What is NIS2? Complete Guide for Belgian Businesses

NIS2 (Network and Information Security Directive 2, Directive (EU) 2022/2555) is the EU's updated cybersecurity law. It entered into force in January 2023 and applies in the member states from 18 October 2024, the deadline by which they had to transpose it into national law. It is the broadest EU cybersecurity legislation to date, affecting an estimated 160,000 organizations across Europe, including thousands of Belgian SMEs.


Who Must Comply with NIS2?

NIS2 applies to organizations in the sectors listed in its two annexes: Annex I ("sectors of high criticality") and Annex II ("other critical sectors"). Within those sectors, an organization is classified as an "essential" or an "important" entity mainly by sector and size: large entities in Annex I sectors are essential, and most other in-scope entities are important. The scope is much broader than the original NIS directive.


Essential Sectors (Annex I, sectors of high criticality)

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking & financial market infrastructure
  • Healthcare (hospitals, labs, pharma)
  • Drinking water & wastewater
  • Digital infrastructure (DNS, cloud, data centers) and ICT service management (B2B)
  • Public administration
  • Space

Important Sectors (Annex II, other critical sectors)

  • Postal & courier services
  • Waste management
  • Chemicals (manufacture, production, distribution)
  • Food production, processing & distribution
  • Manufacturing (medical devices, electronics, electrical equipment, machinery, vehicles)
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research organizations

What Does NIS2 Require?

NIS2 mandates "appropriate and proportionate" cybersecurity measures. The key requirements are:

Risk Management

Identify, analyze, and address cybersecurity risks systematically

Incident Handling

Detect and respond to security incidents, and report significant incidents to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report within one month

Business Continuity

Backup, disaster recovery, and crisis management plans

Supply Chain Security

Assess and manage risks from suppliers and vendors

Basic Cyber Hygiene

Policies on passwords, updates, access control, encryption

Staff Training

Ensure employees understand their cybersecurity responsibilities

NIS2 in Belgium: CyberFundamentals

The Centre for Cybersecurity Belgium (CCB), the Belgian NIS2 authority, created the CyberFundamentals framework to help organizations meet the NIS2 security requirements. Under the Belgian NIS2 law, verified conformity with CyberFundamentals (or an ISO/IEC 27001 certification) is an accepted way to demonstrate compliance, and the framework is mapped to the EU requirements.

CyberFundamentals assurance levels and Easy Cyber Protection pricing

Level      Controls  Intended for                                   Our price
Small      7         All SMEs (recommended baseline)                Free
Basic      34        Standard security needs                        €99/month
Important  117       "Important" entities                           €199/month
Essential  140       "Essential" entities                           Contact us

NIS2 Penalties: What's at Risk?

NIS2 introduces significant penalties for non-compliance (Article 34 sets the fine ceilings; Articles 32 and 33 give the supervisory powers):

Category                 Maximum fine                                                    Additional measures
Essential entities       €10 million or 2% of total worldwide annual turnover, whichever is higher   Management bodies can be held liable; managers can be temporarily banned from management functions
Important entities       €7 million or 1.4% of total worldwide annual turnover, whichever is higher  Management bodies can be held liable
Any infringement         Administrative fines and binding instructions                   Authorities may publicly disclose the infringement and the entity responsible

When Must You Comply?

NIS2 entered into force on 16 January 2023. Member states had until 17 October 2024 to transpose it, and its rules apply from 18 October 2024; in Belgium the NIS2 law applies from that date. Organizations should already be working on compliance.

  • Now: assess whether your organization is in scope
  • Now: start implementing the CyberFundamentals baseline
  • Ongoing: document your cybersecurity posture
  • When a significant incident occurs: send the early warning within 24 hours, the incident notification within 72 hours, and the final report within one month

How to Get Started with NIS2 Compliance

Don't be overwhelmed. The goal isn't perfection—it's continuous improvement.

  1. Assess your scope: are you in an essential or important sector, and do you meet the size threshold?
  2. Start with basics: begin with the CyberFundamentals "Small" level, seven practical controls.
  3. Document everything: keep records of what you implement and when.
  4. Build gradually: move to higher assurance levels based on your sector requirements.
  5. Get help: work with your IT partner or use a compliance platform like Easy Cyber Protection.

How Easy Cyber Protection Helps

One task at a time — no overwhelm, just clear next steps
Progress tracking — See exactly where you stand
Evidence collection — Document compliance as you go
IT partner collaboration — Share tasks with your technical team
Free start — Begin with our free Small tier

Frequently Asked Questions

Does my company need to comply with NIS2?

If you operate in an Annex I or Annex II sector AND are at least a medium-sized enterprise (50 or more employees, or annual turnover and balance sheet total above €10 million), you likely need to comply. Some providers of critical services (for example DNS and TLD registries, trust service providers, and public electronic communications networks) are in scope regardless of size, as are entities that are the sole provider of a service essential to society.

What is the difference between NIS2 and GDPR?

GDPR focuses on personal data protection, while NIS2 focuses on the overall security of networks and information systems. Many organizations need to comply with both. GDPR has higher maximum fines (€20 million or 4% of turnover, whichever is higher), but NIS2 adds explicit liability for management bodies.

What happens if I don't comply with NIS2?

Essential entities face fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face up to €7 million or 1.4%, whichever is higher. Management bodies of both types of entity can be held liable for non-compliance, and for essential entities the authorities can request a temporary ban on managers exercising management functions.

What is CyberFundamentals?

CyberFundamentals is the Belgian framework created by the CCB (Centre for Cybersecurity Belgium) to help organizations meet NIS2 requirements. It defines four levels: Small, Basic, Important, and Essential.

How long does NIS2 compliance take?

It depends on your starting point. Basic compliance with CyberFundamentals Small level can be achieved in weeks. Full compliance with higher levels typically takes 3-6 months with proper guidance.


Sources

  1. NIS2 Directive (EU) 2022/2555 — Official Journal of the European Union
  2. NIS2 Directive Overview — European Commission
  3. Centre for Cybersecurity Belgium (CCB) — CyberFundamentals Framework
  4. NIS2 Article 34: Administrative Fines — Penalty amounts for essential and important entities