The European Union's NIS2 Directive (Directive 2022/2555) represents the most significant overhaul of cybersecurity regulation in the EU's history. Belgium transposed this directive into national law on 26 April 2024, with the NIS2 Law entering into force on 18 October 2024. The Centre for Cybersecurity Belgium (CCB) has been designated as the national cybersecurity authority, and organisations that fall within scope must now act decisively to achieve compliance.
Unlike its predecessor NIS1, which applied to a relatively narrow set of operators of essential services, NIS2 dramatically expands the scope to cover 18 critical sectors and introduces stricter obligations around risk management, incident reporting, supply chain security, and management accountability. With fines reaching up to 10 million euros or 2% of global annual turnover, the stakes for non-compliance have never been higher.
What changed from NIS1 to NIS2
The original NIS Directive, adopted in 2016, was the EU's first piece of cybersecurity legislation. However, its implementation revealed significant gaps: inconsistent transposition across member states, a limited scope that left many critical sectors unprotected, and insufficient enforcement mechanisms. NIS2 addresses all of these shortcomings with a comprehensive framework that harmonises requirements across the EU.
Key differences include a vastly expanded scope covering sectors such as public electronic communications, space, waste management, food production, postal services, and public administration. NIS2 also introduces a size-based threshold, automatically capturing all medium-sized and large entities in covered sectors. The directive replaces the old distinction between operators of essential services and digital service providers with a new classification of essential entities and important entities, each subject to different supervisory regimes.
Perhaps most significantly, NIS2 introduces personal accountability for senior management. Board members and C-level executives can be held personally liable for cybersecurity failures, and in cases of repeated non-compliance, individuals can be temporarily banned from exercising managerial functions.
Which Belgian organisations are in scope
NIS2 applies to medium-sized and large organisations operating in 18 designated sectors. Essential entities include organisations in energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities cover postal and courier services, waste management, chemicals, food production and distribution, manufacturing of critical products, digital providers, and research organisations.
In Belgium, the CCB oversees compliance through a registration process. Entities were required to register via the Safeonweb@Work portal by 18 March 2025. The distinction between essential and important entities matters primarily for supervision: essential entities face both proactive and reactive oversight with mandatory regular conformity assessments, while important entities are subject to reactive supervision only, typically triggered by incidents or evidence of non-compliance.
Importantly, NIS2's reach extends beyond the directly regulated entities. The directive places strong emphasis on supply chain security, meaning that even organisations not directly in scope may need to comply if they are part of a regulated entity's supply chain. The CCB advises all organisations in such supply chains to comply with at least the CyberFundamentals Framework Basic level.
Key obligations and compliance requirements
NIS2 imposes obligations across four core areas. First, risk management: organisations must implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These include policies on risk analysis, incident handling, business continuity, supply chain security, network security, access control, encryption, and multi-factor authentication.
Second, incident reporting: organisations must notify the CCB of significant incidents within strict timelines. An early warning must be submitted within 24 hours of becoming aware of a significant incident, followed by a detailed incident notification within 72 hours, and a final report within one month. This represents a significant acceleration compared to previous requirements and demands well-rehearsed incident response procedures.
Third, supply chain security: organisations must assess and manage cybersecurity risks in their supply chains, including evaluating the security practices of their direct suppliers and service providers. Fourth, management accountability: the management body must approve cybersecurity risk-management measures, oversee their implementation, and undergo regular cybersecurity training. Management can be held personally liable for infringements.
In Belgium, compliance can be demonstrated through the CyberFundamentals (CyFun) Framework developed by the CCB, or through ISO 27001 certification. The CyFun framework defines four assurance levels: Small (for micro-organisations), Basic (34 essential controls), Important (99 additional controls), and Essential (85 further advanced controls). Entities supervised directly by the CCB must submit their self-assessment or ISO 27001 documentation by 18 April 2026.
Penalties and enforcement
The penalty regime under NIS2 is substantial and designed to ensure compliance is taken seriously. Essential entities face fines of up to 10 million euros or 2% of their total worldwide annual turnover, whichever is higher. Important entities face fines of up to 7 million euros or 1.4% of their total worldwide annual turnover.
Beyond financial penalties, the enforcement toolkit includes binding instructions, orders to implement specific security measures, orders to inform affected parties of threats, and temporary suspension of certifications or authorisations. In the most severe cases, member states can temporarily prohibit individuals responsible for management functions from exercising those roles.
Belgium's enforcement approach is tiered, with the CCB applying proportionate measures based on the severity of non-compliance and the entity's classification. The proactive supervision of essential entities means that compliance gaps are likely to be identified before incidents occur, making early preparation critical.
Practical steps toward compliance
Achieving NIS2 compliance requires a structured approach. Start by determining whether your organisation falls within scope by assessing your sector, size, and role in critical supply chains. If in scope, ensure your registration with the CCB via the Safeonweb@Work portal is complete and accurate.
Conduct a thorough gap analysis comparing your current cybersecurity posture against the CyFun framework or ISO 27001 requirements. Prioritise addressing the most critical gaps, particularly around incident response capabilities, supply chain risk assessment, and management-level cybersecurity governance. Invest in training for both technical staff and board members, as management accountability is a cornerstone of the new regime.
Establish or refine your incident response procedures to meet the 24-hour early warning and 72-hour notification deadlines. Test these procedures through regular exercises. Review and strengthen contracts with suppliers and service providers to include cybersecurity requirements, and implement ongoing monitoring of supply chain risks. Finally, document everything — the ability to demonstrate compliance through records and evidence is essential during supervisory assessments.
How Shady AS can help
Navigating NIS2 compliance can be complex, particularly for organisations dealing with multiple regulatory frameworks simultaneously. At Shady AS SRL, our Brussels-based team of IT consultants specialises in helping Belgian organisations assess their NIS2 obligations, conduct gap analyses against the CyberFundamentals Framework and ISO 27001, and build practical roadmaps to compliance.
From implementing robust incident response procedures to strengthening supply chain security and preparing management bodies for their new accountability requirements, we provide end-to-end support tailored to your organisation's specific needs. Contact us today to schedule a NIS2 readiness assessment and ensure your organisation is prepared for the new cybersecurity landscape.