NIS2 Belgium: what you need to know about compliance and certification

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope of application to increase the resilience of critical infrastructures against cyber attacks.
The NIS2 directive was transposed into Belgian law by the act of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of general interest for public safety and the Royal Decree of 9 June 2024.
On this page you will find everything you need to know about the impact of NIS2 on your organisation and how you can prepare for the new regulations.
Affected sectors and entities
In order to determine whether your organisation falls under the Belgian NIS2 law, there are several criteria regarding the services offered, the size of the entity and the location of the entity. In principle, the entity falls under the NIS2 law when:
- Your organisation provides services within a sector that is included in Annex I or Annex II of the NIS2 law;
- Your organisation exceeds the threshold values for medium-sized enterprises; and
- Your organisation is established in Belgium.
Regardless of these criteria, the following organisations are automatically subject to the NIS2 law:
- Operators of critical infrastructure within the meaning of the law of 1 July 2011 on the security and protection of critical infrastructure, regardless of their size;
- Providers of essential services (PES) or digital service providers (DSP) as identified under the NIS1 law, regardless of the size thresholds.
Criterion 1: services provided
Annexes I and II and Chapter 2 ‘Definitions’ of the law describe the sectors that fall under the NIS2 law. It is therefore very important to thoroughly analyse the services you provide to third parties per (sub)sector.
Annex I: Very critical sectors | Annex II: Other critical sectors
---|---
Energy (electricity, district heating and cooling, oil, gas, hydrogen) | Postal and courier services
Transport (air, rail, water, road) | Waste management
Banking | Manufacture, production and distribution of chemicals
Financial market infrastructures | Manufacture, processing and distribution of food
Health | Manufacturing (medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment)
Drinking water | Digital providers
Waste water | Research
Digital infrastructure |
ICT service management (business-to-business) |
Public administration |
Space |
If your organisation provides a service from the above overview and also meets the other two criteria with regard to company size and the link with Belgium, the organisation falls within the scope of the NIS2 law.
Criterion 2: company size
In addition to the services provided, the size of the entity also plays a role in determining whether or not it falls within the scope of the NIS2 law. In principle, the entity should be at least a medium-sized enterprise.
According to the European definition, outlined in Recommendation 2003/631/EC, companies are categorised into three groups based on the number of employees (measured in full-time equivalents, FTE) and their financial data (annual turnover and/or annual balance sheet total).
To determine the size of an organisation, the number of persons employed within the entity is determined first. Then the annual turnover and the annual balance sheet total are checked. The company only needs to meet one of the two financial thresholds, either the one for annual turnover or the one for the annual balance sheet total; the other may be exceeded without affecting the SME status.
For example: A company with 55 FTE (medium-sized), an annual turnover of 20 million euros (medium-sized) and a balance sheet total of 50 million euros (large) is classified as a medium-sized enterprise.
Combining criterion 1 with criterion 2 determines whether an entity is classified as an essential or an important NIS2 entity:
Service type | Medium-sized enterprise | Large enterprise
---|---|---
Annex I services | Important entity | Essential entity
Annex II services | Important entity | Important entity
The following points should be taken into account when determining the size of the entity:
- If the entity is part of a group, the consolidated data should be used when calculating the size of the business.
- Certain entities fall under the scope of the NIS2 Act regardless of their size:
  - Qualified trust service providers (essential)
  - Non-qualified trust service providers (important for micro, small or medium-sized enterprises and essential for large enterprises)
  - DNS service providers (essential)
  - TLD name registries (essential)
  - Domain name registration services (only for the registration obligation)
  - Providers of public electronic communications networks (essential)
  - Providers of public electronic communications services (essential)
  - Entities designated as operators of critical infrastructure in accordance with the Act of 1 July 2011 on the security and protection of critical infrastructure (essential)
  - Authorities that depend on the Federal State (essential)
- Furthermore, the national authority for cybersecurity (CCB) can designate an entity as essential or important in certain circumstances within the framework of the NIS2 law.
Criterion 3: establishment in Belgium
In principle, the Belgian NIS2 law can only apply to entities with an establishment in Belgium. However, the following entities are subject to the NIS2 law by way of exception:
- Providers of public electronic communications networks or providers of public electronic communications services that offer their services in Belgium;
- DNS service providers, top-level domain name registries, entities providing domain name registration services, providers of cloud computing services, providers of data centre services, providers of content delivery networks, providers of managed services, providers of managed security services, as well as providers of online marketplaces, online search engines or platforms for social networking services, if they have their main establishment in Belgium or their legal representative for the EU in Belgium in case they have no establishment within the EU;
- Public authorities established by Belgium.
In addition to the three criteria above, note when analysing the scope of the NIS2 law that an organisation outside its scope can still be affected by it in two ways: if the CCB designates the organisation as an essential or important entity, or if the organisation belongs to the supply chain of an NIS2 entity.
To determine whether an entity falls within the scope of the Belgian NIS2 law, the CCB’s NIS2 Scope Test Tool can be used.
What does NIS2 mean for my company in Belgium? Obligations: security measures and compliance duties
The Belgian NIS2 law imposes several obligations on entities that are considered essential or important. These obligations concern:
1. Registering the essential or important entity on Safeonweb@Work
If your entity falls within the scope of the NIS2 law, you must register it with the CCB. You can do this via the online registration platform. In addition, non-NIS2 entities are also advised by the CCB to register in order to benefit from additional services in the context of identifying and limiting cyber threats.
Only organisations that are registered with the Crossroads Bank for Enterprises (CBE) and have a company number or establishment number can register via the online platform. If the entity does not have a CBE number and needs to register as an NIS2 entity in Belgium, it should contact the CCB via nis@ccb.belgium.be.
Registration can also be carried out by a legal representative of the organisation or by an employee who is assigned the necessary special role on the Mijn eGov Rolbeheer platform.
The deadline for submitting the registration depends on the type of entity.
Registration must be submitted by 18 December 2024 at the latest by:
- DNS service providers;
- top-level domain name registries;
- entities providing domain name registration services;
- providers of cloud computing services;
- providers of data centre services;
- providers of content delivery networks;
- providers of managed services;
- providers of managed security services;
- providers of online marketplaces;
- providers of online search engines; and
- providers of social networking platforms.
The deadline for registration is no later than 18 March 2025 for:
- Essential and important entities
- Providers of domain name registration services
You can find more information on the Safeonweb@Work website to answer all your questions regarding the registration of your entity.
2. Implement control measures for cybersecurity risks
Essential and important entities must take appropriate measures to protect their network and information systems against cyber threats. This includes both technical and organisational measures aimed at limiting risks, preventing incidents and minimising the impact of cyber incidents on customers and other services. It is important that the measures are proportional to the risks an organisation faces, as well as the size of the organisation and the potential impact of incidents on society and the economy.
The NIS2 legislation prescribes an all-hazards approach: it takes all forms of threats into account and protects both network and information systems and the physical infrastructure that supports them. The NIS2 law lists 11 cybersecurity measures that must be implemented as a minimum:
- Policy for risk analysis and security of information systems
- Incident management
- Business continuity and crisis management
- Supply chain security
- Security in the acquisition, development and maintenance of network and information systems, including the response to and disclosure of vulnerabilities
- Policies and procedures to assess the effectiveness of measures for managing cybersecurity risks
- Cyber hygiene and training in the field of cybersecurity
- Policies and procedures on cryptography and, where appropriate, encryption
- Security aspects with regard to personnel, access policy and asset management
- Where appropriate, multi-factor authentication, secure communication and secure emergency communication systems within the entity
- Policy for the coordinated disclosure of vulnerabilities
In the implementing regulation 2024/2690, the European Commission has elaborated the above minimum cybersecurity measures for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, providers of content delivery networks, managed services providers, managed security services providers, online marketplaces, online search engines, social networking services platforms and trust service providers.
3. Reporting obligations
Important and essential entities are obliged to inform the national CSIRT, which in Belgium is the CCB, when a significant incident occurs. In addition to the CCB, they must also inform the recipients of their services if the significant incident affects the provision of services in the (sub)sectors of Annexes I and II.
A significant incident is defined in the NIS2 law as ‘any incident that has significant consequences for the provision of one of the services in the sectors or subsectors of Annexes I and II of the law and that:
- has caused or may cause a serious operational disruption of one of the services in the sectors or subsectors of Annexes I and II or financial losses for the entity concerned; or
- has affected or may affect other natural or legal persons by causing significant material or immaterial damage.’
The essential or important entity reports the significant incident to the CCB according to the following procedure:
- Without delay and within 24 hours after becoming aware of the significant incident, the entity submits an early warning via the CCB’s notification platform, stating the suspected cause and any cross-border consequences.
- Without delay and within 72 hours after becoming aware of the significant incident, the entity submits an incident report containing an update of the information and an initial assessment of the incident.
- At the request of the CCB or the relevant sectoral authority, the entity submits an interim report.
- No later than one month after the incident report, the entity submits a final report stating:
  - a detailed description of the incident, as well as its severity and consequences;
  - the type of threat or root cause that probably led to the incident;
  - applied and ongoing risk mitigation measures;
  - the cross-border impact of the incident, if applicable.
- If the incident is still ongoing one month after the incident report, the entity submits a progress report at that point and a final report within one month of the incident being resolved.
In the implementing regulation 2024/2690, the European Commission has defined the criteria for a significant incident for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, providers of managed services, providers of managed security services, providers of online marketplaces, online search engines and platforms for social networking services, and providers of trust services.
Finally, all entities, regardless of whether they fall within the scope of the NIS2 Act, can voluntarily report (significant) incidents, cyber threats and near-incidents to the CCB via the notification platform.
4. Management obligations and responsibilities
The administrative bodies of entities that fall within the scope of the NIS2 Act must fulfil several obligations:
- Follow training to ensure they have sufficient knowledge and skills to identify risks and to assess control measures and their impact on their services.
- Approve the cybersecurity control measures.
- Monitor the implementation of the control measures.
The administrative bodies are liable for non-compliance with the NIS2 Act.
5. Co-operate with the authorities
NIS2 entities must cooperate with the CCB and sectoral authorities. This concerns the exchange of information about the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.
How do I demonstrate compliance with NIS2 requirements in Belgium? Supervision and sanctions: enforcement and penalties
To comply with NIS2 legislation in Belgium, entities that fall within the scope of NIS2 must be able to demonstrate that they have an appropriate level of cybersecurity. Depending on the classification of the entity, there are different procedures for such conformity assessment:
- Essential entities: These entities are supervised both proactively and reactively and are obliged to undergo regular conformity assessments. They can choose one of the following:
  - Obtain a CyberFundamentals (CyFun) certification (Essential level) or a CyFun verification (Important or Basic level) through a Conformity Assessment Body (CAB) authorised by the CCB.
  - Obtain ISO/IEC 27001 certification via an accredited CAB.
  - Have an inspection carried out by the CCB inspection service or by a sectoral inspection service.
  The certificates of conformity obtained in this way provide a presumption of conformity: the entity is deemed to comply with the obligations of the NIS2 Act until proven otherwise.
- Important entities: In principle, these entities are only subject to reactive supervision, i.e. after an incident or when there are indications of non-compliance. However, they can voluntarily opt for regular conformity assessment, comparable to essential entities, in order to obtain a presumption of conformity. In that case, important entities can only choose between CyFun and ISO/IEC 27001.
Below, the three possibilities in Belgium with regard to conformity assessment are explained, so that you can determine which approach suits your organisation:
CyberFundamentals label
The CCB has developed a framework consisting of concrete measures aimed at better protecting data, reducing the risk of the most common cyberattacks and increasing the cyber resilience of an organisation.
Based on the severity of the threat to which an organisation is exposed, a distinction is made between the starter level Small and three security levels Basic, Important and Essential. The CyFun Framework contains a set of control measures for each level.
In order to obtain the CyFun label, you must take the following steps:
- Determine the CyFun security level by conducting a risk assessment. You can use the CyFun Selection Tool for this.
- Complete a Self Assessment and implement corrective measures.
- Have the Self Assessment and the implemented measures verified or certified by a CAB.
- Apply for the CyFun label via the Safeonweb@work portal.
ISO/IEC 27001 certification
Another way to demonstrate compliance with NIS2 is to obtain ISO/IEC 27001 certification. ISO/IEC 27001 is the globally recognised standard for information security and describes the requirements for setting up, implementing, maintaining and continuously improving an Information Security Management System (ISMS).
The following steps must be taken to obtain ISO 27001 certification:
- Acquire the necessary knowledge about ISO/IEC 27001, for example through training courses.
- Implement the ISO 27001 management system in your organisation in accordance with the standard requirements.
- Conduct internal audits.
- Have the management assess the results of the internal audit and take corrective measures if necessary. Record the conclusion about compliance with the requirements in the management review.
- Contact an accredited CAB (Conformity Assessment Body) to conduct an external audit.
Inspection by CCB or sectoral inspection service
Finally, an NIS2 entity can immediately submit to an inspection by the authorities, i.e. the CCB and/or the sectoral inspection service. This inspection may consist of on-site inspections, on-site supervision, ad hoc audits, security scans and requests for information and evidence. Failure to respond to requests from the inspection services will result in administrative fines being imposed on the NIS2 entity. A fee is charged for an inspection by the CCB or the sectoral inspection service.
When choosing between one of the three options above, it is important to take various factors into account. If your organisation is looking for an internationally recognised, structured and future-oriented solution, it is better to opt for ISO/IEC 27001 certification. This certificate not only offers NIS2 compliance, but also provides overall information security management and the trust of customers and partners.
For small organisations with a national focus, CyberFundamentals may be the right option. This label is specifically for the Belgian market and cannot be used internationally for customers or suppliers.
The CCB inspection is particularly useful for organisations that want to be assessed directly by the authorities, without the intervention of a CAB.
Sanctions
The Belgian NIS2 law provides for specific sanctions for entities that do not comply with the legal provisions. These sanctions vary according to the nature and severity of the violation and are subdivided into administrative measures and administrative fines.
Possible administrative measures that the CCB can impose include warnings, appointing a supervisory officer, temporarily suspending a certification or licence, temporarily prohibiting the performance of managerial functions, and so on.
The administrative fines that can be imposed are also legally defined and range from 500 to 10,000,000 euros; these amounts are doubled for repeated offences within a period of three years. A detailed overview of the administrative measures and fines can be consulted on the CCB website.
When do I need to take action in Belgium? Timeline: key milestones and deadlines (entry into force)
The Belgian NIS2 law entered into force on 18/10/2024. From that date, NIS2 entities are obliged to take the minimum set of control measures against cyber threats and to report significant incidents according to the prescribed procedure. Furthermore, administrative bodies must fulfil their obligations as described above, and entities must cooperate with the competent authorities, whose supervision they are also subject to.
Entities must register via Safeonweb@Work by 18/03/2025 at the latest. For DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network service providers, providers of managed services, providers of managed security services, as well as providers of online marketplaces, online search engines and platforms for social networking services, a stricter deadline applies for mandatory registration with the CCB, namely 18/12/2024.
Essential entities are also bound by deadlines regarding regular conformity assessments. As described above, an essential entity can choose between the CyberFundamentals Framework, ISO/IEC 27001 certification or an inspection by the CCB inspection service or a sectoral inspection service.
1. CyberFundamentals Framework
1.1 Basic assurance level
Entities that determine on the basis of their risk assessment that they must comply with the Basic assurance level must be granted a Basic verification by an accredited and recognised CAB by 18/04/2026 at the latest.
1.2 Important assurance level
Entities that must comply with the Important assurance level must be granted a Basic or Important verification by 18/04/2026 at the latest. If necessary, these entities may first obtain a Basic verification by 18/04/2026 and then an Important verification by 18/04/2027 at the latest.
1.3 Essential assurance level
Entities that must comply with the Essential assurance level must have a Basic or Important verification by 18/04/2026 at the latest and must obtain Essential certification by 18/04/2027 at the latest.
2. ISO/IEC 27001 certification
Entities that opt for ISO/IEC 27001 certification must submit their scope and statement of applicability (SoA) to the CCB by 18/04/2026 at the latest and be certified by a CAB by 18/04/2027.
3. Inspection by the CCB/sectoral inspection service
Entities that opt for an inspection by the CCB or a sectoral inspection service must submit to the CCB either their self-assessment at CyFun’s Basic or Important assurance level, or their ISO/IEC 27001 information security policy, scope and SoA. No later than 18/04/2027, the entity must submit a progress report on its compliance.
Source: Safeonweb.be, consulted on 27/03/2025