
NIS2 fines in Belgium: what you risk as a director

Discover the five NIS2 fine categories in Belgium (up to €10 million) and why directors are now personally liable. Practical overview with deadlines.
A focused business leader attentively studies a document in a modern office, symbolizing the seriousness of personal director liability and the impact of NIS2 fines.

The Belgian NIS2 law has been in effect since Oct. 18, 2024, and contains sanctions that go further than most business owners realize. Fines of up to €10 million, personal director liability and even a temporary board ban: these are not theoretical scenarios, but legally enshrined consequences. In this article you will read what fines the law provides, what you personally risk as a director and how to avoid sanctions.

The five NIS2 fine categories in Belgium

The Belgian NIS2 law (Law of April 26, 2024) uses a tiered penalty system with five categories. Each category has a minimum fine of €500, meaning that even minor violations have financial consequences.

The first category concerns the registration requirement: those who fail to register or register incorrectly with the CCB (Centre for Cybersecurity Belgium) risk a fine of €500 to €125,000. Registration through Safeonweb@Work had to be completed by March 18, 2025, and as early as December 18, 2024 for digital service providers such as cloud providers.

The second and third categories cover reprisals against whistleblowers (€500 to €200,000) and failure to cooperate with CCB oversight (also €500 to €200,000), respectively. The latter is particularly relevant: those who obstruct an inspection or ignore requests for information risk immediate sanctions.

The most severe sanctions affect entities that fail to comply with core obligations around risk management and incident reporting:

Category | Fine range | Applies to
Non-registration with the CCB | €500 to €125,000 | All NIS2 entities
Retaliation against whistleblowers | €500 to €200,000 | All NIS2 entities
Failure to cooperate with supervision | €500 to €200,000 | All NIS2 entities
Non-compliance with security measures | €500 to €7,000,000 or 1.4% of turnover | Important entities
Non-compliance with security measures | €500 to €10,000,000 or 2% of turnover | Essential entities

Important detail: when calculating turnover, the entire group turnover can count when several companies form a single economic unit. For repeated violations within three years, the fine is doubled.

Two exceptions apply. Government entities in the “public services” sector receive binding instructions instead of fines (a public hospital, however, can be fined). Banking and financial institutions fall under DORA instead of NIS2.

Directors’ liability: the real game changer

The most profound difference from the GDPR is in Article 31 of Belgium’s NIS2 law. Whereas GDPR fines affect only the organization, NIS2 makes directors personally liable for cybersecurity negligence for the first time.

Article 31 imposes four concrete obligations on the governing body. First: approve cybersecurity risk management measures. Second: oversee their implementation. Third: be liable for breaches by the entity. And fourth, perhaps the most salient obligation: directors must attend mandatory cybersecurity training to identify and assess risks.

The law deliberately defines “member of a governing body” broadly. According to the explanatory memorandum, it includes any person authorized to manage, make decisions or exercise control over the entity. This means that de facto directors and controlling shareholders can also be caught by the definition, not just the formal board of directors. Control is determined in accordance with Articles 1:14 to 1:18 of the Companies and Associations Code (CCC).

Article 61 adds another layer: natural persons in charge of an essential or important entity are personally liable for violations. For essential entities, the CCB can also impose a temporary ban on holding directorships. That is a measure with no equivalent in the GDPR.

The entry into force of Book 6 of the new Civil Code on Jan. 1, 2025 reinforces this exposure. The quasi-immunity of directors against third parties has been abolished, meaning that third parties can now sue directors directly for extra-contractual liability for cybersecurity negligence.

What violations result in NIS2 fines?

For Flemish business owners, it is essential to understand what specific actions (or failure to act) result in sanctions. Belgian law identifies five key areas.

Failure to register with the CCB is the most obvious offense (fine up to €125,000). Any entity covered by NIS2 must register through Safeonweb@Work.

Non-compliance with the 11 mandatory security measures is at the heart of the obligations. Think of risk assessment policies, incident handling, business continuity, supply chain security and multi-factor authentication. These are the measures that the CyberFundamentals framework (CyFun) fleshes out. Not sure which framework is right for your organization? In our article on the CyberFundamentals framework, you can read how CyFun translates the NIS2 obligations into concrete steps.

Failure to report incidents is also an independent offense. NIS2 follows a five-step protocol: an early warning within 24 hours, a full incident report within 72 hours and a final report within one month. Does your company ever find itself in a crisis situation? In our roadmap “Company hacked: the first 7 steps” you can read what to do immediately.

Failure to cooperate with supervision by the CCB (inspection, request for information) carries a fine of up to €200,000. And failure to comply with director obligations (no approval of measures, no supervision, no training) can result in personal liability and a temporary board ban.

How does the CCB enforce in practice?

The CCB is the national regulator for NIS2 in Belgium. It makes an important distinction between two types of entities.

Essential entities are under both ex ante and ex post supervision: they must be able to demonstrate compliance at all times, through periodic compliance reviews. Important entities are under ex post supervision only: the CCB intervenes only after an incident or after indications of non-compliance.

The inspection service of the CCB has broad powers: on-site inspections, remote checks, ad hoc audits, security scans and requests for information. The sanction procedure provides safeguards: the CCB informs the entity of the intended sanction and gives it the opportunity to defend itself.

In practice, the CCB has not imposed any NIS2 fines to date (March 2026). The approach so far has been constructive and supportive. But that transition period is nearing its end. Between October 2024 and September 2025, the CCB received 279 incident reports from NIS2 entities: the average number of monthly reports increased from about 25 to 45. By the end of 2025, about 1,500 essential and 2,500 important entities had been registered.

The next crucial deadline is April 18, 2026: by that date, essential NIS2 entities must submit their CyFun self-assessment or ISO 27001 documentation to the CCB. A progress report should follow by April 2027.

NIS2 vs. GDPR: why the comparison shakes up business owners

Many executives already know GDPR enforcement. The comparison with NIS2 is illuminating. The Belgian Data Protection Authority (GBA) has built a relatively modest track record since 2018. The highest fine that has been upheld is €250,000 (IAB Europe, 2022). In 2024, the GBA imposed a €200,000 fine on a hospital following a ransomware attack: the first Belgian GDPR case specifically targeting insufficient cybersecurity measures. In our article on the GBA Strategic Plan 2026, you can read how the GBA is tightening its enforcement.

The fundamental difference: under the GDPR, the regulation itself contains no specific provisions on personal director liability. Fines hit the organization. NIS2 breaks that pattern: it makes governing bodies explicitly and directly liable, imposes a training obligation, and provides for a board ban as the ultimate sanction.

Aspect | GDPR | NIS2
Maximum fine | €20 million or 4% of turnover | €10 million or 2% of turnover
Fine hits | The organization | The organization and the director
Personal liability | Not explicit in the regulation | Explicit in Articles 31 and 61
Director training requirement | No | Yes, mandatory
Board ban | No | Yes, for essential entities
Belgian enforcement to date | Modest (highest: €250,000) | No fines imposed yet

How do you avoid NIS2 penalties?

The most effective protection against NIS2 sanctions is to be proactive. A practical roadmap:

  1. Check your registration with the CCB via Safeonweb@Work. Not yet registered? Do so immediately, as non-registration is the easiest violation to establish.
  2. Have a gap analysis performed. A cybersecurity audit maps out where your organization stands in relation to the NIS2 obligations and provides a concrete roadmap with priorities.
  3. Choose your compliance framework: CyFun or ISO 27001. The majority of Belgian organizations choose CyFun. Read our comparison article to find out which framework best suits your organization.
  4. Schedule the conformity assessment well in advance of the April 18, 2026 deadline. A journey from zero to assessment typically takes 3 to 6 months.
  5. Follow cybersecurity training as a director. This is not a recommendation but a legal requirement.

Flemish SMEs can use VLAIO subsidies for the guidance path: up to 50% subsidy through the cybersecurity improvement path.

Want to know where your business stands? Book an introduction and find out how to become NIS2-compliant with no headaches.

Frequently asked questions about NIS2 fines in Belgium

What are the maximum NIS2 fines in Belgium?

Essential entities risk fines of up to €10 million or 2% of annual global turnover (whichever is higher). Important entities risk up to €7 million or 1.4% of turnover. For repeated violations within three years, the fine is doubled.

As a director, can I be personally fined under NIS2?

Yes. Articles 31 and 61 of the Belgian NIS2 law explicitly provide for personal liability for members of the governing body. In the case of essential entities, the CCB can even impose a temporary ban on holding management positions.

Have NIS2 fines already been imposed in Belgium?

No. As of March 2026, the CCB has not yet imposed any NIS2 fines. The regulator is taking a supportive approach for now, but the legal framework is fully operational and the first compliance deadline (April 18, 2026) is fast approaching.

What is the difference between NIS2 fines and GDPR fines?

The main difference is the personal dimension. Under the GDPR, fines affect only the organization. NIS2 makes directors personally liable, imposes training obligations on them, and provides for a board ban. The maximum NIS2 fine (€10 million or 2% turnover) is lower than the GDPR (€20 million or 4%), but the impact on directors is greater.

When is the next NIS2 deadline?

The next critical deadline is April 18, 2026. By that date, essential NIS2 entities must submit their CyFun self-assessment or ISO 27001 documentation to the CCB. A progress report will follow by April 2027.

Do I have to take cybersecurity training as a director?

Yes, this is a legal requirement under Article 31 of the Belgian NIS2 law. Members of the governing body must have sufficient knowledge and skills to identify cybersecurity risks and assess risk management practices.