points for attackers.
Network Isolation Access Controllers create a secure bridge between these devices and the rest of the network. Traffic from an IoT sensor routes only to its designated collector. A compromised camera cannot pivot to reach the citizen database.
Three municipal scenarios and how SASE addresses them
The library as a digital hub
A library serves two distinct user groups with different security requirements. Staff need access to the lending system and administrative applications. Citizens expect free wifi for browsing, research, and digital services.
SASE provides software-defined segmentation that keeps these environments separate even when sharing the same internet connection. Staff authenticate through ZTNA and access only their permitted applications. Citizens connect to a filtered network where SWG blocks known threats and inappropriate content. The municipality maintains clear logs for accountability without exposing staff systems to public traffic.
Sports centre with IoT integration
A modern sports complex includes energy management sensors, security cameras, digital access systems, and often public wifi. Each category of device has different trust requirements and communication patterns.
NIAC hardware places each device type in its own isolated segment. Sensors communicate only with their energy monitoring platform. Cameras reach the video management system and nothing else. If an attacker compromises a poorly secured camera, they cannot move laterally to access booking systems or citizen data.
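The isolation rule from the NIAC section and this scenario (each device class reaches its designated collector and nothing else) can also be checked from the logging side. The following added example, which is not vendor code, audits flow records against a per-segment allow-list; the subnets, collector addresses, ports and flow records are constructed for illustration.

```python
import ipaddress

# Constructed segments: each device class has one permitted (destination, port).
SEGMENTS = {
    "camera": {"net": "10.20.1.0/24", "allowed": {("10.50.0.10", 554)}},   # video management system
    "sensor": {"net": "10.20.2.0/24", "allowed": {("10.50.0.20", 8883)}},  # energy monitoring platform
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.1.15", "10.50.0.10", 554),    # camera -> video management: expected
    ("10.20.2.7", "10.50.0.20", 8883),    # sensor -> energy platform: expected
    ("10.20.1.15", "10.60.0.5", 5432),    # camera -> booking database
    ("10.20.2.7", "10.20.1.15", 80),      # sensor -> camera, cross-segment
    ("10.30.0.4", "10.50.0.10", 443),     # staff subnet, not an IoT source
]

def classify(src):
    """Map a source address to its IoT device class, or None if out of scope."""
    addr = ipaddress.ip_address(src)
    for name, seg in SEGMENTS.items():
        if addr in ipaddress.ip_network(seg["net"]):
            return name
    return None

def violations(flows):
    """Return every flow from an IoT segment to a destination that is not
    on that segment's allow-list (candidate lateral movement or misconfiguration)."""
    found = []
    for src, dst, port in flows:
        device_class = classify(src)
        if device_class is None:
            continue  # only IoT segments are audited here
        if (dst, port) not in SEGMENTS[device_class]["allowed"]:
            found.append((device_class, src, dst, port))
    return found
```

With enforcement in place these flows would be dropped at the controller; the same check run over centralised logs shows whether the isolation holds at every site.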
Hybrid work and crisis response
Municipal staff increasingly work from home or from citizen locations. During crisis situations, key personnel must access sensitive systems from wherever they happen to be.
ZTNA provides consistent security regardless of location. A staff member working from home receives the same protection and access controls as if they were in the town hall. There is no difference in user experience between office and remote connections, and no performance penalty from routing through a central VPN concentrator.
A phased implementation roadmap
Phase 1: Assessment and planning. Conduct a gap analysis against NIS2 requirements. Inventory all locations, applications, and user groups. Present findings to the college of mayor and aldermen, as their understanding of personal liability is essential for budget approval.
Phase 2: Network modernisation. Deploy SD-WAN at locations with connectivity bottlenecks or expiring MPLS contracts. Use zero-touch provisioning to accelerate rollout. Immediate benefits in performance and cost provide quick wins for stakeholder buy-in.
Phase 3: Zero Trust access. Replace VPN access with ZTNA, starting with staff who handle sensitive citizen data. Implement device posture checks as a gateway to access. This phase significantly improves security posture without disrupting end user workflows.
Phase 4: Security consolidation. Integrate SWG and FWaaS to protect internet traffic and enforce consistent policies. Retire physical firewall appliances at satellite locations. Configure NIAC for IoT device isolation.
Phase 5: Continuous improvement. Use the visibility from centralised logging to optimise policies. Prepare audit evidence packages. Monitor emerging requirements around AI governance and data sovereignty as the EU AI Act takes effect.
The Belgian support ecosystem
Belgian local governments benefit from several support mechanisms that facilitate SASE adoption. Digitaal Vlaanderen coordinates ICT initiatives including SecureDNS, available through existing framework contracts. The VVSG provides cybersecurity toolkits based on NIST frameworks and operates the Cyber Response Team for both proactive support and incident response.
Audit Vlaanderen offers cofinancing for ICT security audits, covering up to two-thirds of basic audit costs. This provides a low-risk starting point for municipalities still working to close compliance gaps.
Frequently asked questions
Does SASE work with heritage buildings where cabling is restricted?
Yes. SD-WAN operates over any available connection, including 5G mobile links. Sites with cabling restrictions can use wireless options without compromising security. The software-defined approach means security policies apply regardless of the underlying transport.
How does this help with NIS2 compliance?
SASE provides centralised logging, policy versioning, and access controls in a single platform. This simplifies evidence collection for auditors. Identity-based access with continuous verification demonstrates the least privilege principle required by NIS2. Organisations already subject to audits report that unified platforms significantly reduce preparation time.
Can we implement this with limited IT staff?
Cloud-managed SASE reduces operational overhead compared to managing distributed appliances. Zero-touch deployment accelerates site rollout. Many municipalities work with managed service providers who handle day-to-day operations while internal staff focus on policy and governance.
What about public wifi liability?
SWG protects users on public networks from known threats while maintaining appropriate logging. The municipality can demonstrate reasonable security measures without monitoring individual browsing activity. Standards like WPA2 Enterprise or Publicroam can be integrated for safer authentication.
How long does implementation take?
A phased approach delivers value within weeks. SD-WAN at initial sites can be operational in days. ZTNA for priority user groups follows within a month. Full deployment across all locations typically takes 6-12 months depending on scope and complexity.
What about data sovereignty requirements?
European SASE providers like Jimber ensure data processing stays within EU boundaries. As data sovereignty requirements tighten under various EU regulations, this becomes increasingly important for public sector organisations handling citizen data.
Simplify security for your distributed services
Managing dozens of locations with limited IT resources requires a different approach than enterprise security models designed for large central offices. SASE consolidates network and security functions into a single platform that scales with your municipality, not against it.
Jimber delivers Real SASE with a European focus, transparent pricing, and implementation support designed for organisations that need security to work without endless projects.
Book a demo to see how a unified platform can secure your libraries, sports centres, and hybrid workforce from one console.