Beltug continues to monitor the process for the NIS2 implementation in Belgium, and provide insight and knowledge-sharing for our members.

What is the current status?

“The public consultation on the draft NIS2 law was a great success,” states the Centre for Cyber security Belgium (CCB). “More than 300 comments were received from around 60 participants, which shows the significant interest of companies, public authorities and individuals in this issue. These comments, and the required formal opinions, will be used in the coming weeks by the inter-ministerial working group to adapt the draft texts or to provide additional explanations in the explanatory memorandum.”

Will the law be approved before the parliament dissolves in May?

“Every effort will be made to ensure that this Law and its Royal Decree are adopted before the deadline for transposition of the NIS2 Directive, i.e. 17 October 2024.” is the official information. One can see the prudent formulation: October not June.

What stages has the draft implementation law and draft royal decree passed?

The draft regulations have already passed several stages:

  • State Council (Conseil d’Etat – Raad van State), which verifies if the law is in line with the current applicable laws, amongst other separation of powers between Federal and Regional level: approval with some remarks
  • College of Attorneys General, which provides advice from the judicial branch: approval
  • Privacy authority: ‘standard’ approval (more a form of ‘abstention’).
  • Public consultation for comments: completed

What stages are still to go?

We are still awaiting:

  • Agreement within the government on the modifications, following all the advice and input received
  • Approval from the Federal Parliament

Questions and next steps

Beltug members still face a number of questions around the NIS: Will the draft law be approved? Will you know what to do? Will you know whether you have to implement NIS2, including registering before May 2025?  Will you know what to do as a supplier?  Here are a few insights into these issues:

  • We hear that the approval might derail because of discussions between the federal and regional levels. We are collecting more information, but reach out to us if you have a view on whether regional levels should also have authority, their own analysis, etc.
  • If the draft laws pass, it will become gradually clearer what you will have to do, but this will still take some time. Two practical implementation frameworks are ISO27001 for your whole organisation or the CyberFundamentals framework, but whether you have the option of choosing your own framework and getting inspections will need some clarification.
  • Clarifications on the scope will still be needed, as this depends on the European level. While we haven’t had direct communication with the European Commission on this matter, members have told us that currently the Commission is keeping the scope broad. It is our opinion at this time that the Commission will only begin officially clarifying the scope through Q&A documents and implementation acts once the transposition period has ended (17 October).
  • The impact on the supply chain is less clear, but certainly organisations falling under the NIS2 will have to analyse their supply chain and take actions. So suppliers will feel the effect.

In conclusion, the NIS2 implementation is moving forward, but the need for clarification remains. Furthermore, there might be a political discussion between the federal and regional levels brewing.

If you have an opinion on all of this, don’t hesitate to share it with us!