Belgium was one of the first EU member states to fully implement NIS2. The Belgian NIS2 Law of 26 April 2024 entered into force on 18 October 2024. The Centre for Cybersecurity Belgium (CCB) is now actively supervising essential entities. If you haven't completed your CCB registration and CyberFundamentals (CyFun®) assessment, your obligations are already overdue.
CCB registration deadline passed. In-scope entities had to self-register with the CCB by 18 March 2025 (digital infrastructure providers: 18 December 2024). If you have not registered, this is now an enforcement risk in itself. Registration is via the CCB Safeonweb@Work portal — we fast-track registration and gap analysis simultaneously.
NIS2 in Belgium — at a glance
Belgium transposed NIS2 through the Law of 26 April 2024, supervised by the Centre for Cybersecurity Belgium (CCB) and anchored to its CyberFundamentals (CyFun®) framework. Here is what defines your obligations.
| Status | In force since 18 October 2024 — one of the first EU states with full effect |
| National law | Belgian NIS2 Law of 26 April 2024 (transposing Directive (EU) 2022/2555) |
| Competent authority | CCB — Centre for Cybersecurity Belgium & national CSIRT (ccb.belgium.be) |
| Registration deadline | 18 March 2025 — already passed (digital infrastructure: 18 December 2024), via the Safeonweb@Work portal |
| Compliance framework | CyberFundamentals (CyFun®) or ISO 27001, recognised by the CCB as proof of NIS2 compliance |
| Entity categories | Essential entities & important entities |
| Maximum fines | Up to €10M or 2% of global turnover (essential); €7M or 1.4% (important) |
Belgian NIS2 implementation
Belgium built a structured compliance architecture around NIS2 — more prescriptive than most EU member states. These are the distinguishing obligations the CCB enforces.
The Centre for Cybersecurity Belgium is the national cybersecurity authority and national CSIRT. It conducts proactive compliance assessments of essential entities and oversees registration via the Safeonweb@Work portal at ccb.belgium.be.
Belgium's distinctive contribution: the CCB recognises its own CyberFundamentals framework and ISO 27001 as the reference frameworks for proving NIS2 compliance. CyFun® has four assurance levels mapped to NIS2 obligations — essential entities must reach CyFun Essential or higher.
All in-scope entities must self-register with the CCB through the Safeonweb@Work portal. The general deadline was 18 March 2025; digital infrastructure providers had 18 December 2024. Missed deadlines expose organisations to immediate enforcement risk.
Essential entities must undergo CCB-conducted audits or conformity assessment body audits. Important entities can rely on self-assessment using the CyFun® reference framework. This tiered approach gives organisations more flexibility than many other EU implementations.
Belgium is one of the few EU countries to mandate a coordinated vulnerability disclosure policy under NIS2. In-scope entities must create and publish a formal policy for responsible disclosure of security vulnerabilities — a requirement often overlooked.
Brussels hosts the EU institutions, NATO headquarters and the European offices of hundreds of multinationals. The density of organisations directly in NIS2 scope, or sitting in EU supply chains, is exceptionally high in Belgium.
CyberFundamentals · CyFun®
In Belgium, demonstrating NIS2 compliance means demonstrating the right CyFun® assurance level. Developed and recognised by the CCB, CyberFundamentals maps NIS2 Article 21 obligations to four levels of cyber maturity — and essential entities cannot stop at the basics.
The Basic level covers essential cyber hygiene controls drawn from CIS Controls and international standards. It is the entry point for smaller organisations but is generally insufficient on its own for entities formally in NIS2 scope.
The Important level adds structured risk management, detection and response capability. It is a realistic target for important entities, which may rely on self-assessment against the CyFun® reference framework using the CCB's published toolkit.
Essential entities must reach CyFun Essential as a minimum, with the highest-impact operators targeting Critical. At these levels the CCB expects independently verified audits — by the CCB itself or an accredited conformity assessment body.
Already ISO 27001 certified? The CCB recognises ISO 27001 alongside CyFun®, and the CyFun® framework publishes mappings to ISO 27001 and the NIST CSF. We translate your existing ISMS into your required CyFun® level and register you with the CCB via Safeonweb@Work.
Webristle is a full cybersecurity agency, not only a compliance advisor. Beyond the NIS2 gap analysis and reports, our engineers deliver the security work the Directive actually requires: system hardening, MFA and identity governance, encryption and PKI, network segmentation, EDR and 24/7 monitoring, backup and disaster recovery, penetration testing and incident response. One team takes you from assessment to a fully implemented, audit-ready and resilient infrastructure.
Article 21 NIS2 · Belgian NIS2 Law
These are the controls the CCB assesses during compliance reviews. CyFun® maps them to four maturity levels — essential entities must reach Essential level across all controls and document the evidence.
Formal threat assessment, Business Impact Analysis and board-approved risk appetite, documented and reviewed periodically and whenever significant changes occur.
Detection and classification procedures plus CCB reporting: 24h early warning, 72h full notification, 30-day final report — through the CCB's reporting channels.
Continuity plans, tested disaster recovery, backup management and crisis management with documented RTO and RPO targets approved at board level.
Security assessment of critical suppliers, NIS2-compliant contractual clauses and continuous monitoring — particularly relevant given Belgium's dense EU supply-chain exposure.
Structured vulnerability management, penetration testing, patch management and infrastructure hardening, evidenced against your target CyFun® level.
Policies and procedures to test the effectiveness of risk-management measures, including CCB audits, conformity assessment body reviews and red-team exercises.
Zero-trust architecture, mandatory MFA on critical systems, IAM governance and Privileged Access Management, with least-privilege principles documented and enforced.
Awareness programmes, secure onboarding/offboarding and insider-risk management. Under the Belgian NIS2 Law, management must receive documented, auditable periodic training.
Systematic patch management, asset inventory, endpoint security and BYOD policies — plus Belgium's mandatory coordinated vulnerability disclosure policy.
Encryption of data at rest and in transit as a minimum standard, key and certificate lifecycle management and digital signatures compliant with EU standards.
How we work
A structured four-phase process with clear deliverables at each stage. We work alongside your team to minimise operational disruption.
We confirm your classification (essential vs important), determine your required CyFun® level and support CCB registration via Safeonweb@Work if not yet done.
Technical-organisational assessment mapped to CyberFundamentals and NIS2 Article 21, against your existing controls (ISO 27001). Delivered within 5 working days.
Prioritised plan aligned to your required CyFun® level. CCB enforcement-risk and registration gaps first, with the vulnerability disclosure policy included.
Technical hardening, policy documentation, management training and CyFun® evidence gathering during CCB audits or conformity assessment body reviews.
Start today
The gap analysis is the mandatory starting point. In 5 working days you will have a precise picture of your position against the Belgian NIS2 Law and your required CyberFundamentals level.
Our senior consultants will respond within 48 hours with a free preliminary assessment of your Belgian NIS2 and CyFun® exposure.
No commitment · Response in 48h · Trusted by 80+ companies across Europe
Belgium has had NIS2 in full effect since October 2024. Free gap analysis in 48 hours — we assess your CCB exposure, map gaps to your required CyberFundamentals level, support your registration and give you a clear remediation roadmap.