NIS2 Belgium: Compliance, Authorities & Key Requirements
Learn how Belgium implements the NIS2 Directive: which sectors and entities are covered, how registration works via Safeonweb@Work, and what steps organisations must take to prepare for compliance.
Introduction
Belgium has implemented NIS2 by adopting a new cybersecurity law and a royal decree. Entities operating essential or important services must comply with enhanced cybersecurity, risk management, and reporting requirements, and must register with the national authority within the prescribed deadlines.
NIS2 implementation in Belgium
Belgium transposed NIS2 via the Act of 26 April 2024 and the Royal Decree of 9 June 2024. The law entered into force on 18 October 2024. Registration is handled through Safeonweb@Work, with most entities registering by 18 March 2025 and digital-sector entities by 18 December 2024.
Status
In force since 18 Oct 2024.
Official info
CCB — NIS2 · Safeonweb@Work — NIS2 Law · NIS2 Quickstart (7 steps)
Registration
Register via Safeonweb@Work. Deadlines: 18 Dec 2024 (digital sector) and 18 Mar 2025 (others).
| Sector | Belgium note |
|---|---|
| Electronic communications & digital infrastructures | BIPT designated as competent authority for this sector (registration still via Safeonweb@Work). |
| Finance | NBB and FSMA are the primary supervisors (notably for DORA) and cooperate with the CCB on NIS2 where relevant. |
| All other sectors | The Centre for Cybersecurity Belgium (CCB) acts as national competent authority/CSIRT/SPOC, coordinating with sectoral bodies as needed. |
What you need to know about compliance & certification
Belgium follows the NIS2 two-tier model (Essential / Important) and Article 21 risk-management measures.
Scope criteria
- Provide a service in Annex I or II and meet size thresholds (≥50 employees or ≥€10m).
- Established in Belgium or provide relevant services on Belgian territory.
Obligations
- Risk management & security policy
- Incident handling & reporting (CCB channels)
- Business continuity & crisis management
- Supply-chain security & vendor risk
- Access control, segmentation, encryption
- Executive/board accountability & training
Standards & alignment
Map controls to ISO/IEC 27001:2023, NIST CSF 2.0, and ENISA guidance as appropriate.
National NIS2 timeline & key dates
Sector-specific requirements (Belgium)
- Electronic communications: BIPT supervises under the NIS2 law for this sector (registration via Safeonweb@Work still required).
- Finance: DORA obligations overseen by NBB/FSMA; align with NIS2 risk-management and incident duties.
- All others: CCB acts as competent authority and CSIRT; use CCB guides and portals.
Penalties for non-compliance
Belgian law provides supervisory powers and sanctions aligned with NIS2’s turnover-based caps. The CCB coordinates supervision; sectoral regulators may support enforcement in their domains.
How to prepare for NIS2 in Belgium
- Determine scope: confirm Annex I/II services and size thresholds; classify EE/IE.
- Register: submit details on Safeonweb@Work by your deadline.
- Governance: board accountability for cybersecurity.
- Risk management: align with ISO 27001 / NIST CSF; map to ENISA guidance.
- Supply chain: assess providers; set contractual security requirements.
- Incident readiness: follow the CCB notification guide; test 24/7 escalation.
- Continuity & crisis: document BCP/DR; exercise regularly.
- Train & prove: management training, staff awareness, evidence.