The Network and Information Security Directive 2 (NIS2) is the EU's most ambitious cybersecurity legislation to date. Since its enforcement deadline in October 2024, thousands of organizations across Belgium must meet stricter security requirements or face significant penalties.
What Is the NIS2 Directive?
The NIS2 Directive (EU 2022/2555) is the European Union's cybersecurity law for operators of critical and important infrastructure. It replaced the original 2016 NIS Directive, expanded the number of in-scope sectors from 7 to 18, and is estimated to cover roughly 160,000 entities across the EU. In Belgium, the national NIS2 law (adopted in April 2024) has applied since 18 October 2024, with the Centre for Cybersecurity Belgium (CCB) acting as the national supervisory authority and national CSIRT. The directive applies to medium and large organizations in essential and important sectors, and breaches can trigger administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher.
At EU level, the European Union Agency for Cybersecurity (ENISA) supports member states with implementation guidance, threat intelligence, and incident coordination. The Belgian transposition was published in the Belgian Official Gazette, and obligations apply regardless of whether an entity has previously been subject to sector-specific cybersecurity regulation.
Who Must Comply in Belgium?
NIS2 divides organizations into two categories, essential and important entities, based on a combination of sector and size. Sector alone does not decide the category: large entities in the high-criticality sectors of Annex I are essential entities, while medium-sized entities in those sectors and entities in the "other critical" sectors of Annex II are generally important entities. See our detailed breakdown of NIS2 sectors in Belgium for a complete list.
Essential Entities (Annex I sectors)
- Energy (electricity, district heating and cooling, gas, oil, hydrogen)
- Transport (air, rail, road, water)
- Banking and financial market infrastructure
- Health
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, data centres, cloud, trust services, public electronic communications)
- ICT service management (business-to-business managed service and managed security service providers)
- Public administration
- Space
Important Entities (Annex II sectors)
- Postal and courier services
- Waste management
- Chemical manufacturing
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery)
- Digital providers (marketplaces, search engines, social networks)
- Research organizations
Medium-sized companies (at least 50 employees, or annual turnover and balance sheet total above €10 million) and large companies in these sectors are automatically in scope. Some organizations are in scope regardless of size, for example DNS service providers, TLD name registries, trust service providers and public electronic communications providers, or any entity the CCB designates because its service is critical or it is the sole provider of that service.
Key NIS2 Requirements
Organizations must implement cybersecurity measures that are proportionate to the risks they face. The directive outlines several specific areas:
- Risk analysis and information security policies — formal risk management frameworks and documented security policies.
- Incident handling — processes for detecting, reporting, and responding to security incidents. Significant incidents must be reported to the CCB in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
- Business continuity — backup management, disaster recovery, and crisis management plans.
- Supply chain security — assessing and managing risks from direct suppliers and service providers.
- Vulnerability management — security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure. In practice this means regular vulnerability assessments and penetration tests, timely patching, and a coordinated vulnerability disclosure process (the CCB coordinates the national CVD policy in Belgium).
- Cybersecurity training — regular security awareness training for all staff, including management.
- Encryption and access control — policies on cryptography and encryption, access control and asset management, and the use of multi-factor or continuous authentication and secured communications where appropriate.
Penalties for Non-Compliance
Under the Belgian transposition of NIS2 (in force since 18 October 2024), penalties depend on whether an organization is classified as an "essential" or "important" entity. Essential entities face administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual turnover, again whichever is higher.
Beyond financial penalties, NIS2 introduces individual accountability: the management body must approve the cybersecurity risk-management measures, oversee their implementation and follow training itself, and its members can be held personally liable for compliance failures. In serious cases, persons with managerial responsibility at CEO or legal representative level in an essential entity may be temporarily banned from exercising those functions. The Centre for Cybersecurity Belgium (CCB) is the supervisory authority responsible for issuing these sanctions in Belgium.
How to Prepare Your Organization
Getting NIS2-ready is not a one-time project — it requires building sustainable security practices into your organization:
- Assess your scope — determine whether your organization falls under NIS2 based on sector, size, and criticality, and whether it is an essential or important entity. In-scope entities must also register with the CCB via its Safeonweb@work platform.
- Conduct a gap analysis — compare your current security posture against NIS2 requirements to identify areas that need improvement. In Belgium, the CCB's CyberFundamentals (CyFun) framework and ISO/IEC 27001 are the recognized reference frameworks, and essential entities must undergo a conformity assessment.
- Implement risk management — establish formal risk assessment processes and document your security policies.
- Set up incident response — create and test incident detection and reporting workflows that meet the staged notification requirement (early warning within 24 hours, notification within 72 hours, final report within one month).
- Review your supply chain — evaluate the security practices of your key suppliers and service providers, and include security requirements and incident notification obligations in contracts.
- Train your team — ensure all employees, especially leadership, understand their cybersecurity responsibilities.
- Engage expert support — work with cybersecurity professionals who understand both the technical and regulatory landscape in Belgium.
Need to understand how NIS2 relates to GDPR? Read our GDPR vs NIS2 comparison. For budgeting your compliance efforts, see our guide to security audit costs in Belgium.
How ICTLAB Can Help
ICTLAB helps Belgian organizations navigate NIS2 compliance with practical, hands-on support. From initial gap assessments and risk analysis to implementing security monitoring, incident response plans, and employee training programs, our cybersecurity services provide the technical expertise needed to meet regulatory requirements without disrupting your operations. We also help teams adopt DevSecOps practices to embed security throughout the development lifecycle.
Whether you are starting from scratch or need to strengthen existing security measures, our team in Brussels is ready to help you build a compliant and resilient security posture.