Compliance

NIS2 Directive: What Belgian Companies Need to Know in 2025

Sophie Vandenberghe
Compliance Director
March 10, 2025
10 min read
#NIS2#Belgium#CCB#CyFun#Compliance#Regulation

The European NIS2 Directive (Directive 2022/2555) represents the most significant overhaul of cybersecurity regulation in the EU to date. For Belgian companies, the transposition into national law through the Centre for Cybersecurity Belgium (CCB) brings specific obligations and timelines that demand immediate attention.

Belgium's NIS2 Transposition: The CCB Framework

Belgium was among the first EU member states to actively prepare for NIS2 transposition. The Centre for Cybersecurity Belgium (CCB) serves as the national competent authority and has established the CyFun (Cybersecurity Fundamentals) framework as the reference standard for compliance.

Key Dates for Belgian Companies

  • October 2024: NIS2 transposition deadline into Belgian law
  • Q1 2025: Registration obligation for entities in scope
  • Q2 2025: First compliance assessments expected
  • 2026: Full enforcement with potential penalties

Who Is In Scope in Belgium?

The Belgian transposition follows the EU criteria but adds specificity for the national context:

Essential Entities (stricter requirements):

  • Energy operators (Elia, Fluxys, nuclear facilities)
  • Transport providers (SNCB, TEC, De Lijn, Brussels Airport)
  • Healthcare organizations (hospitals with 250+ beds)
  • Digital infrastructure (DNS operators, cloud providers, data centers)
  • Banking and financial institutions (under NBB supervision)
  • Water utilities (SWDE, Vivaqua)

Important Entities (proportionate requirements):

  • Manufacturing companies with 50+ employees
  • Food production and distribution
  • Postal and courier services
  • Waste management operators
  • Chemical manufacturers
  • Digital service providers (online marketplaces, search engines)

The CyFun Framework: Belgium's Compliance Standard

The CCB's CyFun framework is organized into five functions aligned with international standards:

1. Identify

  • Asset management and inventory
  • Business environment understanding
  • Risk assessment methodology
  • Supply chain risk management

2. Protect

  • Access control and identity management
  • Security awareness and training
  • Data security measures
  • Information protection processes

3. Detect

  • Continuous monitoring capabilities
  • Anomaly and event detection
  • Security event analysis

4. Respond

  • Response planning and procedures
  • Communications protocols
  • Analysis and mitigation capabilities
  • Improvement processes

5. Recover

  • Recovery planning
  • Service restoration procedures
  • Communication during recovery
  • Lessons learned integration

Incident Reporting to the CCB

Belgian organizations must report significant incidents to the CCB following strict timelines:

| Notification Type | Deadline | Content Required |
|---|---|---|
| Early Warning | 24 hours | Nature of incident, suspected cause |
| Incident Notification | 72 hours | Initial assessment, severity, impact |
| Intermediate Report | On request | Status updates, measures taken |
| Final Report | 1 month | Root cause, remediation, lessons learned |

What Constitutes a "Significant Incident"?

Under Belgian transposition, an incident is significant if it:

  • Causes or may cause severe operational disruption or financial loss
  • Affects or may affect other natural or legal persons by causing considerable damage
  • Impacts the availability, authenticity, integrity, or confidentiality of data or services

Governance Requirements for Belgian Boards

NIS2 introduces personal accountability for management bodies. Belgian company directors must:

  1. Approve cybersecurity risk management measures and oversee their implementation
  2. Follow cybersecurity training to gain sufficient knowledge to identify risks
  3. Ensure regular cybersecurity training for all employees
  4. Bear personal liability for non-compliance in cases of negligence

This is a fundamental shift for Belgian corporate governance. The board can no longer delegate cybersecurity entirely to IT departments.

Supply Chain Security Obligations

Belgian organizations must assess and manage cybersecurity risks in their supply chains. This includes:

  • Vendor risk assessments: Evaluate the cybersecurity posture of critical suppliers
  • Contractual requirements: Include security clauses in procurement contracts
  • Continuous monitoring: Regularly verify supplier compliance with security requirements
  • Incident notification chains: Establish communication protocols for supply chain incidents

Practical Steps for Supply Chain Compliance

  1. Inventory all suppliers and categorize by criticality
  2. Develop a supplier security questionnaire based on CyFun
  3. Include NIS2 compliance clauses in new and renewed contracts
  4. Establish a supplier incident notification process
  5. Conduct annual supplier security reviews

Penalties for Non-Compliance

The Belgian transposition includes significant financial penalties:

  • Essential entities: Up to EUR 10 million or 2% of total annual worldwide turnover
  • Important entities: Up to EUR 7 million or 1.4% of total annual worldwide turnover
  • Administrative measures: Binding instructions, compliance orders, security audit requirements
  • Personal sanctions: Management body members can face temporary bans from exercising managerial functions

A Practical Compliance Roadmap for Belgian SMBs

Phase 1: Assessment (Weeks 1-4)

  1. Determine if your organization falls under NIS2 scope
  2. Register with the CCB if required
  3. Conduct a CyFun gap analysis
  4. Assess current cybersecurity maturity level

Phase 2: Planning (Weeks 5-8)

  1. Develop a remediation roadmap based on gap analysis
  2. Allocate budget for necessary investments
  3. Assign roles and responsibilities (consider appointing a NIS2 coordinator)
  4. Engage management in cybersecurity governance

Phase 3: Implementation (Weeks 9-20)

  1. Deploy technical security measures (MFA, EDR, network segmentation)
  2. Develop and document policies and procedures
  3. Implement incident response capabilities
  4. Establish supply chain security processes
  5. Conduct employee awareness training

Phase 4: Validation (Weeks 21-24)

  1. Perform internal compliance assessment against CyFun
  2. Test incident response procedures
  3. Validate supply chain security measures
  4. Prepare documentation for potential CCB inspection

Belgian Resources and Support

  • CCB Website: ccb.belgium.be for official guidance and CyFun documentation
  • Safeonweb: safeonweb.be for threat alerts and best practices
  • Cyber Security Coalition: Industry collaboration platform for Belgian organizations
  • FPS Economy: Registration portal for NIS2 entities

Conclusion

NIS2 compliance is not optional for Belgian organizations that fall within scope. The CCB has provided a clear framework through CyFun, and the enforcement mechanisms are robust. Organizations that act now will not only avoid penalties but will also strengthen their cybersecurity posture against an increasingly hostile threat landscape.

Need help with NIS2 compliance in Belgium? Schedule a free CyFun gap analysis with our compliance experts.
