Belgium
(a) What is the NIS2 implementation status?
On 18 October 2024, the Belgian Act of 26 April 2024 and the accompanying Royal Decree of 9 June 2024, transposing the NIS2 Directive, came into effect. Belgian law provides for certification through the CyberFundamentals Scheme.
While a limited number of entities (DNS service providers, TLD name registries, providers of domain registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines and social networking services) must be registered by 18 December 2024, most NIS2 entities have until 18 March 2025 to register with the CCB via Register my organisation | CCB Safeonweb.
(b) What is the envisaged NIS2 implementation timeline?
The NIS2 Law and the Royal Decree will enter into force on 18 October 2024 (art. 98). As a result, and barring exceptions, all the obligations of the law and the royal decree will apply to essential and important entities (cybersecurity measures, incident reporting, etc.) from that date.
By way of derogation:
The obligation to register will be phased in over time, with the timeframe depending on the type of entity; and
The regular conformity assessment of essential entities will also follow a gradual and differentiated implementation depending on the reference system chosen.
Awaiting implementation of NIS2, the rules of the current Belgian NIS Law of 7 April 2019 will remain applicable.
(c) What does the NIS2 mean for other national cybersecurity legislation?
There is currently no draft law implementing NIS2 available, so the influence on other national cybersecurity legislation is not entirely known at this stage.
Belgian legislation which might be impacted relates, inter alia, to data protection and critical infrastructures, including (i) the Joint directive of the Ministers of Justice and of the Interior of 13 July 2021 on the measures necessary to include the management and security, traceability and integrity of the personal data and the information processed in the databases referred to in article 44/2 of the Police Service Act; (ii) the Law of 1 July 2011 on the security and protection of critical infrastructures; (iii) the Royal Decree of 12 July 2019; (iv) the Law of 13 June 2005 on electronic communications; and (v) the Law of 20 July 2022 on the cybersecurity certification of information and communication technologies.
For financial market participants, the implementation of NIS2 will have to be analysed together with the Digital Operational Resilience Act (DORA), which, as a Regulation, does not need further transposition in Belgium.
(d) Who will be the supervisory authority and how are they preparing the market?
The main supervisory authority for Belgium is the Centre for Cyber Security Belgium (“CCB”). Their role is to supervise and monitor the application of the Belgian cyber security strategy. They ensure coordination between the public authorities (NCCN; NNB; FSMA; BIPT; etc.) and the private or academic sectors.
The CCB created a Cyberfundamentals Framework which is a set of concrete measures to protect data, reduce the risk of the most common cyber-attacks and increase an organisation’s cyber resilience. To facilitate the use of the Cyberfundamentals Framework, they have implemented certain tools (CyFun Selection Tool, CyFun Self-Assessment tool and the Cyberfundamentals Framework mapping). The Cyberfundamentals are structured into 4 levels, with each successive level containing slightly more measures than the previous one: beginner level SMALL, followed by BASIC, IMPORTANT and ESSENTIAL. The levels IMPORTANT and ESSENTIAL are already adapted to the requirements set out in NIS2.
In addition, the CCB regularly publishes newsletters (including updates on the NIS2 and what it means for the private actors in Belgium).
The CCB provides an online platform where NIS2-related incidents can be notified: Report a Cyber Incident to the CCB.
(e) What should you be doing/on the lookout for?
Due to the enlarged scope of NIS2, the first assessment should be to verify whether your company falls within the scope of NIS2, whether as an important or an essential organisation. Furthermore, a gap analysis and/or audit can help to identify the possible threats and risks and to verify where and how the level of cybersecurity needs to be raised (e.g. putting in place cybersecurity policies, supply chain security, access control, incident handling procedures, training of personnel, etc.).
The National Center for Cybersecurity Belgium (the “NCC-BE”) has published guidelines to apply to cybersecurity funding under the Digital Europe Programme (the “DEP”). The document walks applicants through the entire process, from finding relevant calls to submitting proposals. Enclosed we provide you with the guidelines.
Contact
Caroline Schell E: carolineschell@eversheds-sutherland.be