The clock is ticking. On April 18, 2026, essential entities under Belgium’s NIS2 law must have completed their first compliance assessment. This is no longer a theoretical obligation: the Center for Cybersecurity Belgium (CCB) expects concrete proof that your organization complies with the required security measures. In this article, we explain exactly what that assessment entails, how the process works and what steps you can take today.
What is an NIS2 conformity assessment?
A conformity assessment is the formal, external verification or certification that demonstrates your organization’s compliance with NIS2 security requirements. It is emphatically not a self-assessment. An independent conformity assessment body (CAB), accredited by BELAC and authorized by the CCB, conducts the assessment.
Important to understand: the NIS2 Act went into effect on Oct. 18, 2024. Since then, you have been legally required to implement security measures. The April 18, 2026 deadline is not about “becoming compliant,” but about proving that you already are.
There are two routes for that assessment. The first is the CyberFundamentals framework (CyFun), developed by the CCB. The second is ISO 27001 certification. Both are recognized equally. In practice, about 75% of registered entities choose CyFun. You can read more about the comparison between the two frameworks in our article on ISO 27001 or CyberFundamentals.
What deadline applies to your organization?
Not every organization has the same obligations. The Belgian NIS2 law makes a fundamental distinction between essential and important entities, and that has direct implications for your conformity assessment.
Essential entities (large organizations in sectors such as energy, transportation, healthcare and digital infrastructure) are subject to mandatory, regular oversight. They must complete a conformity assessment by April 18, 2026. Specifically:
- Are you opting for CyFun? Then you must be able to present at least a Basic or Important verification.
- Do you opt for ISO 27001? Then you must submit your scope, Statement of Applicability (SoA) and most recent internal audit to the CCB.
The next step will follow on April 18, 2027. By that date, Essential entities that chose CyFun must have reached their target level. That means: an Important certification if you were on Basic in 2026, or full Essential certification.
Important entities (medium-sized organizations in critical or less critical sectors) are subject to retrospective supervision. They are not required to undergo a conformity assessment, but may do so voluntarily. Those who do so receive a presumption of conformity. All other NIS2 obligations, including security measures and incident reporting, do apply as of Oct. 18, 2024.
Unsure if your organization is classified as essential or important? The CCB offers an NIS2 Scope Test Tool through the Safeonweb@Work portal. An overview of all NIS2 obligations can be found in our complete NIS2 Guide.
What is the assessment process like through CyFun?
The CyberFundamentals framework has three levels, each with its own assessment type. By the April 2026 deadline, the Basic or Important level is relevant to most organizations.
Basic and Important: verification (ISO/IEC 17029)
These levels involve verification. An approved CAB verifies that your self-assessment is substantively correct. The process involves six steps:
- You complete the official CyFun self-assessment tool (an Excel tool from the CCB). In it, you score each security measure on documentation maturity and implementation maturity, each on a scale of 1 to 5.
- You select an accredited CAB and enter into an agreement.
- The CAB conducts a full verification. This includes documentation review and an on-site visit. Minimum of 1.5 man-days, including at least 1 day (8 hours) on-site.
- An independent reviewer within the CAB assesses the findings.
- The CAB issues a verification statement.
- You submit the verified self-assessment and verification statement to the CCB via Safeonweb@Work. The CCB reviews the file and awards a CyFun label with QR code.
Thresholds vary by level. For Basic, you must average 2.5 out of 5, with each of the 13 key measures at least at 2.5. For Important, the bar is 3.0 out of 5, with 21 key measures. You can read more about the CyFun framework in our article on the CyberFundamentals framework.
Essential: certification (ISO/IEC 17021-1)
The Essential level is fundamentally different. It involves a management system certification, similar to an ISO 27001 audit. That process includes a Stage 1 audit (documentation review), a Stage 2 audit (on-site implementation review), annual surveillance audits and recertification every three years. The threshold is an average of 3.5 out of 5. This level is not mandatory until April 2027 for essential entities.
Who are the recognized assessment bodies?
This is one of the most frequently asked questions, and the answer is sobering: currently, only two CABs are officially accredited by BELAC for CyFun verifications.
Brand Compliance Belgium was the first to receive BELAC accreditation on September 4, 2025. They are accredited for Basic and Important verifications under ISO/IEC 17029.
What a Work SRL (through their Trust CHECK division) followed as the second accredited CAB. They operate out of Wallonia and conduct audits in Dutch, French and English.
Both CABs cover Basic and Important verifications only. No CAB is currently accredited for Essential certifications. The CCB expects the accreditation process for additional CABs to be fully completed “around April 2026,” but concrete figures are lacking.
In addition, organizations can opt for the ISO 27001 route. Several accredited certification bodies are available for this in Belgium.
The CCB publishes a current list of authorized and accredited CABs on the Safeonweb@Work CAB page.
Why starting now is essential
The timing is tight. The latest figures from the CCB (February 2026) show about 1,574 essential entities registered. Three-quarters of those chose CyFun. That means over 1,100 organizations need CyFun verification, while only two accredited CABs are operational.
Johan Klykens, director of NCCA at the CCB, indicated in January 2026 that the CCB expects sufficient capacity by April 2026. But in practice, a full verification takes at least 1.5 man-days per organization, not including planning and reporting. Those who start late risk ending up in the queue.
In addition, you need time to prepare for the assessment process. A realistic time frame from self-assessment to verification is three to six months, depending on your starting position. Organizations that have not completed a CyFun self-assessment by today are in the danger zone.
What if you don’t meet the deadline?
Belgium’s NIS2 law provides for stiff penalties. Essential entities risk fines of up to 10 million euros or 2% of annual global turnover. Important entities risk fines of up to 7 million euros or 1.4%. Repeated violations within three years can double those amounts.
But financial penalties are not the only risk. Directors can be held personally liable for negligence. The law explicitly requires the governing body to approve cybersecurity measures and oversee implementation. We will publish an in-depth analysis of NIS2 fines and director liability in a separate article soon.
For now, the CCB is taking a cooperative, educational approach. No sanctions were imposed in the first 15 months. But that policy may change as deadlines pass.
How Cyberplan helps with your conformity assessment
A compliance assessment does not start with the CAB, but with a clear picture of your current level of security. Cyberplan supports organizations in preparing for the NIS2 compliance assessment through a cybersecurity audit: a thorough analysis of your IT security that serves as a practical gap analysis. Based on this, you will know exactly where you stand in relation to the CyFun framework and which measures are still missing.
That preparation can also be subsidized. Through the VLAIO cybersecurity improvement program, you can receive up to 50% subsidy on a guided implementation path.
Want to know where your organization stands? Book a no-obligation meeting and together we will map out the steps you still need to take before April 18, 2026.
Frequently asked questions about the NIS2 conformity assessment
What is the difference between verification and certification at CyFun?
A verification applies to the Basic and Important levels and confirms whether your self-assessment is substantively correct. It is a snapshot in time. A certification applies to the Essential level and assesses whether your management system is structurally capable of ensuring cybersecurity. A certification also includes annual surveillance audits.
How much does a CyFun conformity assessment cost?
The cost depends on the size of your organization and the CyFun level chosen. A full verification takes a minimum of 1.5 man-days. Exact prices vary by CAB. Contact an accredited CAB for a quote. The preliminary audit can be subsidized through the VLAIO cybersecurity improvement program.
Does my company have to be at the Essential level by April 18, 2026?
No. The April 2026 deadline requires at least Basic or Important verification for Essential entities. The Essential level (with full certification) is not required until April 18, 2027.
What if there is no CAB available for my assessment?
In addition to the two accredited CyFun-CABs, you can choose the ISO 27001 route, for which more certification bodies are available. You can also choose direct inspection by the CCB as an alternative path.
Is a self-assessment sufficient to comply with NIS2?
No. A self-assessment is a mandatory first step, but does not replace formal conformity assessment. Essential entities must undergo external verification or certification by an accredited CAB. For important entities a self-assessment may suffice, but they will be audited in case of incidents.
Where can I find the official CyFun self-assessment tool?
The CCB offers the self-assessment tool for free through the CyberFundamentals Toolbox on Safeonweb@Work: atwork.safeonweb.be/cyberfundamentals-toolbox. There you will also find the selection tool to determine your appropriate CyFun level.