The Merode, Brussels — 7 April 2026

Prepared by Nicolas Pettiaux mathematics teacher at the Athenee Royal de Ganshoren (Brussels), doctor in physics and master in management from ULB, scientific collaborator at ULB, president of the ASBL EduCode, official representative of Creative Commons in Belgium

The questions below are addressed by name to the five speakers at the conference. They are based on documented facts and verifiable sources. They aim to go beyond the usual promotional register of aviation sector panels in order to address the structural vulnerabilities, strategic dependencies and legal responsibilities that genuinely weigh on Belgian and European airport infrastructure.

Speakers:

• Arnaud Feist — CEO, Brussels Airport Company
• Laurent Jossart — CEO, Liege Airport
• Christophe Segaert — CEO, Brussels South Charleroi Airport
• Dieter Vranckx — Member of the Executive Board, Lufthansa Group
• Julien Vialade — Partner, BCG

On 20 September 2025, a cyberattack targeted the MUSE software provided by Collins Aerospace, a subsidiary of the American group RTX, used in more than 170 airports worldwide.¹⁾ Passenger check-in was carried out manually with handwritten boarding passes for several days; Brussels Airport asked airlines to cancel half of scheduled flights the following Monday.²⁾

Q1. Collins Aerospace had already been the victim of an attack by the Russian group BianLian in 2023 and had paid the ransom. Experts estimate that the data compromised in that first attack was likely used to prepare the second, and that the ransom demanded in the 2025 incident was between 5 and 10 million dollars.³⁾ How could Brussels Airport have renewed or maintained a critical contract with a provider whose security track record was already compromised and documented?

Q2. The Thales group counted 27 ransomware cyberattacks targeting the aviation sector between January 2024 and April 2025, a 600% increase in one year.⁴⁾ Given this explosion of attacks, why are critical check-in systems still entrusted to a single American provider, with no European sovereign redundancy?

Q3. Brussels Airport classified the cyberattack as “force majeure”, which exempted airlines from any financial compensation to passengers.⁵⁾ This legal qualification, convenient for operators, amounts to shifting the cost of a deliberately outsourced systemic risk onto passengers. Have you initiated recovery proceedings against Collins Aerospace, and if not, why not?

Q4. In April 2025, an e-gate failure had already immobilised non-Schengen flight passengers for 70 minutes.⁶⁾ The problem is therefore not isolated, but structural. What is your concrete plan to reduce this dependency on systems over which you control neither the code, nor the hosting, nor the subcontracting chain?

Q5. Passenger reservation and management systems (Amadeus, Sabre, Navitaire) are predominantly American and subject to the CLOUD Act. Do you have legal certainty that Belgian passengers' data cannot be accessed by US federal agencies without a European warrant?

Q6. The Court of Justice of the EU successively invalidated Safe Harbor and Privacy Shield. The current Data Privacy Framework is already being challenged. Do you have a continuity plan if this third agreement is also struck down?

Q7. PNR agreements impose the mass transfer of data to the United States. In the context of the new American administration and its political use of data, have you reassessed the risks associated with these mandatory transfers?

Cainiao, Alibaba's logistics subsidiary, made Liege its European hub as early as 2018.⁷⁾ In 2025, e-commerce parcel volumes jumped by 35%, with more than 1.35 billion parcels processed.⁸⁾ Customs can physically inspect only 0.006% of declarations, approximately 216 cases per day, and in some product categories, the non-compliance rate reaches 100%.⁹⁾

Q8. Belgian air exports have declined, resulting in a 60 million euro loss, while Chinese imports increased by 600 million euros over the same period.¹⁰⁾ Liege's model therefore rests on a structurally imbalanced flow that impoverishes the Belgian productive economy in favour of Chinese commerce. Do you publicly acknowledge this strategic choice, or do you continue to present this imbalance as a logistical success?

Q9. The European Commission is considering a flat-rate tax of 3 euros on imported parcels worth less than 150 euros, applicable from July 2026. If this tax comes into force, a significant share of traffic will shift from air to sea. Have you modelled the financial impact on the airport, and what proportion of your revenue currently depends solely on Chinese carriers?

Q10. Researchers warned from the outset that this development was taking place within the framework of extremely dependent relationships with foreign operators, making the airport highly vulnerable, and that with Alibaba “it will be the same thing” as with FedEx, which left Liege overnight, eliminating a third of jobs.¹¹⁾ What contractual clause concretely protects you against a sudden departure by Cainiao?

Q11. Belgium quietly paid a fine of 251 million euros in 2021 in connection with the fraudulent import of Chinese textiles at Liege Airport.¹²⁾ Who made the decision to pay in silence, and what structural measures have been put in place since then to prevent the airport from serving as a gateway for fraudulent goods at the scale of one billion parcels?

Q12. The agreement with Alibaba was signed without citizens being informed in advance and without any global impact assessment being conducted.¹³⁾ Alibaba is a company in which the Chinese state holds a strategic stake and whose subsidiary Alibaba Cloud used its facial recognition software to monitor the Uyghurs. How do you justify this dependency on an actor linked to a state that practises mass surveillance?

Q13. Liege has put itself forward as a candidate to host the future European Customs Authority (EUCA).¹⁴⁾ Is there not a fundamental contradiction in seeking the seat of a control authority while being structurally incapable of verifying more than 0.006% of the parcels passing through your platform?

Q14. Ryanair regularly threatens to leave Charleroi. What is the real negotiating margin of a regional airport against such a company, and what concrete counterparts (guaranteed jobs, minimum flight frequencies, termination penalties) are included in your current contract?

Q15. The low-cost model relies heavily on the casualisation of flight crew, notably through the use of bogus self-employment and umbrella companies. Legal proceedings are under way in several European countries. Has Charleroi assessed its joint liability as a platform hosting these operators?

Q16. The French tax on small parcels has already caused a diversion of Chinese flights towards Belgium.¹⁵⁾ If the European 3-euro tax comes into force in July 2026, do you anticipate substitution flows towards Charleroi, and is your infrastructure prepared to handle e-commerce freight?

Q17. The competition between Brussels Airport, Liege and Charleroi takes place within a few dozen kilometres. All three airports benefit from Walloon or federal public funding. Is a formal coordination of capacities conceivable, or is competition between Belgian public entities a permanent political choice?

Q18. Brussels Airlines belongs to the Lufthansa Group. Its automatic baggage drop system, independent of Brussels Airport's own system, allowed the airline to partially withstand the September 2025 cyberattack.¹⁶⁾ Is this resilience the result of a deliberate digital sovereignty strategy, or an architectural coincidence?

Q19. The closure of Russian airspace has redrawn routes to Asia, lengthening flight times and increasing costs. Have you quantified the annual extra cost for the Lufthansa Group, and to what extent does this affect the competitiveness of European carriers compared to Gulf operators not subject to the same constraints?

Q20. The Lufthansa Group is deploying artificial intelligence tools for slot optimisation, dynamic pricing and predictive maintenance. Are these tools developed in-house, hosted on European servers, and auditable by your own engineers? Or have you outsourced part of your operational sovereignty to American platforms?

Q21. Sustainable Aviation Fuels (SAF) represent less than 1% of fuel used. The ReFuelEU regulation sets increasing obligations. What is the real per-ticket cost that the Lufthansa Group estimates for these obligations by 2030, and will this cost be passed on in full to passengers?

Q22. BCG has advised many European airports and airlines on their digital strategies. Have you recommended or validated system architectures that created single-provider dependencies (of the Collins Aerospace type) now exposed by cyberattacks? If so, what is a consulting firm's responsibility for such choices?

Q23. Liege's economic model is now massively dependent on Chinese e-commerce and postal subsidies that constitute structural dumping. Has BCG modelled exit scenarios from this dependency, and if such scenarios exist, why are they not public?

Q24. The ecological transition of the aviation sector requires massive investment in SAF, hydrogen and tarmac electrification. Does BCG consider that the private sector can finance this transition alone, or that European public regulation mechanisms are inevitable? And if regulation is inevitable, why does the industry continue to systematically oppose it in the corridors of Brussels?

Q25. The concentration of the European airport digital systems market in the hands of three or four American actors (Collins Aerospace/RTX, SITA, Amadeus, Sabre) constitutes an identified systemic risk. Have you advised European airports on strategies to reduce this dependency, and what are the real obstacles to their implementation?

Q26. The European AI Act classifies real-time biometric recognition in public spaces as a high-risk use. Do your airports or airlines use such systems today, and under what precise legal basis?

Q27. The NIS2 Directive, which entered into force in October 2024, applies to critical airport infrastructure. Have you achieved full compliance, and who in your organisation is personally responsible and accountable for this?

Q28. Who controls the data of passengers passing through your airports, and is it hosted on European servers? Is the answer to this question accessible to the Belgian data protection authorities on simple request?

NIS2 (Network and Information Security 2, EU Directive 2022/2555) is the overhaul of the 2016 European directive on the security of network and information systems. It entered into force on 17 October 2024. The new directive primarily aims to build on NIS1's efforts to improve the security of organisations against growing cybersecurity risks, extend the scope to new sectors and organisations, and strengthen risk and incident management by imposing more stringent requirements.¹⁷⁾

NIS2 registration applies to all medium and large enterprises belonging to one of the 18 sectors defined in the directive.¹⁸⁾ These sectors cover energy, transport, health, water, digital infrastructure, financial services, waste management, postal services, food and chemicals – a significantly broader scope than NIS1.

Two categories are distinguished: Essential Entities (EE), subject to proactive supervision and mandatory audits; and Important Entities (IE), subject to lighter supervision.

The directive was transposed by the Law of 26 April 2024 and the Royal Decree of 9 June 2024, with the Centre for Cybersecurity Belgium (CCB) as the competent authority. Registration is mandatory via the Safeonweb@Work portal, with deadlines that passed in late 2024 and early 2025. By late November 2025, Belgium had registered 1,500 essential entities and 2,500 important entities.¹⁹⁾

1. Mandatory registration with the CCB via the Safeonweb@Work portal.

2. Risk management: a thorough cybersecurity risk analysis is mandatory, at least once a year for essential entities. Entities must adopt a coordinated vulnerability disclosure policy and develop a plan to address identified risks.²⁰⁾

3. Incident notification: significant incidents must be reported to the CCB on a tight schedule: initial warning within 24 hours, further information within 72 hours, final report within 30 days.²¹⁾

4. Personal liability of management: this is the major innovation compared to NIS1. Board members are personally liable, and regulators may temporarily bar management body members from exercising managerial responsibilities if the organisation persistently fails to remedy serious issues. Senior executives must attend cybersecurity training.²²⁾

5. Supply chain security: entities must conduct cybersecurity due diligence on their supply chain, assessing the security practices of their suppliers and service providers. This is precisely the obligation that should have led Brussels Airport to audit Collins Aerospace before entrusting it with its critical check-in systems.

6. Sanctions: administrative fines for non-compliance can reach 10 million euros or 2% of the entity's total worldwide turnover. Additional measures may be imposed: warnings, binding instructions, temporary suspension of certification or licence.²³⁾

The Collins Aerospace affair of September 2025 illustrates exactly what NIS2 seeks to prevent: a failure in the digital subcontracting chain. Under NIS2, Brussels Airport should have audited its provider before signing the contract, maintained an operational continuity plan independent of that provider, and notified the CCB of the incident within 24 hours. Question Q3 addressed to Arnaud Feist in this document is therefore directly grounded in positive Belgian and European law.

Document distributed under CC-BY-SA 4.0 licence — Nicolas Pettiaux — 7 April 2026