Belgium
(a) What is the NIS2 implementation status?
The Belgian NIS2 law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (“NIS2 Law”) and the Royal Decree of 9 June 2024 implementing that law were published in the Belgian Official Gazette.
FAQ document in relation to the implementation of the NIS2 directive in Belgium
(b) What is the envisaged NIS2 implementation timeline?
The NIS2 Law and the Royal Decree will enter into force on 18 October 2024 (art. 98). As a result, and barring exceptions, all the obligations of the law and the royal decree will apply to essential and important entities (cybersecurity measures, incident reporting, etc.) from that date.
By way of derogation:
(i) the obligation to register will be phased in over time, with a timeframe that depends on the type of entity; and
(ii) the regular conformity assessment of essential entities will also follow a gradual and differentiated implementation depending on the reference system chosen.
Awaiting implementation of NIS2, the rules of the current Belgian NIS Law of 7 April 2019 will remain applicable.
(c) What does the NIS2 mean for other national cybersecurity legislation?
There is currently no draft law implementing NIS2 available, so the influence on other national cybersecurity legislation is not entirely known at this stage.
Belgian legislation that might be impacted relates, inter alia, to data protection and critical infrastructures, including (i) the Joint directive of the Ministers of Justice and of the Interior of 13 July 2021 on the measures necessary to include the management and security, traceability and integrity of the personal data and the information processed in the databases referred to in article 44/2 of the Police Service Act; (ii) the Law of 1 July 2011 on the security and protection of critical infrastructures; (iii) the Royal Decree of 12 July 2019; (iv) the Law of 13 June 2005 on electronic communications; and (v) the Law of 20 July 2022 on the cybersecurity certification of information and communication technologies.
For financial market participants, the implementation of NIS2 will have to be analysed together with the Digital Operational Resilience Act (DORA), which is a Regulation and does not need further transposition in Belgium.
(d) Who will be the supervisory authority and how are they preparing the market?
The main supervisory authority for Belgium is the Centre for Cyber Security Belgium (“CCB”). Their role is to supervise and monitor the application of the Belgian cyber security strategy. They ensure coordination between the public authorities (NCCN; NNB; FSMA; BIPT; etc.) and the private or academic sectors.
The CCB created a Cyberfundamentals Framework which is a set of concrete measures to protect data, reduce the risk of the most common cyber-attacks and increase an organisation’s cyber resilience. To facilitate the use of the Cyberfundamentals Framework, they have implemented certain tools (CyFun Selection Tool, CyFun Self-Assessment tool and the Cyberfundamentals Framework mapping). The Cyberfundamentals are structured into 4 levels, with each successive level containing slightly more measures than the previous one: beginner level SMALL, followed by BASIC, IMPORTANT and ESSENTIAL. The levels IMPORTANT and ESSENTIAL are already adapted to the requirements set out in NIS2.
In addition, the CCB regularly publishes newsletters (including updates on the NIS2 and what it means for the private actors in Belgium).
(e) What should you be doing/on the lookout for?
Without waiting for transposition into Belgian legislation, Belgian companies should start to prepare for the general obligations arising from NIS2.
Due to the enlarged scope of NIS2, the first assessment should be to verify whether your company falls within the scope of NIS2, whether as an important or an essential organisation. Furthermore, a gap analysis and/or audit can help to identify possible threats and risks and to verify where and how the level of cybersecurity needs to be raised (e.g. providing for cybersecurity policies, supply chain security, access control, incident handling procedures, training of personnel, etc.).
Contact
Caroline Schell E: carolineschell@eversheds-sutherland.be
© Eversheds Sutherland. All rights reserved.