Complete Guide: NIS2 for Belgian Businesses

NIS2 is the EU's new cybersecurity directive that affects thousands of Belgian organizations. This guide brings together everything you need to know: what NIS2 requires, whether you're in scope, key deadlines, and how to achieve compliance through CyberFundamentals.

NIS2: The EU cybersecurity directive for critical sectors

What is NIS2?

NIS2 (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity, the second Network and Information Security Directive) is the EU's updated cybersecurity law. It was adopted in December 2022, and member states had to apply their transposing legislation from 18 October 2024; Belgium's NIS2 law has applied since that date. It significantly expands the scope of the original NIS directive and introduces stricter requirements for security measures, incident reporting, and management accountability.

  • Replaces the original NIS directive with broader scope
  • Applies to essential and important entities in critical sectors
  • Requires board-level cybersecurity oversight
  • Introduces personal liability for management


Sectors Affected by NIS2

Annex I: sectors of high criticality (11 sectors)

Large entities in these sectors are essential entities; medium-sized entities in the same sectors are important entities, and a few types of entity (for example DNS service providers, TLD name registries, qualified trust service providers and public administration) are in scope regardless of size.

  • Energy
  • Transport
  • Banking
  • Financial markets
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (B2B)
  • Public administration
  • Space

Annex II: other critical sectors (7 sectors)

Medium-sized and large entities in these sectors are important entities.

  • Postal services
  • Waste management
  • Chemical manufacturing
  • Food production
  • Manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment)
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research organisations

Key NIS2 Requirements

NIS2 (Article 21(2)) mandates at least these 10 categories of security measures, to be applied on an all-hazards basis and in proportion to the entity's risk exposure:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity (backup management, disaster recovery) and crisis management
  4. Supply chain security, including the security of relationships with direct suppliers and service providers
  5. Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of the risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures on the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies and asset management
  10. Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

How to Achieve Compliance

In Belgium, the CCB's CyberFundamentals (CyFun) framework translates the NIS2 obligations into concrete controls, and the Belgian NIS2 law treats a CyFun certificate (or an ISO/IEC 27001 certificate) covering the entity's in-scope systems as a presumption of conformity:

Important entities: CyberFundamentals Important tier (117 controls)
Essential entities: CyberFundamentals Essential tier (140 controls)

1. Assess your scope

Determine whether your organization is an essential or important entity under NIS2 (sector, size, and any size-independent criteria), and register it with the CCB if it is.

2. Gap analysis

Compare your current security posture against the CyberFundamentals controls for your tier and record each gap with its owner and target date.

3. Implement controls

Work through the required controls systematically, starting with the gaps that carry the highest risk or that affect your ability to meet the incident-reporting deadlines.

4. Document everything

Maintain evidence of your security measures (policies, configurations, logs, training records, test results) for the CCB or a conformity assessment body.

5. Continuous improvement

NIS2 compliance is ongoing: regularly review and update your measures, and re-run the gap analysis after significant changes to your systems or suppliers.

Penalties for Non-Compliance

NIS2 introduces significant penalties:

Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher
Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher
Management: personal liability for breaches of the oversight duties, and for essential entities a temporary ban on persons at CEO or legal-representative level from exercising management functions

How Easy Cyber Protection Helps

We simplify NIS2 compliance through the CyberFundamentals framework:

Scope assessment — Determine your NIS2 classification
Guided implementation — Step-by-step controls for your tier
Incident reporting — Built-in procedures for the 24-hour early warning, the 72-hour incident notification and the final report within one month
Audit trail — Evidence collection for regulatory review

Frequently Asked Questions

When does NIS2 apply?

NIS2 became applicable on 18 October 2024, when the Belgian NIS2 law entered into force. In-scope entities had to register with the CCB by 18 March 2025, and should already be working on compliance, with supervision and enforcement ramping up from 2025 onwards.

Does NIS2 apply to my business?

NIS2 applies to organizations in the 18 sectors listed in Annexes I and II that are at least medium-sized enterprises: 50 or more employees, or an annual turnover and balance-sheet total above €10 million. Some entity types are in scope regardless of size (for example DNS providers, TLD registries, qualified trust service providers and public administration). Check our "Who Must Comply" article for detailed criteria.

What's the difference between essential and important entities?

Essential entities are large organizations in the Annex I sectors (energy, health, transport, etc.) and are supervised proactively, including regular audits. Important entities (medium-sized Annex I organizations and medium or large Annex II organizations) are supervised reactively, after an incident or evidence of non-compliance, but must implement the same security measures and meet the same reporting deadlines.

How do I prove NIS2 compliance?

Implementing the CCB CyberFundamentals framework at the tier matching your classification is the recognised path. A CyFun certificate issued by an accredited conformity assessment body (or an ISO/IEC 27001 certificate) gives a presumption of conformity; otherwise your documentation, audit trails and self-assessment results are the evidence the CCB will review.

Can I be personally liable as a manager?

Yes. NIS2 requires management bodies to approve the cybersecurity risk-management measures, oversee their implementation and follow training, and makes them liable for infringements. This can include personal fines and, for essential entities, a temporary ban on persons at CEO or legal-representative level from exercising management functions.

Sources

  1. NIS2 Directive (EU) 2022/2555 — Official EU legislation
  2. European Commission NIS2 Overview — EC policy overview
  3. Centre for Cybersecurity Belgium (CCB) — Belgian authority
  4. CCB CyberFundamentals Framework — Implementation framework