NIS2 in Belgium
Everything you need to know about the NIS2 directive in Belgique / Belgie: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.
Belgium moved early on NIS2: the Law of 26 April 2024 entered into force on 18 October 2024, making it one of the first member states with binding national rules. The Centre for Cybersecurity Belgium (CCB) is both the competent authority and the national CSIRT, and Belgium is distinctive in offering an assessable conformity route — its own CyberFundamentals (CyFun) framework, or ISO 27001 — rather than leaving 'appropriate measures' undefined. Because the law is already in force, Belgian entities are past the run-up phase: registration was due by 18 March 2025 and supervision is live.
Key facts at a glance
Law of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of general interest for public security (Belgian NIS2 Law), with the Royal Decree of 9 June 2024
Adopted / in force: 2024-10-18
Centre for Cybersecurity Belgium (CCB)
https://ccb.belgium.beUp to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher)
Up to EUR 7 million or 1.4% of total worldwide annual turnover (whichever is higher)
These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.
How CyFun maps to NIS2
Each maturity level of CyFun — the national framework for NIS2 — shown against the NIS2 controls it covers. This is the authority's own correspondence, not a generic article list: where a maturity level has no direct NIS2 control nexus, we say so.
| Maturity level (CyFun) | NIS2 control(s) | ISO 27001 correspondence | Status |
|---|---|---|---|
| Basicbasic | Art. 20(1) Art. 20(2) Art. 21(2)(a) Art. 21(2)(b) Art. 21(2)(c) Art. 21(2)(e) Art. 21(2)(g) Art. 21(2)(h) Art. 21(2)(i) | Partial coverage | |
| Importantimportant | Art. 20(1) Art. 20(2) Art. 21(2)(a) Art. 21(2)(b) Art. 21(2)(c) Art. 21(2)(d) Art. 21(2)(e) Art. 21(2)(f) Art. 21(2)(g) Art. 21(2)(h) Art. 21(2)(i) Art. 21(2)(j) | Covered | |
| Essentialessential | Art. 20(1) Art. 20(2) Art. 21(2)(a) Art. 21(2)(b) Art. 21(2)(c) Art. 21(2)(d) Art. 21(2)(e) Art. 21(2)(f) Art. 21(2)(g) Art. 21(2)(h) Art. 21(2)(i) Art. 21(2)(j) | Covered |
Mapping derived from the authority's published CyFun framework. Reglyze maintains it as the source data evolves — see the platform for the full control-by-control view.
Priority sectors for NIS2 in Belgium
NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where Belgium's transposition and CCB supervision focus most.
Public sector and entities of general interest
Belgium frames the law around 'network and information systems of general interest for public security', and federal/regional public-sector bodies are squarely in scope. The CCB has pushed public administrations toward CyFun assurance levels as the practical baseline.
Energy, transport, finance and health
Classic Annex I essential sectors — Belgium hosts EU institutions, the Port of Antwerp-Bruges and major energy/finance infrastructure — face proactive supervision and are expected to reach higher CyFun (or ISO 27001) assurance levels given their criticality.
Manufacturing, digital providers and MSPs
Mid-sized manufacturers and digital-service providers enter as important entities above the 50-employee / EUR 10M threshold; managed service providers and digital infrastructure are caught regardless of size and carry supply-chain duties toward Belgian clients.
Key deadlines
2024-10-18
The Belgian NIS2 Law entered into force. In-scope essential and important entities are legally bound.
2025-03-18
Registration deadline with the CCB for essential and important entities — five months after entry into force.
Is your company in scope? Common Belgium scenarios
Two worked examples of how NIS2 scoping plays out in Belgium. Not sure where you land? Run the free NIS2 scope checker.
Energy is an Annex I sector and an operator of this size is an essential entity under the Belgian NIS2 Law. It had to register with the CCB by 18 March 2025, must implement the risk-management measures (CyFun or ISO 27001), and is subject to proactive CCB supervision with the 24h/72h/1-month incident cadence.
Digital service provision falls under Annex II. Above the 50-staff / EUR 10M threshold the company is an important entity: it must register with the CCB, can demonstrate measures via a CyberFundamentals assurance level, and faces ex-post supervision triggered by incidents or complaints.
What Belgium businesses need to know
Belgium was one of the first EU member states to transpose NIS2: the Law of 26 April 2024 (published 17 May 2024) entered into force on 18 October 2024, with the Royal Decree of 9 June 2024 implementing it.
The Centre for Cybersecurity Belgium (CCB) is both the national cybersecurity authority and the national CSIRT (CERT.be); sectoral authorities support it in supervision.
Belgium offers two routes to demonstrate the risk-management measures: the CCB's home-grown CyberFundamentals (CyFun) framework or ISO/IEC 27001 — a distinctive, assessable conformity path.
Essential and important entities had to register with the CCB within five months of entry into force — by 18 March 2025.
Significant incidents follow the NIS2 24-hour early warning, 72-hour notification and one-month final-report cadence, filed via the CCB / Safeonweb@work portal.
How CCB enforces NIS2 in Belgium
The CCB supervises essential entities proactively (ex-ante) and important entities ex-post, and acts as the single point of contact and national CSIRT. Belgium's distinctive lever is the CyberFundamentals (CyFun) framework: entities can demonstrate conformity through a CyFun assurance level (Basic / Important / Essential) or ISO 27001, which turns 'appropriate measures' into an auditable target. Fines mirror the directive — up to EUR 10M / 2% for essential and EUR 7M / 1.4% for important entities. Registration via the CCB / Safeonweb@work portal was due by 18 March 2025, so Belgian entities are already inside the live supervision regime.
NIS2 in Belgium: frequently asked questions
- Is NIS2 in force in Belgium?
- Yes. The Belgian NIS2 Law of 26 April 2024 entered into force on 18 October 2024 — one of the earliest transpositions in the EU. Obligations are binding now, and registration with the CCB was due by 18 March 2025.
- What is CyberFundamentals (CyFun) and do we have to use it?
- CyberFundamentals (CyFun) is the CCB's own risk-management framework, with assurance levels (Small, Basic, Important, Essential) mapped to entity criticality. Belgian entities can demonstrate the NIS2 risk-management measures via a CyFun assurance level OR via ISO/IEC 27001 — you are not forced into CyFun, but it is the path the CCB actively supports.
- Who is the NIS2 authority in Belgium?
- The Centre for Cybersecurity Belgium (CCB) is both the national cybersecurity authority and the national CSIRT (CERT.be), designated by the Royal Decree of 9 June 2024. Sectoral authorities assist the CCB with supervision in specific sectors.
- How high are NIS2 fines in Belgium?
- Essential entities face administrative fines up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher); important entities up to EUR 7 million or 1.4%. The CCB can also impose supervisory measures and, for essential entities, more intrusive enforcement.
Official sources
Primary references for NIS2 in Belgium — verify the latest text and deadlines directly with the authority.