Belgium is one of the few EU member states that transposed the NIS2 directive into national law on time. While countries like the Netherlands, France and Germany are still struggling with their implementation, Belgium’s cyber law has been in effect since Oct. 18, 2024. That sounds like good news, and it is. But it also means the clock is ticking: the first verification deadline for NIS2 compliance falls on April 18, 2026.
Meanwhile, Belgian organizations are attacked an average of 1,925 times per week. The CCB (Center for Cybersecurity Belgium) received as many as 352 incident reports in 2024, nearly four times as many as in 2022. And according to the VLAIO Barometer, 45.8% of Flemish companies were victims of a cyber attack in 2024.
NIS2 is not an abstract European rule. It is the new reality for thousands of Flemish companies. In this guide, you will read exactly what the law means, whether your company is covered by it, what measures you need to take and how you can take advantage of the available Flemish subsidies.
What is the NIS2 directive and why is it important for Belgium?
NIS2 stands for Network and Information Security Directive 2. It is the successor to the original 2016 NIS directive and sets significantly more stringent cyber security requirements for organizations in critical sectors. Belgium transposed this European directive through the law of April 26, 2024, which came into full effect on Oct. 18, 2024.
Key shifts from NIS1:
- The number of regulated sectors increased from 6 to 18, now including manufacturing, food and waste management.
- Identification is no longer done by the government on a company-by-company basis, but automatically by size and sector.
- There is a strict reporting requirement: an initial warning within 24 hours, a detailed report within 72 hours and a final report within 1 month.
- Directors are now personally liable for compliance with cybersecurity measures.
- The maximum fines increase to 10 million euros or 2% of global turnover for essential entities.
The Center for Cybersecurity Belgium (CCB) acts as the national regulator and coordinates implementation through the CyberFundamentals framework.
Does your company fall under the Belgian NIS2 law?
The Belgian NIS2 law uses two criteria to determine whether your organization falls within the scope: the sector in which you operate and the size of your company.
Scope rule: In principle, your organization falls under NIS2 if you have at least 50 employees, or an annual turnover or balance sheet total of more than 10 million euros, and operate in one of the regulated sectors.
The law distinguishes two categories of sectors:
Sectors of very high importance (Annex I) include energy, transportation, banking, healthcare, drinking water, digital infrastructure, ICT services (B2B) and government.
Other critical sectors (Annex II) include postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research organizations.
Based on your sector and size, your company is classified as an essential entity (large companies in Annex I sectors) or an important (significant) entity (medium-sized companies in Annex I, or large companies in Annex II). Essential entities receive proactive oversight through inspections and audits. Important entities are generally audited only after an incident or indications of non-compliance.
About 1,500 essential and 2,500 significant entities are currently registered with the CCB in Belgium.
Note that even if your company itself is not covered by NIS2, you may be indirectly affected. The law requires NIS2 entities to assess the cyber security of their suppliers. If you supply to an NIS2-regulated company, that company may impose security requirements on you.
Not sure if you are an essential or significant entity? Find out in this guide.
Ten measures your company should take
At the heart of NIS2 is the duty of care: your organization must take appropriate technical, operational and organizational measures. The law specifies ten areas that must be covered as a minimum.
1. Risk analysis and information security policy
A formally approved policy that describes how risks are identified and addressed.
2. Incident handling
Documented processes for detection, response and recovery from cyber incidents, including collaboration with the CCB.
3. Business continuity and crisis management
Plan for backup management, disaster recovery and crisis communications so that your core business continues in the event of an attack.
4. Supply chain security
Assess the security practices of your suppliers and service providers. This is one of the most impactful obligations.
5. Secure procurement, development and maintenance
Network and information systems should be designed securely, including vulnerability management.
6. Regular assessment and testing
Testing the effectiveness of your measures through penetration tests and vulnerability scans.
7. Cyber hygiene and training
Basic hygiene such as patching and strong passwords, and regular awareness training for all employees, including management.
8. Cryptography and encryption
Protection of sensitive data both in transit and at rest.
9. Personnel and access management
Strict identity and access management (IAM) based on the “least privilege” principle.
10. Multi-factor authentication (MFA)
Required for access to critical systems and for external personnel.
CyberFundamentals: the Belgian compass for NIS2 compliance
To make the NIS2 requirements concrete and workable, the CCB has developed the CyberFundamentals framework (CyFun). This framework translates international standards such as NIST CSF 2.0, ISO 27001 and CIS Controls into a practical, layered approach specifically tailored to the Belgian market.
CyFun works with three levels of assurance, each tailored to your organization’s risks and resources:
- Basic: essential controls for basic cyber hygiene. The minimum level every business should strive for.
- Important: more comprehensive protection against targeted cyber attacks using common means.
- Essential: the highest level, designed to resist advanced attacks by specialized actors.
In late 2025, the CCB launched CyFun 2025, an updated version that includes a strengthened focus on OT (machinery and industrial systems) security, doubled controls for supply chain security, expanded governance measures and improved auditability.
Three-quarters of registered NIS2 entities have now chosen a security framework, with the majority choosing CyFun over ISO 27001. This is no coincidence: according to the CCB, CyFun is written around the real cyber threats that exist in Belgium and translates them into understandable and feasible measures. That makes it particularly suitable for an SME-dominated economy like Belgium.
NIS2 entities may also choose ISO 27001 as an alternative to CyFun. Which framework best suits your organization depends on your industry, size and existing security infrastructure.
The NIS2 deadlines you need to know in 2026 and 2027
The Belgian NIS2 implementation follows a phased approach. Here are the crucial moments:
- Oct. 18, 2024: NIS2 law in effect. Entities are required to implement measures and report significant incidents.
- March 18, 2025: Registration deadline with the CCB via Safeonweb@Work. This has passed, but the portal remains open.
- April 18, 2026: First verification deadline. All entities must meet the CyFun Basic level as a minimum. Essential entities must have this verified by an accredited conformity assessment body (CAB).
- April 18, 2027: Entities whose risk assessment requires them to meet the Important or Essential level must complete their full certification.
The transition to CyFun 2025 runs in parallel: companies can still work with CyFun 2023 until April 18, 2027, but after that, only CyFun 2025 will be accepted.
What does your company risk in the event of non-compliance?
Belgium’s NIS2 law provides for stiff penalties. The maximum fines are:
- Essential entities: up to 10 million euros or 2% of global annual turnover.
- Important entities: up to 7 million euros or 1.4% of global annual turnover.
But financial penalties are not the whole story. Directors and senior management are personally liable for compliance. They must formally approve cybersecurity measures, oversee implementation and attend regular cybersecurity training. In the case of serious breaches, regulators can temporarily ban individual directors from performing management functions.
Flemish subsidies: up to 50% back on your security investment
Good news: the Flemish government realizes that NIS2 requires a substantial effort from companies and provides significant financial support.
Cybersecurity improvement pathways (VLAIO)
VLAIO has selected 19 approved service providers to guide companies in their cybersecurity maturity growth. The grant is 50% for SMEs and 35% for non-SMEs covered by NIS2, on trajectories between €7,100 and €39,900. Three packages are available:
- START: maturity analysis and action plan
- MEDIUM: analysis, action plan and 9 days of implementation guidance
- PLUS: analysis, action plan and 23 days of in-depth consulting and implementation
SME portfolio
Since February 1, 2026, advice through the SME portfolio is limited to the topic of cybersecurity. Cybersecurity advice and training are subject to an increased support rate: 45% for small enterprises and 35% for medium-sized enterprises, with a maximum of 7,500 euros per year.
In practice, this means that a cybersecurity audit or NIS2 gap analysis can end up costing your company only about half the list price.
Roadmap: here’s how to start NIS2 compliance today
Waiting until the deadline is not an option, especially when you take into account the lead time of audits and the limited availability of accredited audit firms. A structured approach helps.
Step 1: Define your scope. Use the official Scope Test Tool at safeonweb.be to check whether your organization is covered by NIS2 and in which category.
Step 2: Register your organization. If you have not already done so, register via Safeonweb@Work. The portal is still accessible.
Step 3: Choose your security framework. Determine whether CyFun or ISO 27001 is the best fit for your situation. Use the CyFun Selection Tool to determine your assurance level.
Step 4: Conduct a gap analysis. Map out where your current security falls short of NIS2 standards. You can do this through the CyFun Self-Assessment Tool or with help from an external partner.
Step 5: Establish a roadmap. Prioritize the most critical vulnerabilities and the measures with the greatest impact. Start with the “low-hanging fruit” such as MFA, backup policies and network segmentation.
Step 6: Train your management. Directors must be able to demonstrate that they have received cybersecurity training. This is a legal requirement.
Step 7: Prepare for the audit. Essential entities must have their measures verified by an accredited audit firm by April 18, 2026 (Basic level).
Frequently asked questions about NIS2 in Belgium
Should my SME be NIS2 compliant?
If your company has at least 50 employees or an annual turnover of more than 10 million euros, and is active in one of the 18 regulated sectors, you are covered by NIS2. But smaller companies can also be indirectly affected as a supplier to an NIS2-regulated organization.
What is the difference between an essential and important entity?
Essential entities are large companies in the most critical sectors (energy, healthcare, digital infrastructure). They receive proactive monitoring through inspections. Important entities are medium-sized companies in the same sectors or large companies in the other critical sectors. They are generally monitored only after an incident.
When is the first NIS2 deadline?
The next critical deadline is April 18, 2026. At that time, all NIS2 entities must meet at least the CyFun Basic level. Essential entities must have this verified by an accredited audit firm.
What are the NIS2 fines in Belgium?
The maximum fines are 10 million euros or 2% of annual global turnover for essential entities, and 7 million euros or 1.4% for significant entities. In addition, individual directors can be held personally liable.
What grants are available for NIS2 compliance?
Through VLAIO, you can receive up to 50% grants on cybersecurity improvement projects (SMEs) and up to 45% through the SME portfolio for cybersecurity consulting and training (small businesses). As of February 2026, the SME portfolio only offers consulting grants for cybersecurity.
Do I have to choose between CyFun and ISO 27001?
Both frameworks are acceptable for NIS2 compliance in Belgium. CyFun was developed specifically for the Belgian market and is more practical and accessible for SMEs. ISO 27001 is internationally recognized and can offer advantages if you also need to demonstrate compliance to foreign customers. A specialized partner can help you make the right choice.
Make NIS2 an opportunity for your business
NIS2 compliance may feel like an extra burden on top of an already full agenda. But it is also an opportunity to structurally strengthen your cybersecurity, increase customer and partner trust, and protect your market position in an economy where digital security is increasingly a quality label.
Cyberplan guides Flemish companies through the entire NIS2 process, from gap analysis and CyFun implementation to penetration testing and awareness training. As a recognized VLAIO service provider, we also help you make maximum use of available grants, saving up to 50% on your investment.
Wondering where your company stands? Book a free consultation and find out what steps you need to take before April 18, 2026.