Belgium is currently in the process of putting the European NIS2 directive into Belgian law. As of 18 October 2024, organisations must comply, taking into account the 18 months implementation period for the security measures. As the Centre for Cybersecurity Belgium has put it “NIS2 is NIS1 on steroids”. The new legislation will involve a huge expansion of the number of entities and sectors in scope, there will be more precision in terms of the security measures to take, timing of incident reporting will match the rest of the EU, significant administrative sanctions will be imposed, and the Boards of organisations will become responsible for cyber security.

Informed and involved

Beltug has set up initiatives where our members can gather together to share their needs and insights. In the NIS2 sounding board, members discuss the process of transposing the EU law into Belgian law. These exchanges are based on information received from policy makers and authorities involved in the topic. We have covered the entire text of the legislation, including the parts on privacy and the chapter for the federal ministries.

We are using the contacts and trust we have built up over the years to speak directly with policy makers and those holding the ‘legislative pen’. We can bring them the ideas and concerns of the business users; for example, pointing out that, as organisations merge and engage in take-overs, not only are automated and easy-to-use registration mechanisms needed, but a deregistration mechanism as well. More fundamentally, we highlighted that the NIS2 must foresee a possibility for using biometrics for access control of very secure parts of our digital infrastructure, such as data centres or communications infrastructure.

From these conversations with policy makers, we can also bring back to our members perspectives and updates, to ensure they have the most correct and up-to-date information.

We exchange and collaborate with other sector organisations, and liaise on key issues for our members. And we ensured that our members were informed about the Cyberfundamentals Framework.

Sharing Beltug’s expertise

These actions have enabled Beltug to build expertise into the upcoming legal framework, which we continue to use to support our members. Levi Nietvelt recently held both an information session and a webinar for a Beltug member:

We are eager to use this insight to inform other in our network about the latest developments of the NIS2 transposition into Belgian law. There is already a lot of information that can bring some early transparency to organisations. We can shed light and debunk some of the myths that are around.”

Gradual but fast-approaching implementation

It’s important to keep in mind that the implementation of the NIS2 will be ‘gradual’ for important and essential entities, over 18 months starting in October 2024. If you are an essential entity, this may be extended 12 months, depending on the choice you make to show the regulator you are complying with the law. However, as all security experts know, 18 months is very short. We urge you to use the insight and the overview of measures communicated by Beltug and the organisations with which we collaborate, to get started now!