Belgium

(a) What is the NIS2 implementation status?

On 18 October 2024, the Belgian NIS2 Act of 26 April 2024 and the accompanying Royal Decree of 9 June 2024 transposing the NIS2 Directive have come into effect. Belgian law provides for certification through the CyberFundamentals Scheme.

(b) What is the envisaged NIS2 implementation timeline?

For entities affected by the Belgian NIS2 Law the following timelines apply:

• Notification: Starting from 18 October 2024, all NIS2 entities are required to notify the Centre for Cybersecurity Belgium (CBB) about significant incidents via their website.
• Registration: While a limited numbers of entities (DNS service providers, TLD name registries, providers of domain registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online market places, online search engines and social networking services) must be registered by 18 December 2024, most NIS2 entities have until 18 March 2025 to register with the CCB via Register my organisation | CCB Safeonweb.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The Belgian NIS2 law has replaced the prior Belgian NIS1 Law.

(d) Who will be the supervisory authority and how are they preparing the market?

The main supervisory authority for Belgium is the Centre for Cyber Security Belgium (“CCB”). Their role is to supervise and monitor the application of the Belgian cyber security strategy. They ensure coordination between the public authorities (NCCN; NNB; FSMA; BIPT; etc.) and the private or academic sectors.

The CCB created a Cyberfundamentals Framework which is a set of concrete measures to protect data, reduce the risk of the most common cyber-attacks and increase an organisation’s cyber resilience. To facilitate the use of the Cyberfundamentals Framework, they have implemented certain tools (CyFun Selection Tool, CyFun Self-Assessment tool and the Cyberfundamentals Framework mapping). The Cyberfundamentals are structured into four levels, with each successive level containing slightly more measures than the previous one: beginner level SMALL, followed by BASIC, IMPORTANT and ESSENTIAL. The levels IMPORTANT and ESSENTIAL are already adapted to the requirements set out in NIS2.

In addition, the CCB regularly publishes newsletters (including updates on the NIS2 and what it means for the private actors in Belgium).

(e) What should you be doing/on the lookout for?

Due to the enlarged scope of NIS2, the first assessment should be to verify whether your company falls within the NIS2, whether it being as an important or an essential organisation. Furthermore, a gap analysis and/or audit can help with verifying the possible threats, risk and to verify where and how the level of cybersecurity needs to be raised (e.g. foreseeing cyber security policies; having supply chain security; access control; and incident handling procedures; training of personnel, etc.).

It is of great importance that all NIS2 entities register on Safeonweb@Work. On this website you can also find the NIS2 Quickstart Guide that the CBB has formulated to help companies comply with the Belgian NIS2 legislation.

The CCB has published guidelines to apply to cybersecurity funding under the Digital Europe Programme (the “DEP”). The document walks applicants through the entire process, from finding relevant calls to submitting proposals.