
NIS2 roadmap: 7 steps to compliance for your SME

Discover the concrete NIS2 roadmap for Flemish SMEs: from registration to conformity assessment, including VLAIO grants and timeline.
Image: a Cyberplan consultant discusses the NIS2 roadmap with a Flemish SME team at the meeting table.

TL;DR: The NIS2 roadmap for Flemish SMEs includes seven concrete steps: registration with the CCB via Safeonweb@Work, choice between CyFun or ISO 27001, a gap analysis, implementation of priority measures, documentation, the formal conformity assessment and leveraging VLAIO grants. Essential entities must submit their first proof of compliance by April 18, 2026. Important entities have more time, but the duty of care has already applied since October 2024.

By now you know that NIS2 affects your business. The law is active, the deadlines are approaching, and you are no longer looking for an explanation of what NIS2 is, but rather how to get started. That is exactly what this NIS2 roadmap provides: a practical overview of the seven steps you, as a Flemish SME, have to go through to become compliant, including the timeline, costs and subsidies that make the process affordable. You can read an extensive overview of what NIS2 exactly entails in our NIS2 guide.

Does your company fall under NIS2?

Before you begin the compliance process, you must determine whether your organization is classified as an essential or an important entity. That distinction determines which deadlines and oversight apply to you.

The Belgian NIS2 law makes a fundamental difference between the two categories. Essential entities are large organizations in very critical sectors such as energy, transportation, healthcare and digital infrastructure. Important entities are medium-sized organizations (50 to 250 employees or more than €10 million turnover) in critical or less critical sectors, such as food production, wastewater management or postal services.

The difference is not just semantic. Essential entities fall under proactive supervision: they must prove their compliance in advance through a formal conformity assessment. Important entities fall under reactive supervision, but that does not mean they have no obligations. Security measures and incident reporting obligations have applied to both categories since October 18, 2024.

In doubt about your classification? The CCB offers an NIS2 Scope Test Tool through the Safeonweb@Work portal. Within five minutes, you will know if and how NIS2 applies to your organization.

Important to note: Belgian law takes a “whole-entity approach.” The security obligations apply to your entire IT environment, including administrative systems, HR platforms and any operational technology, not just to the core activities that are considered critical.

How do you register with the CCB?

Registration with the Center for Cybersecurity Belgium is the formal first step of any NIS2 pathway. Without registration, you are legally in violation, even if your security is in order.

Registration is via the Safeonweb@Work platform. A legal representative of your company registers with eID or itsme and assigns themselves the role of access manager for the cybersecurity service. You then enter a number of mandatory details: your enterprise number (CBE), contact information for cybersecurity matters (including a 24/7 monitored email address for incident reports), your sector and entity type in accordance with the NIS2 annexes, and the IP ranges your organization uses.

The registration deadline for most sectors was March 18, 2025. Are you not yet registered? If so, this is the first action you can take today. Failure to register is considered a procedural violation by the CCB that can result in administrative fines, even without a security incident.

After registering, you can use the CyFun Selection Tool through the same portal to determine your required security level. Which brings us to the next step.

CyFun or ISO 27001: which framework do you choose?

Belgian SMEs face a strategic choice: the national CyberFundamentals (CyFun) framework or the international ISO 27001. Both are recognized equally by the CCB as a route to NIS2 compliance. In practice, 75% of registered entities choose CyFun.

That preference is not surprising. CyFun was developed specifically by the CCB for the Belgian market, is available free of charge and offers a scalable three-level path. The 2025 version is aligned with NIST CSF 2.0 and includes a sixth core function, “Govern,” which ties directly into the NIS2 requirement around governance accountability.

CyFun Basic includes 34 to 50 measures and focuses on essential cyber hygiene: multifactor authentication, patch management, backup procedures. This level provides protection against 82% of common cyber attacks and is the entry level for most SMEs classified as important entities. CyFun Important adds some 99 measures and increases protection to 94%. CyFun Essential is the highest level, with about 140 to 200 measures.

Cost also speaks in CyFun’s favor. An ISO 27001 project costs an average of €15,000 to €60,000 in implementation and certification, with a lead time of 6 to 14 months. A CyFun verification at the Basic level can be completed within 3 to 6 months with a significantly lower budget.

You can read a detailed comparison of both frameworks in our article on ISO 27001 or CyberFundamentals. You can read more about the structure and levels of CyFun in our article on the CyberFundamentals framework.

What does gap analysis entail?

A gap analysis is when you compare your current level of security against the requirements of the chosen framework. The difference between where you are and where you need to be constitutes your implementation roadmap.

On a CyFun track, you use the CCB’s official self-assessment tool: an Excel tool in which you score each security measure on documentation maturity and implementation maturity, each on a scale of 1 to 5. For CyFun Basic, you must average 2.5 out of 5, with each of the 13 key measures at least 2.5. For CyFun Important, the bar is 3.0 out of 5, with 21 key measures.

In practice, most SMEs do not perform this gap analysis on their own. A cybersecurity audit by an external partner provides a more objective picture and prevents blind spots. Cyberplan guides Flemish SMEs through the entire process: from gap analysis to implementation and preparation for compliance assessment.

The output of a good gap analysis is a concrete roadmap with priorities: what measures must you address first to reach the required level, and how much time and budget does that require?
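The scoring rule above, as an added example that is not from the original post or the CCB tool: a small Python checker that applies both conditions (the required average, and every key measure individually at the threshold) to constructed self-assessment scores, then orders the shortfalls as the roadmap priorities. Measure names are constructed, and the per-measure score being the mean of the documentation and implementation maturities is an assumption about how the Excel tool combines them.

```python
from dataclasses import dataclass

# Thresholds as stated in the article: required average score and the
# minimum each key measure must individually reach.
LEVELS = {"Basic": 2.5, "Important": 3.0}


@dataclass
class Measure:
    ident: str
    doc: int            # documentation maturity, 1..5
    impl: int           # implementation maturity, 1..5
    key: bool = False   # flagged as a "key measure" in the CCB tool

    @property
    def score(self) -> float:
        # ASSUMPTION: a measure's score is the mean of its two maturities.
        return (self.doc + self.impl) / 2


def assess(measures, level):
    """Return (compliant, average, gaps).

    compliant: average >= threshold AND every key measure >= threshold.
    gaps: measures below the threshold, key measures first, lowest score
    first, i.e. the priority order for the implementation roadmap.
    """
    threshold = LEVELS[level]
    average = sum(m.score for m in measures) / len(measures)
    key_shortfalls = [m for m in measures if m.key and m.score < threshold]
    compliant = average >= threshold and not key_shortfalls
    gaps = sorted((m for m in measures if m.score < threshold),
                  key=lambda m: (not m.key, m.score))
    return compliant, average, gaps


# Constructed sample scores for illustration only (not a real CCB measure list).
SAMPLE = [
    Measure("Asset inventory", 3, 3, key=True),
    Measure("MFA on remote access", 2, 1, key=True),
    Measure("Backups (3-2-1-1)", 4, 3, key=True),
    Measure("Patch management", 3, 2),
    Measure("Incident response plan", 2, 1),
    Measure("Awareness training", 3, 4),
]

if __name__ == "__main__":
    for level in LEVELS:
        ok, avg, gaps = assess(SAMPLE, level)
        print(f"{level}: average {avg:.2f}, compliant={ok}")
        for m in gaps:
            print(f"  {'KEY ' if m.key else '    '}{m.ident}: {m.score}")
```

With the sample data the Basic average (2.58) clears 2.5, yet the result is non-compliant because one key measure sits at 1.5; that is the case an average-only check would miss.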

Which measures do you implement first?

After the gap analysis, the real work begins. The trick is to prioritize: not everything at once, but first the measures that cover the greatest risk and make the difference fastest.

For most SMEs starting at the CyFun Basic level, these are the quick wins that are achievable within three months:

Enable multifactor authentication (MFA) on all remote access points and administrator accounts. This is one of the 13 key measures and blocks the majority of credential-based attacks.

Structure patch management: establish a monthly process for testing and deploying security updates. Unpatched systems are responsible for a significant portion of successful attacks on Belgian SMEs.

Backup strategy following the 3-2-1-1 rule: three copies, on two different media, one off-site and one immutable or air-gapped. Test your backups at least semi-annually for recoverability.

Establish an incident response plan: who does what if things go wrong? NIS2 requires a 24-hour early warning to the CCB, followed by full notification within 72 hours. Without a plan, you do not meet this obligation.

Awareness training for employees: the Belgian VLAIO Cybersecurity Barometer shows that 45.8% of Flemish companies were victims of a cyber-attack. People are the first line of defense, and training is a mandatory measure under Article 21 of the NIS2 law.

The quick wins are followed by the documentation phase: policy formation, establishing processes, formalizing supply chain agreements. This phase typically takes three to six months. The total journey from zero to CyFun Basic verification realistically takes 9 to 12 months.

How does conformity assessment work?

The conformity assessment is formal proof that your organization meets NIS2 requirements. You can read the full process and current deadlines in our article on the NIS2 conformity assessment.

The key elements in brief: essential entities must submit a verification statement for CyFun Basic or Important to the CCB, or equivalent ISO 27001 documentation, by April 18, 2026. Full target level (CyFun Essential or ISO 27001 certification) must be achieved by April 18, 2027.

The assessment is performed by a conformity assessment body (CAB), accredited by BELAC and authorized by the CCB. Currently, there are only two CABs accredited for CyFun verifications: Brand Compliance Belgium (accredited since September 2025) and Trust CHECK. Waiting times are up to 3 to 5 months, which means that companies that have not started now will have it particularly tight before the April 2026 deadline.

Important entities are not required to undergo an external conformity assessment, but must have a current self-assessment and be able to demonstrate their duty of care. Those who voluntarily obtain a CyFun label enjoy a presumption of conformity during any inspections.

The consequences of noncompliance are hefty. Essential entities risk fines of up to €10 million or 2% of global annual sales. Directors can be held personally liable for negligence. A detailed analysis can be found in our article on NIS2 fines and director liability.

What VLAIO grants can you use?

Flemish SMEs have two powerful grant instruments at their disposal that make the NIS2 pathway significantly more affordable. Since February 1, 2026, cybersecurity has been the only consulting domain still eligible for the SME portfolio, lowering the threshold for utilizing this grant.

SME portfolio (advice and training): small enterprises receive a 45% subsidy, medium-sized enterprises 35%, with a maximum of €7,500 per year. Concretely: a gap analysis and NIS2 advice trajectory of €5,000 will cost a small enterprise only €2,750 after subsidy. The application is made via VLAIO’s e-desk and must be submitted within 14 calendar days of the start of the service. Please note that only services delivered by registered service providers are eligible. Cyberplan is registered as a service provider with VLAIO.

Cybersecurity improvement trajectories: for a more structural trajectory, VLAIO subsidizes 50% of the costs in SMEs, on trajectories between €7,100 and €39,900. The offer is divided into three packages: START (initial analysis and action plan, approximately €7,100 to €11,900), MEDIUM (analysis plus implementation guidance, approximately €14,200 to €24,720) and PLUS (comprehensive support including pentesting, approximately €24,000 to €39,900). More details on these pathways can be found in our article on the VLAIO cybersecurity improvement pathway.

You can combine both tools, provided they are used for different parts of your project. For example: the SME portfolio for awareness training and the improvement track for overarching implementation.

Your NIS2 timeline in practice

The entire journey from zero to CyFun Basic verification realistically takes 9 to 12 months. For SMEs starting today, that timeline looks like this:

Month 1: complete registration on Safeonweb@Work, go through the CyFun Selection Tool, choose a framework (CyFun or ISO 27001).

Month 2: conduct the gap analysis (internally via the self-assessment tool or externally via a cybersecurity audit), create the roadmap.

Month 3 to 5: implement the quick wins: MFA, patch management, backups, initial awareness training.

Month 6 to 8: put documentation in order: policy creation, incident response plan, supply chain agreements.

Month 9: conduct an internal audit, collect evidence.

Month 10 to 12: formal verification by a CAB, application for the CyFun label through Safeonweb@Work.

Given the current wait times at the two accredited CABs, it is crucial to select and contract with a CAB as early as possible in your journey. Those who do not try to schedule an appointment until month 9 risk missing the deadline.

Want to know where your company stands and what the NIS2 pathway looks like for you? Schedule a no-obligation introductory meeting with Cyberplan and we will map out your starting position.

Frequently asked questions about the NIS2 roadmap

How long does it take to become NIS2 compliant?

The entire journey from zero to CyFun Basic verification takes 9 to 12 months. SMEs with an existing level of security (such as a current backup policy and MFA) can often complete the path in 6 to 9 months. Turnaround time depends on your starting position, available internal resources and waiting time at a CAB.

What does it cost to become NIS2 compliant?

The total investment varies by company, but for an SME with 50 to 150 employees you should count on €5,000 to €20,000 for the complete process (gap analysis, implementation and verification). With the VLAIO subsidies (45% via SME portfolio and 50% via improvement trajectories) this amount will be considerably lower. A concrete calculation example: a €10,000 trajectory will cost a small enterprise approximately €5,500 after subsidy.

What if I don’t meet the April 18, 2026 deadline?

The CCB currently uses a cooperative, educational approach. No sanctions have been imposed in the first 15 months. But as deadlines pass, that policy may change. Essential entities that cannot provide any proof of compliance risk fines of up to €10 million or 2% of global annual sales. Important entities have no hard filing requirement by April 2026, but must be able to demonstrate their duty of care in the event of an inspection.

Is CyFun Basic sufficient for an SME?

CyFun Basic is the entry level and sufficient as a first step for most SMEs classified as an important entity. The level protects against 82% of common cyber attacks. Essential entities must eventually reach the Essential level (April 2027 deadline), but can meet the initial April 2026 deadline with Basic or Important verification.

Can I combine the SME portfolio with an improvement program?

Yes, this is possible. The condition is that you use both grants for different parts of your project. For example, use the SME portfolio for specific cybersecurity training of employees and the improvement track for overarching implementation and gap analysis. Both fall under European de minimis regulations: total support cannot exceed €300,000 over three years.

Should I contact a CAB myself or will my service provider do it?

You enter into your own agreement with an accredited CAB. However, your service provider can advise you on the timing and help you prepare so that verification goes smoothly. Given the current market crunch (two accredited CABs for over 1,100 essential entities), it is wise to contact them as early as possible.