Under the EU NIS2 Directive, certain organizations classified as essential and important entities are legally required to take cybersecurity risk-management measures. Essential entities shall demonstrate cybersecurity maturity. The Directive covers sectors such as energy, transport, health, finance, digital infrastructure, and public administration.
Failure to comply can result in audits, corrective measures, and administrative fines.
The Centre for Cybersecurity Belgium developed a tool to determine whether your entity falls under the NIS2 law or not. Refer to this link to find the tool.
Obligations of Essential and Important Entities under the NIS2 Law (Belgium)
The Belgian NIS2 law, which transposes the EU Directive 2022/2555, imposes several cybersecurity obligations on entities deemed essential or important for the functioning of society and the economy.
1. Registration
Entities falling within the scope of the NIS2 law must register with the Centre for Cybersecurity Belgium (CCB) via the Safeonweb@work platform. This registration is mandatory and ensures that the CCB can effectively supervise and support these entities.
2. Cybersecurity Risk Management Measures
Both essential and important entities are required to implement appropriate technical, operational, and organizational measures to manage cybersecurity risks. These measures aim to:
- Secure network and information systems.
- Prevent incidents.
- Minimize the impact of incidents on customers and services.
3. Supply Chain Security
Essential and important entities must take appropriate and proportionate cybersecurity risk-management measures covering their supply chain. This is also why many companies outside the NIS2 scope adopt CyFun®, either to strengthen their cybersecurity governance or because a customer, supplier, or partner requires proof of compliance.
4. Notification of Significant Incidents
Entities must report any significant incidents to the national CSIRT, which in Belgium is the CCB. This includes:
- Incidents causing severe operational disruption.
- Incidents with potential cross-border effects.
- Financial or reputational damage.
The reporting process includes:
- Initial notification within 24 hours.
- Detailed incident report within 72 hours.
- Final report within one month.
5. Obligations for Management
The management bodies of NIS2 entities are responsible for:
- Approving cybersecurity risk-management measures and supervising their implementation.
- Following training to ensure that their knowledge and skills are sufficient to identify risks and their treatment.
In case of non-compliance, management can be held liable.
6. Supervision
- Essential entities must undergo regular compliance assessments, choosing one of the following:
- CyberFundamentals certification or verification.
- ISO/IEC 27001 certification.
- Audit by the CCB's audit service.
- Important entities are not required to undergo a regular compliance assessment.
7. Sanctions
Essential and important entities that do not meet their obligations can be subjected to a series of administrative measures and fines.