Scope of application

NIS2 repeals and replaces the NIS1 Directive (Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union), which was deemed insufficient in addressing the escalating number of incidents associated with the digitization of society. NIS1 had already set certain minimum cybersecurity standards for companies and sectors deemed critical to society, which included "digital service providers" (online search engines, online marketplaces and providers of cloud computing services) and "operators of essential services" (e.g. in the energy, healthcare and transportation sectors). The entities concerned were, among other things, obliged to implement technical and organisational security measures and to notify serious cybersecurity incidents to the national cybersecurity authority.

Under NIS2, twelve additional sectors are mandated to institute cybersecurity risk management measures and follow incident notification obligations. The new rules also strengthen and streamline security and reporting requirements by establishing a minimum list of key elements that all entities must consider or implement, including incident management, supply chain security, and vulnerability handling and disclosure.

The entities concerned are divided into two main categories, "Essential Entities" and "Important Entities" (the first one being subject to the strictest obligations):

Organisations in the sectors concerned (with some exceptions) will be covered by NIS2 if they meet certain thresholds in terms of size (employee headcount and annual turnover).

They will be subject to strict minimum cybersecurity risk management requirements, such as having risk analysis policies in place, providing for proper incident handling, auditing and testing, and performing cybersecurity supply chain due diligence (to assess the cybersecurity practices of suppliers and service providers). The rules on incident notification have also been tightened.

By 17 April 2025, Member States are required to establish a list of the entities covered by NIS2, with the option to require entities to self-register.

How has Belgium tackled the transposition of the NIS2 Directive?

Belgium has decided to make use of the possibility to expand the list of entities subject to the NIS2 regime. More precisely, the Belgian transposition law permits the inclusion of additional sectors and sub-sectors, as well as the expansion of the existing list, by royal decree. Additionally, the national regulator has the flexibility to add specific entities to the list. Consequently, an entity that is presently not concerned or listed may still be included in the future.

Given the significant number of entities likely concerned by NIS2, entities are asked to self-register within either two or five months of the law coming into effect. A platform will be made available for this purpose.

Belgium also extended the list of risk management measures and information obligations. As a consequence, entities falling under the Belgian NIS2 law must adopt a coordinated vulnerability disclosure policy and conduct a comprehensive risk analysis that considers all potential risks, in order to safeguard networks, information systems and physical environments against incidents. Based on this assessment, they must develop a security policy for information systems and networks, incorporating the elements stipulated by law. The list of obligations can still be extended by royal decree.

Finally, the Belgian legislator has outlined the framework for supervision of compliance with NIS2. Key aspects include the identification of the relevant authority (the national CSIRT), the Centre for Cybersecurity Belgium ("CCB"); the possibility for "Important Entities" to voluntarily undergo a pre-assessment, which is mandatory for "Essential Entities"; and the provisions regarding administrative actions and fines.

Sanctions

Under NIS2, the national regulator may issue binding injunctions and administrative fines of up to EUR 10 million or 2% of the annual worldwide turnover (whichever is higher) for "Essential Entities", and up to EUR 7 million or 1.4% of the annual worldwide turnover (whichever is higher) for "Important Entities".

Note that directors and management bodies can also be held liable for a company's non-compliance with NIS2, as they are responsible for implementing the required measures and are required by law to follow appropriate cybersecurity training.

What's next?

Essential and Important Entities have until 18 October 2024 to effectively organize their NIS2 compliance. On that date, the new cybersecurity regime will apply to them.

Additionally, for certain companies, notably those active in the financial sector, additional cybersecurity requirements will apply from 1 January 2025 pursuant to the Digital Operational Resilience Act, whose further implementation is currently also being discussed in the Belgian parliament.
