When the NIS2 Directive—short for the European Union’s “Directive on measures for a high common level of cybersecurity across the Union”—was adopted in December 2022, it marked a turning point in Europe’s approach to digital resilience. For Belgium, this evolution isn’t just theoretical. It’s legislative, operational, and rapidly becoming very real.
As we move through 2025, Belgium’s response to NIS2 is not only active but also ambitious. The new legislation dramatically expands the scope of regulated entities, redefines responsibilities, and raises the stakes for compliance. For financial institutions, ICT leaders, municipal governments, and medium-sized manufacturers alike, the Belgium NIS2 directive is reshaping how cyber risk is managed and governed.
Let’s dive into the milestones, scope, sanctions, and sectoral impacts that define the Belgium NIS2 implementation, and most importantly, what your organization needs to do about it.
Key takeaways on where Belgium stands with NIS2
The Belgian transposition of NIS2 is more than a legal update—it’s a total overhaul of the country’s cybersecurity governance framework. The Law of 26 April 2024—known colloquially as the NIS2-wet / loi NIS2—replaces the 2019 NIS-1 Act and centralizes implementation under the Centre for Cybersecurity Belgium (CCB).
The CCB functions not only as the national CSIRT (Computer Security Incident Response Team) but also as the principal registry and supervisory authority, supported by sector-specific regulators such as the FSMA (Financial Services and Markets Authority) and BIPT (Belgian Institute for Postal Services and Telecommunications).
To help illustrate the legislative and operational trajectory, the table below captures the timeline for Belgium’s transposition of NIS2.
Belgium’s NIS2 implementation timeline
| Date | Milestone | Status |
| --- | --- | --- |
| 14 Dec 2022 | EU formally adopts NIS2 Directive | Complete ✔︎ |
| 27 Mar 2024 | Draft NIS2 bill approved in Parliament’s Interior Committee | Complete ✔︎ |
| 26 Apr 2024 | NIS2 law adopted and published | Complete ✔︎ |
| 9 Jun 2024 | Royal Decree on incident reporting templates and thresholds | Complete ✔︎ |
| 18 Oct 2024 | Law enters into legal force | Pending |
| Jan 2025 | CCB opens Scope tool & registration portal | Pending |
| 31 Mar 2025 | Final registration deadline for all in-scope entities | Upcoming ⏳ |
| Q3 2025 | Start of formal compliance audits by authorities | Upcoming ⏳ |
A new regulatory framework with broader reach
Unlike its predecessor, the Belgium NIS2 law does not simply tweak definitions. It introduces a radically broader scope. Instead of roughly 1,000 operators, the law now covers between 10,000 and 12,000 entities, spanning 18 sectors. Nearly all medium-sized manufacturers and every municipality with over 50,000 residents are now in scope.
The law classifies organizations into two tiers:
- Essential Entities (EE): ≥ 250 full-time employees or €50 million turnover
- Important Entities (BE): ≥ 50 employees or €10 million turnover
Regardless of size, entities providing cloud, telecoms, DNS, and trust services are always in scope. Importantly, some previously unregulated entities under the Wbni framework are now automatically classified as EE under transitional provisions.
Entity classification thresholds under Belgium’s NIS2 law
| Classification | Employee threshold | Turnover threshold | Special cases |
| --- | --- | --- | --- |
| Essential Entity (EE) | ≥ 250 | ≥ €50 million | Telcos, cloud, DNS always included |
| Important Entity (BE) | ≥ 50 | ≥ €10 million | |
These designations are not just labels—they determine your reporting duties, regulatory scrutiny, and potential sanctions.
Sanctions and liability: compliance is no longer optional
Non-compliance under the Belgium NIS2 directive carries significant financial and reputational risk. The sanctions regime introduced by the law is rigorous and applies graduated enforcement, starting with warnings and ending with fines or even disqualification of directors for repeat failures.
Sanction tiers under the Belgium NIS2 law
| Entity type | Max fine (EUR) | % of global turnover | Additional measures |
| --- | --- | --- | --- |
| Essential Entity | €10 million | 2% | Suspension of certifications, director bans |
| Important Entity | €7 million | 1.4% | Remedial orders, public naming |
| All entities | €0.5–2 million | N/A | For procedural failures or delays |
Public authorities are exempt from fines but remain under the jurisdiction of the CCB for binding directives and audits.
For executives, the stakes are personal. Directors are required to formally approve and monitor their organization’s cybersecurity programs. Repeated negligence can trigger a three-year management ban, making board-level engagement non-negotiable.
Sector-specific impacts: who is most affected?
The NIS2 Belgium transposition has far-reaching implications for multiple sectors. Entities that had previously flown under the radar now face specific obligations—from annual penetration testing to real-time incident notification protocols. Let’s take a closer look.
Sectoral impact of Belgium’s NIS2 law
| Sector | Major changes | New requirements |
| --- | --- | --- |
| Manufacturing | Newly covered (medium manufacturers) | Supplier risk clauses, pen-testing, CyFun “Foundational” controls |
| Energy & utilities | Mid-size DSOs, LNG, hydrogen now included | Continuous monitoring, CREG audits, SBOM exchanges |
| Healthcare | All medium and large hospitals & labs now EE | ISO 27001 governance, KPI reporting, BC/DR drills |
| Digital infrastructure | Covered regardless of size | 24/7 SOC, zero-trust, secure-by-design compliance (ENISA) |
| Finance | Enhanced coordination with DORA | Dual reporting channels (CCB + NBB), TLPT obligations |
| Public sector | Large municipalities, provinces & ministries now EE | CISO appointment, no fines but must comply with CCB mandates |
What Belgian companies should do next
With the law entering into force this October and mandatory registration due by 31 March 2025, the clock is ticking. Companies should immediately take the following actions:
- Run the CCB’s Scope Tool to determine whether you qualify as EE or BE.
- Prepare for registration by gathering your enterprise number, NACE code, and cyber contact details.
- Conduct a gap analysis against Article 21 requirements and the CyFun® Framework, focusing on areas like supply chain risk, multi-factor authentication, and incident response playbooks.
- Build a standard operating procedure for 24-hour, 72-hour, and 30-day incident reporting using CCB templates.
- Brief the board and begin cyber KPI reporting to mitigate liability risks.
These steps are not just good practice—they’re your new legal obligation.
Are you prepared for NIS2 enforcement?
Belgium has not only met the EU deadline for transposing the NIS2 directive—it has done so with an ambitious, structured framework designed to scale cybersecurity across its public and private sectors. The reach of the Belgium NIS2 directive extends far beyond traditional critical infrastructure and touches nearly every mid-sized organization in the country.
With the enforcement clock already ticking, organizations must act now to avoid legal, financial, and operational consequences. From regulatory alignment to executive responsibility, the burden of cybersecurity has officially moved from IT departments to the boardroom.
The path to compliance is clearly marked—what remains is your move.