Navigating the Belgian NIS2 Landscape: A Guide for Compliance Leaders


General Counsel

Updated Jan 19, 2026 | 10 min. read


The European cybersecurity landscape shifted permanently on 14 December 2022, when the EU formally adopted the NIS2 Directive (Directive (EU) 2022/2555). For organizations operating in Belgium, this wasn’t just another directive to monitor from afar; it was a call to action that culminated in the Belgian Parliament approving the Law of 26 April 2024. 

This new legislation, often referred to as the “NIS2 law,” effectively replaced the older 2019 framework to address a much more volatile digital world. I’ve seen many teams feel overwhelmed by the sheer scale of these requirements, but the Belgian approach is actually quite structured once you peel back the legislative layers.

This article covers the entirety of the NIS2 Belgium framework, from the critical registration deadlines at the CCB to the specific “CyberFundamentals” security requirements. I will break down the legislative milestones, the roadmap for enforcement, and the specific fines that now hang over non-compliant boards.

TL;DR: What You Need to Know

Belgium has fully transposed the NIS2 Directive through the Law of 26 April 2024 and a subsequent Royal Decree. This transition moves Belgium from a manual “identification” regime to a model based mostly on self-assessment and self-registration: if you meet the sector and size/exception criteria, you are typically in scope without waiting for a formal letter.

However, there are still a few categories where formal identification exists (think “critical infrastructure” style cases), but most organizations won’t get a tap on the shoulder anymore.

I’ll summarize the high-level points here:

  • Registration is mandatory via the Safeonweb@Work portal, with deadlines having passed in late 2024 and early 2025.
  • Enforcement is tiered, with Essential Entities (EE) and Important Entities (IE) facing different oversight intensities and fine caps.
  • The CyberFundamentals (CyFun®) framework is Belgium’s preferred baseline for proving you’ve implemented “appropriate and proportionate” security measures.
  • Board members are personally accountable, and regulators can temporarily bar management-body members from exercising managerial responsibilities if the organization keeps failing to fix serious issues.

Timelines and Legislative Milestones

The Belgium NIS2 implementation followed a tight schedule to meet the EU’s October 2024 transposition deadline. It all started with the EU adoption in late 2022, but the real local momentum began in early 2024.

I’ve mapped out the key milestones that shaped the current regulatory environment:

Date | Milestone | Significance
26 Apr 2024 | National NIS2 Law Passed | Established the legal framework for public security networks.
17 May 2024 | Official Publication | The law was published in the Official Gazette, signaling its arrival.
9 Jun 2024 | Royal Decree Adopted | Detailed incident reporting formats and designated regulators.
18 Oct 2024 | Entry into Force | Main provisions became active; entities became legally subject to duties.
18 Dec 2024 | “Digital providers” registration deadline | Deadline for certain digital categories (like DNS/TLD and domain-name services, cloud, data centres, CDN, managed services, and certain online platforms) to register with the CCB.
18 Mar 2025 | General Registration | Deadline for all other essential and important entities to register.

Summary of the Belgian NIS2 Legislative Roadmap

You won’t need a law degree for this, but it is important to note that the law is now fully “live.” If you haven’t registered by now, you are technically already behind the curve.

Structure and National Specificities

The Belgian NIS2 directive transposition isn’t just a carbon copy of the EU text; it includes several Belgian “flavors” you need to account for. The Law of 26 April 2024 acts as the primary skeleton, while the Royal Decree of 9 June 2024 provides the “muscle”: the practical details on how to actually notify the authorities when things go sideways.

Scope and “Auto-Identification” (with a Belgian footnote)

One of the biggest shifts is how entities enter the scope. Under the old NIS1 rules, the government had to tap you on the shoulder. Now, in practice, it’s a “figure it out and register yourself” regime: if you meet the criteria, you’re in. The big implication is that a lot more organizations need to do a serious scope check instead of waiting for a notice.

That said, Belgium does keep some formal identification in the mix for specific cases (especially around critical infrastructure). So: assume you’re responsible for determining scope, but don’t be surprised if certain categories are still “officially designated.”

Essential Entities vs Important Entities (it’s not just size)

I’ll break down the two tiers, but here’s the important nuance: EE vs IE is mainly sector-driven, and the size thresholds are more like the “default gate” (with exceptions).

  • Essential Entities (EE): Typically, entities in the higher-criticality sectors (think Annex I type sectors) that meet the size/exception rules. These get the heavier oversight treatment.
  • Important Entities (IE): Typically, entities in other in-scope sectors (Annex II type sectors), again subject to the size/exception rules, but supervised a bit less aggressively.

About size: you’ll often see “medium enterprise and up” used as the practical baseline (e.g., 50+ employees and €10m+ turnover/balance sheet criteria), and “large” organizations (250+ employees / €50m turnover) obviously fall in scope when the sector fits. But don’t treat those numbers like the whole story: sector and exceptions matter.

Regardless-of-size exceptions: Some categories are in scope even if they’re tiny, for example, certain DNS/TLD/domain-name-related services, public electronic communications networks/services, and certain trust services.

So yes, there are “you’re in no matter what” cases; just don’t assume every digital business automatically qualifies for that exception.

The Financial and Public Sector Exceptions

Belgium exercised a specific option to exclude the banking and financial market sectors from the local NIS2 law. This is because these entities are already sweating over the Digital Operational Resilience Act (DORA). Instead of double-regulating them, the Belgian law lets DORA take the lead while maintaining a liaison with the National Bank of Belgium (NBB).

Furthermore, although public administrations are in scope, Belgium decided not to impose administrative fines on public administrations in the “public administration sector.” If a municipality fails to secure its data, the Centre for Cybersecurity Belgium (CCB) will issue binding instructions rather than a multi-million euro bill.

Quick reality check, though: “public” doesn’t automatically mean “no fines.” A public entity that’s in scope under another sector (health is the classic example) can still be fined like any other entity. So don’t treat this as a blanket public-sector shield.

Real Roadmap: 2025 and Beyond

Since the law is already implemented, we are no longer looking at an “estimated” roadmap. We are in the thick of the enforcement phase. Here is the schedule for what I call the “compliance ramp-up.”

Q1 – Q2 2025: The Registration Close-out

By the end of March 2025, the grace period for initial registration via the Safeonweb@Work portal officially ended. The CCB launched a suite of tools during this time, including a scope assessment tool, to help the “compliance-anxious” determine exactly where they stand.

2025 onward: Supervision gets real

This is the part most teams miss: the transition from “paper compliance” to “active supervision.” After registration deadlines, the CCB and sectoral regulators (including BIPT for relevant sectors) can move into more formal supervision activities — and yes, that can include audits and evidence requests. If you’re an Essential Entity, expect a higher degree of scrutiny than an Important Entity.

2026 – 2027: The CyberFundamentals / ISO milestones

The Belgian law includes specific milestones for demonstrating security maturity through the CyberFundamentals framework or ISO standards.

Deadline | Requirement for Essential Entities
18 Apr 2026 | Reach Basic or Important CyFun assurance level (via verification/assessment).
18 Apr 2026 | Alternative: Submit an ISO 27001 Statement of Applicability to CCB.
18 Apr 2027 | Reach Essential CyFun assurance level (the “top” maturity target).
18 Apr 2027 | Alternative: Achieve full ISO/IEC 27001 certification.

Enforcement and Fines

I’ll be honest: the NIS2 penalties in Belgium are designed to be “dissuasive.” The law isn’t just looking for a slap on the wrist; it’s looking for a change in culture. The Belgian authorities have a tiered regime that mirrors the EU caps.

The Financial Hit

For Essential Entities, the maximum fine is the higher of €10,000,000 or 2% of total worldwide annual turnover. For Important Entities, it’s €7,000,000 or 1.4%.

Even minor “procedural” failures, like not cooperating with inspectors, failing to provide required information, or breaching specific compliance obligations (including protections around good-faith compliance/reporting), can trigger fines in the lower range (the “this is annoying but still painful” category).

Personal Accountability

This is where the C-suite needs to pay attention. Article 20 of the Directive (reflected in Belgian law) makes directors personally responsible for approving and overseeing cybersecurity measures. If there is repeated failure to address risks, regulators can impose measures, including temporarily barring members of the management body from exercising managerial responsibilities until the organization has taken the necessary corrective steps.

It’s no longer just a “tech problem”; it’s a “keep your job” problem.

Short Checklist: How to Prepare

If you’re feeling the pressure, don’t worry. I’ve distilled the massive Belgian law into a few actionable steps to get your house in order.

  • Verify Your Tier: Use the CCB Scope Test Tool to determine whether you are an EE or an IE.
  • Register Immediately: If you haven’t, get onto the Safeonweb@Work portal today. This is a non-negotiable legal requirement.
  • Adopt CyFun: Start mapping your current controls against the CyberFundamentals framework. It’s the closest thing to a “cheat sheet” for Belgian compliance.
  • Fix Your Reporting: Ensure your incident response plan includes the “24h/72h” notification rule. You’ll be reporting these via notif.safeonweb.be.
  • Brief the Board: Ensure your directors have undergone cybersecurity training. They need to sign off on your risk analysis, and they need to know why.

For teams looking to streamline this, tools like Copla can be a huge help. Copla provides the visibility and audit readiness needed to track these various deadlines and requirements in one place, effectively automating the evidence collection you’ll need for those 2026 milestones.

Make NIS2 Compliance a Calm, Continuous Operating System, Not a Last-Minute Audit Project

Copla is built for teams that need NIS2 compliance without burning out staff or blowing the budget. It combines an automation-first GRC platform with experienced CISO oversight. That gives you four clear advantages:

  • Cuts compliance workload by up to 80%
  • Automates key NIS2 tasks across controls, evidence, and registers
  • Guides execution step by step with clear ownership and built-in prompts
  • Gives you CISO-level leadership without hiring a full internal team

On top of that, teams typically save €60K+ per year versus adding in-house capacity for the same workload, while staying continuously audit-ready, not “ready when the audit starts.”

Moving Toward Resilience

The NIS2 Belgium transposition is undeniably complex, but it’s also a unique opportunity to finally get the budget and board-level attention that cybersecurity deserves. By moving toward a risk-based approach and leveraging the CyberFundamentals framework, you’re not just checking a box for the CCB; you’re building a more resilient business.

I recommend starting with a gap analysis between your current state and the “Important” level of the CyFun framework. This will give you a clear roadmap for the next 18 months.


He is a regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.