14/10/24

The implementation of the NIS2 Directive in Belgium: enhancing cybersecurity resilience

On 18 October 2024, the Belgian Act of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (the NIS2 Act) transposing Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the NIS2 Directive) will enter into force. 

The NIS2 Act updates the Belgian Act of 7 April 2019 establishing a framework for cybersecurity in networks and information systems related to public security (the NIS1 Act). A Royal Decree of 9 June 2024 further implements it by appointing the Centre for Cybersecurity Belgium (CCB) as the national cybersecurity authority.

The NIS2 Directive and the Belgian NIS2 Act are major advances in combating cyber threats. Aiming to secure essential service providers from cyber attacks and disruptions, the NIS2 Act enforces stricter security measures like cybersecurity risk management, incident response, supply chain security, and incident reporting. 

By implementing the NIS2 Directive, Belgium faces the task of further strengthening its cybersecurity legal framework and ensuring that both private and public sectors comply with the new requirements.

The key aspects of the Belgian NIS2 Act can be summarized as follows: 

  • Expanded scope of application – The NIS2 Act applies to essential and important entities that (i) provide services referred to in Annex I “Sectors of high criticality” or Annex II “Other critical sectors” of the NIS2 Directive (regardless of their size), (ii) have an active workforce of a minimum of 50 full-time employees and/or an annual turnover that exceeds 10 million euros (medium-sized enterprises) and (iii) are established in Belgium.
    While the original NIS1 Act focused on a limited number of sectors, the NIS2 Act covers a broader range of critical sectors. These include energy, transport, financial services, health, digital infrastructure, and public administration.
    In Belgium, all entities covered by the NIS2 Act must register with the CCB using the Safeonweb@Work portal within five months of the Act's start date. Since it takes effect on 18 October 2024, registration is due by 18 March 2025. Entities in the digital sector (like DNS service providers, cloud computing services, and online marketplaces) have only two months to register, with a deadline of 18 December 2024.
  • Implementation of suitable TOMs – Registered entities are required to put in place appropriate and proportionate technical, operational, and organisational measures (TOMs) to address risks to the security of their networks and IT systems. To achieve this, they must adhere to an “all-hazards” approach. The NIS2 Act specifies eleven (11) minimum TOMs that every NIS2 entity must implement, such as policies on risk analysis and information system security, incident management, supply chain security, and procedures related to cryptography and, where relevant, encryption.
  • Enhancing reporting systems – A key element of the NIS2 Act involves advancing how major cybersecurity incidents are reported and managed. In Belgium, organisations must set up effective internal protocols to adhere to the 24-hour deadline for notifying the CCB about substantial cyber incidents, followed by a detailed final report (outlining the incident's assessment and describing its impact and severity) within one (1) month after the initial notification. Moreover, NIS2 entities are required to inform their clients of such cybersecurity incidents. Complying with this mandate will demand investments in monitoring and incident detection capabilities. 
  • Enhanced accountability and governance for management bodies – The NIS2 Act stresses internal governance. Entities in Belgium must appoint cybersecurity officers and involve their management bodies in cybersecurity risk management. Management members must also undergo cybersecurity training to identify risks and assess risk management practices and their impact on services. This highlights a shift towards greater corporate accountability, recognising cybersecurity as a strategic concern.
  • Supply chain security – NIS2 brings supply chain security into sharper focus. Belgian organisations must evaluate the cybersecurity measures adopted by their suppliers and service providers to reduce third-party risks. This is especially crucial for sectors such as energy and healthcare, where vulnerabilities in the supply chain can lead to severe impacts.
  • Increased enforcement and penalties – The NIS2 Act mandates substantial fines for non-compliance, with administrative penalties potentially reaching up to 10 million euros or 2% of the entity’s global annual revenue from the previous fiscal year. The CCB and sectoral regulators will oversee enforcement efforts to ensure that entities fulfill their obligations under the NIS2 Act.

The enactment of the NIS2 Act in Belgium represents a significant advancement in bolstering the nation's cybersecurity measures amid a rapidly digitising and interconnected landscape. The Act introduces an expanded scope, more stringent cybersecurity requirements, and enhanced enforcement mechanisms, compelling Belgian organisations to elevate their cybersecurity priorities. Although challenges such as compliance and associated costs exist, the enduring benefits of a more secure and resilient cybersecurity infrastructure far exceed these initial obstacles.