You can find the actual EU directive here, including Annex I with sectors of high criticality (essential entities) and Annex II with other critical sectors (important entities). As you will see, the scope, based on the sectors, is the most-asked question. Interestingly, this is an EU-wide aspect, so it is already in the directive, and has not been changed by Belgium.

Is the Belgian adoption of the legislation on time?

Belgium transposed the NIS2 directive on 26 April, so it is on time. This means that from 18 October onwards, you will have to:

  • Register at the website if your organisation needs to follow the NIS2 rules. You should do that by 18 March 2025. (A few specific entities – such as DNS service providers, cloud computing service providers, datacentres, etc. – need to register by 18 December 2024.)
  • Start taking cyber security measures (we know you already do, of course, but you should also analyse them thoroughly)
  • Notify incidents. Keep in mind that notifying an incident will not automatically lead to an inspection. Specifically, you must:
    • Notify within 24h that ‘something’ is happening (details on how will come, e.g. a call, an SMS, an online form)
    • Deliver a more complete report within 72 hours
    • Deliver the full report within 1 month
  • Be prepared for an inspection if you are an essential entity.

Is the Royal Decree published and what does it include?

While the broad security measures are in the law that has been published, how to implement them, as well as the timing details, are part of the Royal Decree published on 24 June. This allows more flexibility (as our government, not our parliament, can adapt these).

As was always the case, two frameworks have been put forward: the Cyber Fundamental Framework (CyFun) and the ISO 27001 framework. If you use one of these, and get verified or certified, you are presumed to be in conformity. Keep in mind that under the NIS2, the scope is your entire organisation, not just IT.

If you are an essential entity, you can also choose to be inspected by the CCB.

Essential entities must get certified or inspected. Important entities are not required to get verified or certified, but they must be able to show that they have implemented the broad measures, if asked by the CCB and/or the sectoral authority.

Beltug, together with Agoria and VBO–FEB, has obtained an adaptation to the Royal Decree that organisations using CyFun will be heard when the CCB (which developed the framework) makes changes to it. For example, if the CCB wants to add more focus on governance or to change the key measures, it must ensure organisations using CyFun can provide input. After all, these organisations prove their compliance to a law using CyFun, and non-compliance can result in fines of up to 2% of worldwide turnover or 10 million euro.

The Royal Decree also sets out the timing:

  • Important entities have until 18 April 2026 to have implemented the security measures
  • Essential entities have until 18 April 2027 to have implemented the security measures and to get certified or inspected by the CCB.

Considering that the scope is your whole organisation, and that entities must ensure their supply chains up and down can’t ‘infect’ them, the timing is indeed short.

“Is my organisation affected by, and especially in the scope of, the NIS2?”

The authorities are working on clarifying the scope. You can find the basics here, and a graphical overview that includes jurisdiction here.

While this remains the most common question asked about the NIS2, it seems we will have to wait a bit longer for an answer. However, you can already contact the CCB, so they will take your question into account when providing FAQ, etc.

If you have doubts about your organisation, you can already start analysing what you should do through the CyFun Basic, Important or Essential framework (depending on whether you expect to be ‘important’ or ‘essential’).

Responsibility of the Board and responsibility for the supply chain are new aspects of the legislation, as is the need to be able to prove things through policies and procedures. This means you should look at:

  • How your organisation involves your Board on cyber security. If you are in scope, they will carry the final responsibility.
  • How you analyse your suppliers in terms of cyber security. Can a hacker enter through the supply chain? What happens if your suppliers are hacked? How are you affecting your clients when you are hacked?
  • Have you documented what you are doing and what decisions you take in terms of cyber security? When you mitigate, transfer or accept a risk, can you show it to your clients, auditor or to the authorities? Do you have (up-to-date) security policies and procedures in place?

It is important to highlight that the scope is at EU-level, not Belgian-level. Certain issues have been resolved; for example, providing charging stations in your parking lot for staff members does not make you an energy company. More clarification will come, but it will take some time. In the meantime, you can get started!

“What can we do in the meantime?”

There are several things you can do in the meantime. The CCB provides this list of key, basic measures under the CyFun Basic level:

  • Identify who should have access to critical information and technology
  • Limit employee access to what they need to do their jobs
  • Ensure nobody has administrator privileges for daily tasks
  • Secure remote access, e.g., by using multi-factor authentication
  • Install and activate firewalls
  • Incorporate network segmentation and segregation
  • Install patches and security updates
  • Maintain and review (activity) logs
  • Install and update anti-virus, anti-spyware, and other anti-malware programs
  • Make backups and store them separately

“We are part of the supply chain for an NIS2 ‘essential’ or ‘important’ organisation. What should we do?”

The NIS2 makes organisations responsible for the security of their supply chains. The essential or important organisation must therefore carry out a risk analysis, including how relevant and how connected you are to them. Then, there should be a dialogue about how you should be protected.

If, for example, you are crucial for such an organisation’s IT, it will ask you to follow all measures possible. Should you choose to prove your compliance using the CyFun framework, follow the ‘Essential’ level.

Keep in mind: your compliance requirements aren’t simply based on the fact that you are in the supply chain of an essential or important organisation. Rather, they depend on the level of risk. So, if the organisation determines there are no risks associated with you, you may not need to do anything at all.

Is the situation still unclear? If there isn’t another IT-knowledgeable person in your own organisation that you can confer with, discuss the key measures of the CyFun Basic level (above, under ‘What can we do in the meantime?’) with your ICT suppliers. Managed (ICT) service providers with more than 50 employees or a turnover of more than €10 million also fall under NIS2, as ‘important’ or even, for large service providers, ‘essential’. That means you and they are facing the same requirements, and can surely have an interesting, and even enlightening, conversation!

CyFun or ISO 27001 certified accreditation bodies: a familiar process

In parallel with the legal implementation and development of frameworks, the CCB also works on ensuring there are certified accreditation bodies (CAB) ready to verify and/or certify entities. The process to achieve this will follow the same path as with other ‘norms’ such as ISO 9001 (quality) or ISO 14001 (environment).

An organisation that wants to verify or certify other organisations must fulfil several criteria, such as impartiality, soundness, stability, etc. It must also master the norm it will verify or certify, based on the practices set out by the scheme’s owner. For CyFun that is the CCB; for ISO 27001 it is the International Organisation for Standardisation (the federation of national standards bodies; in Belgium the Bureau voor Normalisatie/Bureau de Normalisation).

Then, the entity needs approval by an EU country that accepts the norm. While many EU States already accept ISO 27001, CyFun is currently only accepted by Belgium. In addition to the normal approval, the CCB has to rubberstamp the CABs; we expect it will have a list of CABs that can verify and certify.

As the Royal Decree sets out the frameworks, once it is published, the potential CABs can officially apply and start preparing for their double approval process. Once approved, their names will be shared. A simple internet search will already give you a list of CABs that can perform ISO 27001 certifications, but they will also have to get the CCB stamp to be used in this context.

We have heard there is an interest in the market to supply NIS2 certification services, so if all goes well, you will have some choice. In the meantime, you can already start to prepare, at least by having the key measures of Basic CyFun in place (and even the Important or Essential CyFun key measures, if you think you may need that level).