
    NIS2 in Belgium

    A guide to NIS2 implementation and compliance in Belgium.

    Belgium has implemented the NIS2 Directive through updated national cybersecurity legislation, reinforcing obligations for entities operating in critical and important sectors. This guide provides a structured overview of scope, governance, reporting, enforcement, and compliance expectations under Belgium's national framework, tailored for SME decision-makers navigating NIS2 compliance requirements in Belgium.

    1. Quick SME Applicability Snapshot in Belgium

    Does NIS2 apply to SMEs in Belgium?

    Yes — depending on size and sector.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Belgium and, in certain circumstances, foreign digital providers offering services in Belgium.

    SMEs should assess qualification early under Belgium's NIS2 framework to determine compliance exposure.

    2. Overview of NIS2 Implementation in Belgium

    Belgium transposed the Directive through the Law of 26 April 2024 establishing a framework for the security of network and information systems of general interest for public security, replacing and expanding the earlier cybersecurity regime.

    The law was adopted in 2024 and aligns Belgium's national cybersecurity regime with Directive (EU) 2022/2555. It strengthens governance obligations, expands sector coverage, and introduces updated supervisory mechanisms.

    Belgium's NIS2 implementation follows the Directive baseline structure for entity classification, risk management, and sanctions. Certain procedural aspects reflect Belgium's established regulatory architecture.

    As of the current transposition status, Belgium follows the NIS2 Directive baseline framework. National implementing details may refine specific obligations.

    3. Scope of Application in Belgium

    Belgium does not materially expand sector scope beyond Directive minimum categories at this stage.

    4. Size Thresholds and SME Applicability in Belgium

    The Directive baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria in covered sectors are automatically within scope.

    Small and micro enterprises may be included if designated by competent authorities based on critical importance, public security considerations, or systemic relevance.

    Belgian authorities retain designation powers where justified by risk or national interest.

    5. Entity Classification Framework in Belgium

    Entities are classified as:

    • Essential Entities — Subject to proactive supervision, including inspections and compliance audits.
    • Important Entities — Subject primarily to reactive supervision, triggered by incidents or evidence of non-compliance.

    Classification is automatic based on sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

    Belgium's classification model mirrors the Directive structure without structural deviation.

    6. Cybersecurity Risk Management Requirements in Belgium

    Belgium's regime aligns with the Directive baseline for cybersecurity obligations. In-scope entities must implement appropriate and proportionate measures addressing:

    • Risk analysis and information system security
    • Incident detection and handling
    • Business continuity and crisis management
    • Supply chain risk controls
    • Secure acquisition and development of ICT systems
    • Access control and authentication policies
    • Encryption and cryptography strategies
    • Vulnerability handling and disclosure
    • Staff cybersecurity awareness and training

    Security measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and recognized Belgian cybersecurity guidance is encouraged.

    Supply chain risk management includes contractual safeguards and monitoring of third-party ICT providers.

    7. Management Liability and Governance in Belgium

    Management bodies must formally approve cybersecurity risk management measures and oversee their implementation.

    Under Belgium's framework:

    • Boards bear accountability for compliance.
    • Senior management must ensure adequate cybersecurity expertise.
    • Authorities may impose administrative measures for failures in governance.
    • Temporary suspension of managerial functions may be available under Directive-aligned enforcement tools.

    Belgium's NIS2 management liability standards elevate cybersecurity to a board-level compliance responsibility.

    8. Incident Reporting Obligations in Belgium

    Definition of a Significant Incident

    An incident qualifies as significant where it results in:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border consequences

    Reporting Timeline

    Reporting Stage       | Deadline | Authority
    Early Warning         | 24 hours | Centre for Cybersecurity Belgium (CCB)
    Incident Notification | 72 hours | Centre for Cybersecurity Belgium (CCB)
    Final Report          | 1 month  | Centre for Cybersecurity Belgium (CCB)

    Belgium follows the Directive structure for NIS2 reporting deadlines. Belgium's sectoral regulators may coordinate with the CCB where relevant.

    9. Supervisory Authorities and Enforcement Model in Belgium

    Primary authority: Centre for Cybersecurity Belgium (CCB).

    Belgium operates a centralized coordination model, with sectoral regulators contributing supervisory functions where applicable.

    Supervisory powers include:

    • Requests for information
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cooperation mechanisms

    Belgium's enforcement model integrates with EU-level cybersecurity coordination bodies.

    10. NIS2 Fines and Sanctions in Belgium

    Belgium applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    NIS2 enforcement in Belgium may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of certification or authorization
    • Managerial suspension powers

    11. NIS2 Supply Chain and Vendor Security in Belgium

    Entities must manage third-party cybersecurity risk through:

    • Vendor due diligence processes
    • Contractual security clauses
    • Continuous monitoring of ICT suppliers
    • Concentration risk analysis
    • Incident propagation risk controls

    Belgium's approach aligns with the Directive baseline, emphasizing proportionate oversight of external service providers.

    12. Registration and Self-Identification Duties in Belgium

    Entities within scope must:

    • Register with competent authorities
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain up-to-date contact information

    Deadlines and procedural mechanics are defined under Belgium's implementing framework.

    Self-identification is mandatory for entities meeting statutory thresholds.

    13. Interaction With GDPR and Other Laws in Belgium

    The General Data Protection Regulation continues to apply alongside NIS2.

    Overlap considerations include:

    • Dual incident reporting obligations
    • Supervisory authority coordination
    • 72-hour personal data breach notifications
    • Sector-specific Belgian cybersecurity legislation

    Incidents affecting both system resilience and personal data may trigger parallel compliance duties.

    14. Cross-Border Applicability

    Entities with their main establishment in Belgium fall under Belgian supervisory authority for cross-border services.

    Foreign digital providers offering services into Belgium may be subject to national obligations depending on establishment and service model.

    Representation requirements follow Directive standards for non-EU providers serving Belgian markets.

    15. Implementation Timeline in Belgium

    • Directive adoption: 2022
    • National law adoption: 2024
    • Entry into force: Following national publication
    • Commission notification: In alignment with EU procedures
    • Compliance milestone: Directive-aligned deadlines

    Belgium's legislative timeline adheres to the EU transposition schedule without publicly announced extended transitional periods.

    16. Key Takeaways for SMEs in Belgium

    • Medium-sized entities in covered sectors are automatically within scope.
    • Small entities may be designated based on risk or criticality.
    • Board-level oversight is mandatory.
    • Incident reporting follows a 24h / 72h / 1 month structure.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor risk management is a core obligation.
    • Early compliance planning reduces enforcement exposure.

    FAQ: NIS2 Belgium SME Guide

    Does NIS2 apply to small companies in Belgium?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically included.

    What are the NIS2 fines in Belgium?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Belgium?

    Belgium adopted implementing legislation in 2024. Entry into force follows national publication and EU notification procedures.

    Who enforces NIS2 in Belgium?

    The Centre for Cybersecurity Belgium (CCB) serves as the primary coordinating supervisory authority, supported by sector regulators where applicable.

    Can directors be personally liable under NIS2 in Belgium?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Belgium?

    NIS2 governs cybersecurity risk management and operational resilience. GDPR focuses on personal data protection. Both may apply simultaneously following a cyber incident.

    What qualifies as a significant incident under NIS2 in Belgium?

    An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.