Cyber risk is no longer merely a technical issue; it is a serious business risk. In today's digital environment, a cyber incident is not a question of if, but when. Cybercriminals are evolving rapidly, leveraging increasingly sophisticated techniques such as AI-driven phishing and ransomware-as-a-service.
Cyber resilience is therefore no longer a ‘nice-to-have’ – it is critical to protect operations, data and reputation. Organisations must implement both preventive and responsive measures, tailored to their risk profile. This approach lies at the core of the European NIS2 Directive, which introduces a structured framework for anticipating, managing and responding to cyber threats.
While adopted at EU level, the Directive only becomes binding for organisations once it is translated into national legislation by each Member State. In Belgium, the NIS2 Act has been in force since 18 October 2024. The coming years will be marked by several key deadlines, with a first major milestone fast approaching on 18 April 2026. By then, organisations must be able to demonstrate compliance in practice – not just on paper.
Does the NIS2 Act apply to your company?
Compared with the previous NIS regime, the NIS2 Act significantly broadens the scope and now applies to a wide range of organisations across various sectors, including but not limited to energy, transport, healthcare and digital infrastructure. Applicability is determined by two key criteria:
- the sector in which your company operates; and
- the size of the organisation, with a focus on medium-sized and large enterprises (certain entities, such as some digital infrastructure providers, are in scope regardless of size).
The NIS2 Act distinguishes between ‘essential’ and ‘important’ entities, each subject to different levels of obligations and supervision. The Centre for Cybersecurity Belgium (CCB) provides a practical online tool to assess whether your organisation falls within scope.
Organisations should not take a narrow view. Even if they fall outside the formal scope, they may still be impacted — for example, through contractual requirements in the supply chain of in-scope entities.
Current obligations under the NIS2 Act
Since October 2024, organisations in scope must comply with a number of obligations, including:
- registration via Safeonweb@work (the initial registration deadline was 18 March 2025);
- implementation of appropriate cyber risk management measures;
- reporting of significant incidents to the CCB, in stages: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month;
- management accountability (including oversight and training); and
- cooperation with the competent authorities.
From compliance on paper to compliance in practice
From 18 April 2026, the focus shifts: having policies and procedures on file will no longer be sufficient – organisations must be able to demonstrate that the measures are actually implemented and effective. Essential entities will need to undergo a formal conformity assessment or certification. Important entities must be able to evidence compliance, particularly in the context of supervision or audits. In practice, compliance must become verifiable and defensible: every control should be traceable to evidence (configurations, logs, test results, training records) that an assessor or supervisor can review.
Choosing the right compliance route
Companies can choose between different compliance approaches:
- CyberFundamentals (CyFun®): A Belgian framework developed by the CCB, focused on practical security measures and structured in assurance levels (Basic, Important and Essential for entities in scope of NIS2). Often the most pragmatic route for organisations with a lower maturity level.
- ISO/IEC 27001: An internationally recognised standard based on a full Information Security Management System (ISMS). More comprehensive, but also more resource-intensive.
- CCB inspection route: A supervisory approach based on self-assessment and follow-up by the authorities. A potential fallback where timing or resources are constrained.
Non-compliance is not an option
Failure to comply can result in administrative fines of up to 10 million euro or 2% of worldwide annual turnover for essential entities, and up to 7 million euro or 1.4% of worldwide annual turnover for important entities, whichever is higher. Management can also be held personally accountable. However, the real risk goes beyond financial penalties – it includes operational disruption and reputational damage.
How we can help
Now is the time to assess whether your organisation falls within scope, evaluate your current cybersecurity maturity, determine the most appropriate compliance route and identify remaining gaps.
The NIS2 Act is not just a regulatory burden – it is an opportunity to build a more resilient and future-proof organisation. Navigating the NIS2 Act requires both legal and practical insight. We assist companies in determining whether they fall within scope, translating legal obligations into concrete actions, and preparing for certification or supervisory review.
Questions on how the NIS2 Act impacts your business? We are happy to help.
Want more details?
More information available on the website of the CCB or Safeonweb.
For any questions, contact Nuans.
