The NIS2 Directive has dramatically expanded the number of organizations that must comply with EU cybersecurity requirements. In Belgium, the Centre for Cybersecurity Belgium (CCB) oversees implementation, and thousands of companies across 18 sectors are now in scope. This guide helps you determine whether your organization must comply.
Quick answer — is my Belgian company in scope?
- You operate in one of the 18 NIS2 sectors (Annex I essential or Annex II important), AND
- You have 50+ employees OR €10M+ turnover / balance sheet, OR
- You are a DNS provider, TLD registry, trust service provider or public electronic communications provider — any size, or
- You have been specifically designated by the Belgian government.
Belgium transposed NIS2 via the Act of 26 April 2024. Registration with the CCB was required by 18 March 2025 for essential and important entities. Updated April 2026.
NIS2 Sectors Belgium: Quick Reference Table
The 18 sectors covered by NIS2 are split between two annexes, each with different penalty exposure and supervision intensity:
| Annex | Sector | Entity type | Max. fine |
|---|---|---|---|
| I | Energy (electricity, gas, oil, hydrogen, district heating) | Essential | €10M / 2% worldwide turnover |
| I | Transport (air, rail, water, road) | Essential | €10M / 2% worldwide turnover |
| I | Banking & financial market infrastructure | Essential | €10M / 2% worldwide turnover |
| I | Healthcare (hospitals, labs, pharma) | Essential | €10M / 2% worldwide turnover |
| I | Drinking water & wastewater | Essential | €10M / 2% worldwide turnover |
| I | Digital infrastructure (DNS, TLD, cloud, datacenters, CDN, trust services) | Essential | €10M / 2% worldwide turnover |
| I | ICT service management (B2B MSPs, MSSPs) | Essential | €10M / 2% worldwide turnover |
| I | Public administration | Essential | As set by Belgian law |
| I | Space (ground-based operators) | Essential | €10M / 2% worldwide turnover |
| II | Postal & courier services | Important | €7M / 1.4% worldwide turnover |
| II | Waste management | Important | €7M / 1.4% worldwide turnover |
| II | Chemical manufacturing & distribution | Important | €7M / 1.4% worldwide turnover |
| II | Food production & distribution | Important | €7M / 1.4% worldwide turnover |
| II | Manufacturing (medical devices, electronics, machinery, vehicles) | Important | €7M / 1.4% worldwide turnover |
| II | Digital providers (marketplaces, search engines, social networks) | Important | €7M / 1.4% worldwide turnover |
| II | Research organisations | Important | €7M / 1.4% worldwide turnover |
NIS2 Penalties in Belgium
Belgium transposed NIS2 via the Act of 26 April 2024, which took effect on 18 October 2024. The penalty framework is among the strictest in EU cybersecurity regulation:
- Essential entities — administrative fines up to €10 million or 2% of global annual turnover, whichever is higher.
- Important entities — administrative fines up to €7 million or 1.4% of global annual turnover, whichever is higher.
- Management accountability — board members and senior managers can be held personally liable and temporarily banned from management duties for serious failures.
- Supervision — essential entities face proactive ex-ante supervision (audits, on-site inspections), while important entities face ex-post supervision (triggered by incidents or complaints).
Key NIS2 Dates for Belgium
- 16 January 2023 — NIS2 directive (EU) 2022/2555 enters into force at EU level.
- 17 October 2024 — EU transposition deadline; Belgium met this with the Act of 26 April 2024.
- 18 October 2024 — NIS2 becomes enforceable in Belgium.
- 18 March 2025 — deadline for essential and important entities to register with the CCB via Safeonweb@work.
- 18 April 2027 — deadline to have fully implemented the cybersecurity risk management measures and be audit-ready.
How NIS2 Determines Who Must Comply
NIS2 uses two criteria to determine whether an organization is in scope:
- Sector — the organization operates in one of the 18 sectors listed in the directive's annexes.
- Size — the organization meets the size threshold: at least 50 employees or annual turnover/balance sheet exceeding 10 million euros.
Organizations that meet both criteria are automatically in scope. Some smaller organizations may also be included if they are deemed critical by Belgian authorities, regardless of size.
Essential Entities: Annex I Sectors
Essential entities face the strictest requirements and highest penalties. In Belgium, these include organizations in the following sectors:
Energy
- Electricity generators, distributors, and transmission operators
- Natural gas distribution, transmission, and storage operators
- Oil refining and pipeline operators
- Hydrogen production, storage, and distribution
- District heating and cooling operators
Transport
- Air carriers and airport operators
- Rail transport operators and infrastructure managers (including Infrabel and SNCB/NMBS)
- Inland waterway and maritime shipping companies
- Road transport operators of essential goods
Banking and Financial Infrastructure
- Credit institutions supervised by the NBB
- Financial market infrastructure operators
- Note: financial entities also fall under DORA
Healthcare
- Hospitals and healthcare providers
- EU reference laboratories
- Pharmaceutical manufacturers
- Medical device manufacturers (when critical)
Other Essential Sectors
- Drinking water — suppliers and distributors
- Wastewater — collection, treatment, and discharge operators
- Digital infrastructure — DNS providers, TLD registries, cloud computing providers, data center operators, content delivery networks, and trust service providers
- ICT service management (B2B) — managed service providers and managed security service providers
- Public administration — federal and regional government entities
- Space — operators of ground-based infrastructure supporting space-based services
Important Entities: Annex II Sectors
Important entities face slightly lower penalties but must still meet core NIS2 requirements:
- Postal and courier services — including bpost and private courier companies
- Waste management — collection, treatment, and recycling operators
- Chemical manufacturing — production and distribution of chemicals
- Food production — large-scale food manufacturing and distribution (wholesale)
- Manufacturing — medical devices, computers, electronics, machinery, motor vehicles, and other transport equipment
- Digital providers — online marketplaces, search engines, and social networking platforms
- Research organizations — universities and research institutions (when designated by Belgium)
Size Thresholds and Exceptions
The general size threshold is 50 employees or 10 million euros in turnover. However, several exceptions apply in Belgium:
- Always in scope regardless of size: DNS providers, TLD registries, trust service providers, and providers of public electronic communications networks.
- Member State designation: the Belgian government can designate smaller entities as essential or important if their disruption would significantly impact public safety, security, or health.
- Sole provider: if your organization is the sole provider of a critical service in Belgium, you may be in scope regardless of size.
- Cross-border impact: organizations whose disruption could affect multiple EU member states may be designated regardless of size.
What Compliance Requires
Once in scope, both essential and important entities must:
- Register with the CCB — in-scope organizations must register with the Centre for Cybersecurity Belgium.
- Implement security measures — adopt risk-based cybersecurity measures covering risk analysis, incident handling, business continuity, supply chain security, and more.
- Report incidents — notify the CCB of significant incidents within 24 hours (early warning), 72 hours (full notification), and one month (final report).
- Ensure management accountability — senior management must approve and oversee cybersecurity risk management measures and undergo training.
A practical starting point is conducting an ISO 27001 gap analysis, as the standard aligns closely with NIS2 requirements.
How ICTLAB Can Help
ICTLAB helps Belgian organizations determine their NIS2 scope and achieve compliance efficiently. Our cybersecurity services include scope assessment, gap analysis, implementation of required security measures, and preparation for CCB registration and reporting. We work with organizations across all NIS2 sectors, from energy and healthcare to digital infrastructure and manufacturing.
If you are unsure whether your organization falls under NIS2, contact our Brussels-based team for a no-obligation assessment of your compliance obligations.