NIS2 in Belgium
The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope of application to increase the resilience of critical infrastructures against cyber attacks.
The NIS2 Directive was transposed into Belgian law by the Act of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of general interest for public safety, and the Royal Decree of 9 June 2024 (together referred to as the Belgian NIS2 law).
On this page you will find everything you need to know about the impact of NIS2 in Belgium on your organisation and how you can prepare for the new cybersecurity requirements and compliance obligations under the Belgian NIS2 law.
Do you have questions about how NIS2 applies to your organisation in Belgium? Please contact us.
Scope of the Belgian NIS2 Law
To determine whether your organisation falls within the scope of the Belgian NIS2 law, three main criteria must be assessed: the services you provide, the size of your entity and the link with Belgium.
In principle, an organisation falls under the NIS2 law when:
- Your organisation provides services listed in Annex I or Annex II of the Belgian NIS2 law;
- Your organisation exceeds the threshold values for medium-sized enterprises; and
- Your organisation is established in Belgium.
Regardless of these criteria, the following entities are automatically subject to the NIS2 law:
- Operators of critical infrastructure under the Law of 1 July 2011 on the security and protection of critical infrastructure, regardless of size;
- Providers of essential services (PES) and digital service providers (DSP) as defined under the NIS1 law.
Sector classification under Annex I and Annex II
Annex I and Annex II, together with Chapter 2 “Definitions” of the Belgian NIS2 law, define the sectors that fall within scope. It is crucial to analyse which services your organisation provides in each relevant (sub)sector.
| Annex I: Very critical sectors | Annex II: Other critical sectors |
|---|---|
| Energy (electricity, district heating and cooling, oil, gas, hydrogen) | Postal and courier services |
| Transport (air, rail, water, road) | Waste management |
| Banking | Manufacture, production and distribution of chemicals |
| Financial market infrastructures | Manufacture, processing and distribution of food |
| Health | Manufacturing: medical devices and in vitro diagnostic devices; computer, electronic and optical products; electrical equipment; machinery and equipment (n.e.c.); motor vehicles, trailers and semi-trailers; other transport equipment |
| Drinking water | Digital providers |
| Wastewater | Research |
| Digital infrastructure | |
| ICT service management (business-to-business) | |
| Public administration | |
| Space | |
If your organisation provides services listed above and also meets the size and establishment criteria, it will in principle fall within the scope of the Belgian NIS2 law.
Company size criteria
The size of the entity is a key determinant in classifying NIS2 obligations. As a general rule, an entity must be at least a medium-sized enterprise.
The European definition (Recommendation 2003/361/EC) classifies enterprises by number of full-time equivalents (FTE) and financial thresholds (annual turnover and/or annual balance sheet total).
Example: A company with 55 FTE (medium-sized), EUR 20 million turnover (medium-sized), and EUR 50 million balance sheet total (large) is still classified as a medium-sized enterprise.
Entity classification (Annex I–II × enterprise size)
| | Medium-sized enterprise | Large enterprise |
|---|---|---|
| Annex I services | Important entity | Essential entity |
| Annex II services | Important entity | Important entity |
Additional considerations when determining entity size:
- Group structure: consolidated figures must be used.
- Certain entities fall under the NIS2 law regardless of size:
  - Qualified trust service providers (essential)
  - Non-qualified trust service providers (important for SMEs; essential for large entities)
  - DNS service providers (essential)
  - TLD registries (essential)
  - Domain name registration services (for registration obligations)
  - Providers of public electronic communications networks (essential)
  - Providers of public electronic communications services (essential)
  - Critical infrastructure operators under the Law of 1 July 2011 (essential)
  - Authorities depending on the Federal State (essential)
- The CCB may designate entities as essential or important even if they do not meet the standard criteria.
Establishment in Belgium
Generally, the Belgian NIS2 law applies only to entities with an establishment in Belgium. However, the following entities fall within scope by exception:
- Providers of public electronic communications networks or services offering them in Belgium;
- DNS service providers, TLD registries, domain name registration service providers, cloud computing services, data centre services, content delivery networks, managed services, managed security services, online marketplaces, search engines or social networking platforms, if their main establishment or EU legal representative is located in Belgium;
- Public authorities established by Belgium.
Additional designation of entities
Even if an organisation does not meet the above criteria, it may still fall under the Belgian NIS2 law if:
- The CCB designates it as an essential or important entity; or
- The organisation forms part of the supply chain of an NIS2 entity.
To assess whether your organisation falls under the Belgian NIS2 law, you can use the CCB’s NIS2 Scope Test Tool. For a general explanation of entity types and size thresholds, see our About NIS2 page.
What does NIS2 mean for my organisation in Belgium?
The Belgian NIS2 law imposes a series of legally binding obligations on entities classified as essential or important. These obligations relate to registration, cybersecurity risk management, incident reporting and cooperation with supervisory authorities.
1. Registration of essential and important entities (Safeonweb@Work)
Entities falling within the scope of the Belgian NIS2 law must register with the Centre for Cybersecurity Belgium (CCB). Registration is completed through the Safeonweb@Work platform. Non-NIS2 entities are also encouraged to register, as this provides access to additional threat intelligence and cybersecurity support services. Only organisations registered in the Crossroads Bank for Enterprises (CBE), with a company or establishment number, can register online. Entities without a CBE number must contact the CCB directly via nis@ccb.belgium.be. Registration may be completed by a legal representative or an authorised employee through the Mijn eGov Rolbeheer platform.
Registration deadlines
By 18 December 2024 for:
- DNS service providers
- Top-level domain name registries
- Domain name registration service providers
- Cloud computing service providers
- Data centre service providers
- Content delivery network providers
- Managed service providers
- Managed security service providers
- Online marketplaces
- Online search engines
- Social networking platforms
By 18 March 2025 for:
- Essential and important NIS2 entities
- Domain name registration service providers (general registration requirement)
2. Implementing cybersecurity risk management measures
Essential and important entities must implement proportionate technical and organisational measures to protect their network and information systems from cyber threats. These measures must align with the entity’s risk exposure, operational scale and the potential societal impact of service disruptions. The Belgian NIS2 law defines a baseline set of 11 mandatory cybersecurity measures:
- Policy for risk analysis and information system security
- Incident management
- Business continuity and crisis management
- Supply chain security
- Secure acquisition, development and maintenance of network and information systems, including vulnerability handling
- Policies and procedures for assessing effectiveness of cybersecurity measures
- Cyber hygiene and cybersecurity training
- Policies and procedures on cryptography and, where applicable, encryption
- Personnel security, access control and asset management
- Multi-factor authentication, secure communication and emergency communication systems (where applicable)
- Coordinated vulnerability disclosure (CVD) policy
3. Reporting obligations for significant incidents
Essential and important entities must notify the national CSIRT – in Belgium the CCB – without delay when a significant incident occurs. They must also inform service recipients if the incident affects services within the sectors listed in Annex I or Annex II. A “significant incident” is any event that substantially affects the provision of services in Annex I or II sectors and:
- has caused or may cause serious operational disruption or financial losses, or
- has affected or may affect other natural or legal persons by causing significant material or immaterial damage.
Incident notification procedure
- Within 24 hours: submit an early warning via the CCB’s notification platform, including the suspected cause and any cross-border impact.
- Within 72 hours: submit an incident notification including an information update and an initial assessment.
- Submit an interim report if requested by the CCB or the relevant sectoral authority.
- Within 1 month: submit a final report containing:
  - A detailed incident description and its consequences
  - The likely threat type or root cause
  - Applied and ongoing mitigation measures
  - Cross-border impact, if applicable
- If the incident is still ongoing after one month, submit a progress report and a new final report after resolution.
4. Management obligations and responsibilities
Management bodies of essential and important entities are legally required to ensure compliance with the NIS2 law. Their responsibilities include:
- Completing executive cybersecurity training to acquire the necessary knowledge and skills.
- Approving the organisation’s cybersecurity risk management measures.
- Monitoring the implementation and continuous improvement of these measures.
5. Cooperation with authorities
NIS2 entities must cooperate with the CCB and relevant sectoral authorities, including:
- Sharing information on network and information system security
- Providing documentation and evidence during inspections
- Reporting incidents via the designated CCB platform
- Participating in supervisory and follow-up activities
How to demonstrate NIS2 compliance in Belgium
To comply with NIS2 legislation in Belgium, entities that fall within the scope of NIS2 must be able to demonstrate that they have an appropriate level of cybersecurity. Depending on the classification of the entity, there are different procedures for such conformity assessment:
- Essential entities: these entities are monitored both proactively and reactively and are required to undergo regular conformity assessments. They can choose from the following:
  - Obtain a CyberFundamentals (CyFun) certification (Essential level) or a CyFun verification (Important or Basic level) through a Conformity Assessment Body (CAB) authorised by the CCB;
  - Obtain ISO/IEC 27001 certification via an accredited CAB;
  - Undergo an inspection by the CCB inspection service or by a sectoral inspection service.

  The certificates of conformity obtained in this way provide a presumption of conformity, which means that the entity is deemed to comply with the obligations of the NIS2 law until proven otherwise.
- Important entities: in principle, these entities are only subject to reactive supervision after an incident or when there are indications of non-compliance. However, they may voluntarily opt for regular conformity assessment, comparable to essential entities, in order to obtain a presumption of conformity. In such cases, important entities can choose between CyFun and ISO/IEC 27001.
Below, the three options for conformity assessment in Belgium are explained in more detail so that you can determine which approach best fits your organization.
Would you like tailored guidance in choosing between CyFun, ISO/IEC 27001 or an inspection by the authorities? Contact a Brand Compliance expert to discuss the most suitable conformity assessment route for your organization.
CyberFundamentals label
The CCB has developed a framework consisting of concrete measures aimed at better protecting data, reducing the risk of the most common cyberattacks and increasing the cyber resilience of an organization.
Based on the severity of the threat to which an organization is exposed, a distinction is made between the starter level Small and three security levels Basic, Important and Essential. The CyFun Framework contains a set of control measures for each level.
To obtain the CyFun label, the following steps must be taken:
- Determine the CyFun security level by conducting a risk assessment. You can use the CyFun Selection Tool for this.
- Complete a Self Assessment and implement corrective measures.
- Have the Self Assessment and the implemented measures verified or certified by a CAB.
- Apply for the CyFun label via the Safeonweb@Work portal.
ISO/IEC 27001 certification
Another way to demonstrate compliance with NIS2 is to obtain ISO/IEC 27001 certification. ISO/IEC 27001 is the globally recognised standard for information security and describes the requirements for setting up, implementing, maintaining and continuously improving an Information Security Management System (ISMS).
The following steps must be taken to obtain ISO 27001 certification:
- Acquire the necessary knowledge about ISO/IEC 27001, for example through training courses.
- Implement the ISO 27001 management system in your organization in accordance with the standard requirements.
- Conduct internal audits.
- Have management assess the results of the internal audit and take corrective measures if necessary. Record the conclusion about compliance with the requirements in the management review.
- Contact an accredited CAB (Conformity Assessment Body) to conduct an external audit.
Inspection by CCB or sectoral inspection service
An NIS2 entity can also submit directly to an inspection by the authorities, i.e. the CCB and/or the sectoral inspection service. This inspection may consist of on-site inspections, on-site supervision, ad hoc audits, security scans and requests for information and evidence.
Failure to respond adequately to requests from the inspection services may result in administrative fines being imposed on the NIS2 entity. A fee is charged for an inspection by the CCB or the sectoral inspection service.
When choosing between one of the three options above, it is important to take various factors into account. If your organization is looking for an internationally recognised, structured and future-oriented solution, it is generally advisable to opt for ISO/IEC 27001 certification. This certificate not only supports NIS2 compliance, but also provides overall information security management and reinforces trust among customers and partners.
For smaller organizations with a primarily national focus, the CyberFundamentals label may be the most appropriate option. This label is specifically designed for the Belgian market and is not intended for international use with customers or suppliers.
A CCB inspection is particularly useful for organizations that wish to be assessed directly by the authorities, without the intervention of a CAB.
How to choose and prepare for a conformity assessment
The overview below brings the three options together into a practical, step-by-step approach to NIS2 conformity assessment in Belgium.
- Determine your NIS2 classification: confirm whether your entity is classified as an essential or important entity under the Belgian NIS2 law and identify any sector-specific expectations from the CCB or sectoral authorities.
- Select the most suitable assessment route: decide whether a CyFun label, ISO/IEC 27001 certification or a direct inspection by the CCB or a sectoral inspection service best fits your risk profile, size and strategic objectives.
- Implement and document security measures: align your cybersecurity controls with the chosen framework (CyFun controls or ISO/IEC 27001 requirements) and document policies, procedures and evidence in a structured way.
- Perform internal verification: carry out internal reviews or self-assessments (such as the CyFun Self Assessment or internal ISMS audits) and remediate identified gaps before engaging external parties.
- Engage a CAB or the CCB/sectoral inspectorate: plan the external audit, verification or inspection and provide the requested documentation and evidence to demonstrate your level of NIS2 compliance.
- Maintain and improve your level of assurance: follow up on findings, implement corrective actions and prepare for periodic reassessments to retain your CyFun label or ISO/IEC 27001 certificate, or to demonstrate sustained compliance during future inspections.
Do you want support in preparing for CyFun or ISO/IEC 27001 in Belgium? Schedule an appointment with a Brand Compliance specialist to discuss how certification can support your NIS2 compliance strategy.
Sanctions under the Belgian NIS2 law
The Belgian NIS2 law provides for specific sanctions for entities that do not comply with their legal obligations. Depending on the nature and severity of the infringement, measures may range from administrative measures to substantial administrative fines.
Administrative measures
The Centre for Cybersecurity Belgium (CCB) can impose various administrative measures on non-compliant NIS2 entities, including:
- Issuing formal warnings;
- Appointing a supervisory officer to monitor compliance;
- Temporarily suspending a certification or licence;
- Temporarily prohibiting the performance of managerial functions;
- Other supervisory measures deemed necessary by the CCB.
Administrative fines
Administrative fines are laid down in law and can range from EUR 500 to EUR 10,000,000. In the event of repeated infringements within a period of three years, these fines may be doubled.
For a complete overview of applicable administrative measures and fine levels, please refer to the CCB’s official information on NIS2 sanctions and enforcement.
Timeline for NIS2 obligations in Belgium
The Belgian NIS2 law enters into force on 18 October 2024. From this date, all NIS2 entities are required to implement the minimum set of cybersecurity control measures and to report significant incidents according to the prescribed procedure. Administrative bodies must also fulfil their statutory responsibilities and entities become subject to supervision by the competent authorities.
All entities must complete their registration via Safeonweb@Work no later than 18 March 2025. For certain categories, an earlier deadline applies: DNS service providers, top-level domain name registries, domain name registration service providers, cloud computing service providers, data centre operators, content delivery networks, managed service providers, managed security service providers, online marketplaces, search engines and social networking platforms must register by 18 December 2024.
Essential entities are additionally subject to recurring conformity assessment obligations. As described in the compliance section, they may choose between the CyberFundamentals Framework, ISO/IEC 27001 certification, or an inspection by the CCB or a sectoral inspection service.
1. CyberFundamentals Framework
1.1 Basic assurance level
Entities required to comply with the Basic level must obtain a Basic verification by an accredited and recognised CAB no later than 18 April 2026.
1.2 Important assurance level
Entities at the Important assurance level must obtain either a Basic or Important verification by 18 April 2026. If needed, they may achieve Basic verification first and obtain Important verification by 18 April 2027.
1.3 Essential assurance level
Entities at the Essential level must obtain Basic or Important verification by 18 April 2026 and must obtain Essential certification by 18 April 2027.
2. ISO/IEC 27001 certification
Entities opting for ISO/IEC 27001 must submit their scope and Statement of Applicability (SoA) to the CCB by 18 April 2026 and must be certified by an accredited CAB by 18 April 2027.
3. Inspection by the CCB or a sectoral inspection service
Entities opting for an inspection instead of certification must submit their CyFun Basic/Important self-assessment, or their ISO/IEC 27001 information security policy, scope, and SoA to the CCB. A progress report must be submitted by 18 April 2027.
Source: Safeonweb.be, consulted on 27/03/2025
Authorities responsible for NIS2 in Belgium
The Belgian NIS2 framework assigns supervisory, regulatory and enforcement responsibilities to several authorities.
The central authority is the Centre for Cybersecurity Belgium (CCB), supported by sectoral regulators where applicable.
Understanding which authority oversees your organisation is essential for compliance and reporting.
Centre for Cybersecurity Belgium (CCB)
The CCB acts as Belgium’s national cybersecurity authority and is responsible for:
- supervision of essential and important NIS2 entities;
- managing the Safeonweb@Work registration platform;
- operating the national CSIRT for incident reporting;
- conducting inspections, audits, on-site verifications and security scans;
- issuing administrative measures and imposing administrative fines;
- approving and recognising Conformity Assessment Bodies (CABs) for CyFun verification and certification.
Sectoral authorities
Depending on the sector in which an entity operates, sector-specific authorities may also exercise supervisory or inspection powers.
These authorities collaborate with the CCB to ensure compliance within their respective domains.
Examples include regulators in:
- energy
- transport
- finance and banking
- healthcare
- digital infrastructure
Sectoral authorities may request documentation, conduct inspections or initiate corrective action in coordination with the CCB.
Federal authorities
Public authorities that fall under the Federal State are themselves classified as essential entities under NIS2.
They are supervised by the CCB and must comply with the same obligations related to:
- risk management measures;
- incident reporting;
- governance responsibilities of administrative bodies.
Cooperation between authorities
The Belgian NIS2 system is designed to ensure close alignment between the CCB, sectoral regulators and relevant governmental bodies.
This cooperation strengthens national cybersecurity resilience and ensures uniform enforcement of the legislation.
Frequently asked questions about NIS2 in Belgium
Which organisations fall under the Belgian NIS2 law?
An organisation falls within the scope of NIS2 if it provides services listed in Annex I or Annex II, meets the size criteria for medium-sized enterprises and is established in Belgium. Certain entities (e.g. DNS service providers, trust service providers, operators of critical infrastructure) fall under NIS2 regardless of their size.
What is the deadline for registering with Safeonweb@Work?
Most NIS2 entities must register by 18 March 2025. For DNS service providers, cloud providers, managed service providers, online marketplaces, social networking platforms and similar service categories, the deadline is 18 December 2024.
What are the key cybersecurity measures required under NIS2?
Entities must implement a minimum set of eleven security measures, including risk analysis, incident management, supply chain security, cryptography, cyber hygiene, multi-factor authentication and coordinated vulnerability disclosure.
Which authority handles NIS2 incident notifications?
All significant incident notifications must be made to the CCB, which operates as the national CSIRT. Notifications must be submitted within 24 hours (early warning), 72 hours (incident report) and one month (final report).
How can my organisation demonstrate compliance with NIS2 requirements?
In Belgium, entities may choose between:
- CyberFundamentals (CyFun) verification or certification;
- ISO/IEC 27001 certification by an accredited CAB;
- inspection by the CCB or a sectoral inspection authority.
Are management bodies personally liable under NIS2?
Yes. Administrative bodies are legally responsible for approving cybersecurity measures, monitoring implementation and completing executive training. They may be held liable in cases of non-compliance.
What sanctions apply for non-compliance?
Sanctions include administrative measures (warnings, temporary suspension of certifications or licences, supervisory appointments) and administrative fines ranging from EUR 500 to EUR 10,000,000. Repeated offences within three years may result in doubled fines.
Does NIS2 apply to organisations outside Belgium?
Yes, in specific cases. For example, providers of cloud services, online marketplaces or social networking platforms fall under the Belgian NIS2 law if they have their EU representative or main establishment in Belgium.
Can non-NIS2 organisations still be affected?
Yes. Non-NIS2 organisations may be impacted if:
- they belong to the supply chain of an NIS2 entity, or
- the CCB designates them as essential or important in specific circumstances.
