Audit41Readiness
🇧🇪Belgium

NIS2 in Belgium: What your organisation must do.

Law of 26 April 2024 · In force October 18, 2024

Belgium has transposed the EU NIS2 Directive. If your organisation operates in a covered sector, you are likely in scope and must comply with Centre for Cybersecurity Belgium (CCB) requirements.

23d 9h 9m

Conformity deadline

Essential entities must demonstrate conformity to CCB by April 18, 2026.

CCB conformity deadline: April 18, 2026

Essential entities in Belgium must demonstrate conformity to the CCB (Centre for Cybersecurity Belgium) by April 18, 2026. This applies to CyberFundamentals or ISO 27001 compliance paths.

Check your NIS2 scope — free →See Audit41 Readiness →

Entity classification

Are you an Essential or Important Entity?

Essential Entity

Annex I sector + large enterprise, or formally designated critical infrastructure

Penalties: up to €10M or 2% of global turnover

Proactive supervision — authorities can audit at any time

Important Entity

Annex I medium enterprise or Annex II medium/large enterprise

Penalties: up to €7M or 1.4% of global turnover

Reactive supervision — investigated when non-compliance is indicated

Not sure which classification applies to your organisation? The free self-check takes 3 minutes and tells you exactly where you stand — including Belgium-specific rules. Start free self-check →

What Belgium requires

Your obligations under Law of 26 April 2024.

1

Register via Safeonweb@Work portal (deadline was March 18, 2025)

2

Choose compliance framework: CyberFundamentals (CyFun) or ISO 27001

3

Essential entities: submit conformity proof to CCB by April 18, 2026

4

Important entities: voluntary conformity assessment, mandatory progress report by April 18, 2027

5

Management body must approve and oversee cybersecurity measures — personal liability applies

6

Report significant incidents within 24 hours (early warning) and 72 hours (full report)

7

Supply chain security due diligence required

ISO 27001 advantage

ISO 27001 gives you a presumption of conformity in Belgium.

Belgium is one of the few EU countries where ISO 27001 certification provides a presumption of conformity with NIS2 — accepted by CCB as equivalent to CyFun Essential level.

Sectors in scope in Belgium

EnergyTransportBanking and financial market infrastructureHealthDrinking waterWastewaterDigital infrastructureICT service managementPublic administration(federal public administration = essential)SpacePostal and courier servicesWaste managementManufacturing

What makes Belgium different

Belgium offers two accepted compliance paths: CyberFundamentals (CyFun) framework or ISO 27001 certification — your choice.

ISO 27001 gives a presumption of conformity — unique among major EU markets.

Directors face personal liability for non-compliance under Belgian law.

Federal public administration entities are automatically classified as essential.

Fines up to €10 million or 2% of global turnover — doubled for repeat offences.

Know exactly where you stand on NIS2 in Belgium.

The free self-check takes 3 minutes. It applies Belgium-specific rules, tells you your entity type, and recommends the right assessment plan.

Start Belgium self-check — free →