Implemented · NIS2

NIS2 in Belgium

Belgium enacted its NIS2 law in April 2024, making it one of the first EU member states to fully transpose the directive. The CCB leads enforcement, with fines of up to €10 million.

Transposition law: Loi du 26 avril 2024 établissant un cadre pour la cybersécurité des réseaux et systèmes d'information (NIS2 Belgium Act)
In force: 26 April 2024
Competent authority: Centre for Cybersecurity Belgium (CCB)
Max fine (Essential): €10 million or 2% of global annual turnover
Max fine (Important): €7 million or 1.4% of global annual turnover
Full enforcement: October 2024

Key Deadlines

NIS2 Act enacted: 26 April 2024
Full enforcement: 17 October 2024
Registration deadline: 17 January 2025

Competent Authority

Centre for Cybersecurity Belgium (CCB)
Primary NIS2 competent authority and CSIRT
https://ccb.belgium.be

CCB is one of the most active NIS2 supervisors in the EU. It operates CERT.be as its incident response team and maintains a dedicated NIS2 platform (safeonweb@work). Proactive audits apply to Essential Entities.

Registration Process

Register at safeonweb.be/nis2. You'll need your CBE number (Crossroads Bank for Enterprises), sector classification, and contact details for your security officer.

Key Requirements

  1. Registration on the CCB NIS2 portal within 3 months
  2. 72-hour incident notification to CCB/CERT.be (24h early warning)
  3. Annual management review of cybersecurity posture
  4. CyberFundamentals framework compliance recommended (based on NIST/ISO 27001/CIS)
  5. Management liability for significant negligence
  6. Supplier security assessments mandatory

National Additions

  • Belgium developed its own CyberFundamentals Framework (CFF), a tiered assurance framework aligned with ISO 27001, NIST CSF, and CIS Controls that entities can use to demonstrate NIS2 compliance
  • Three assurance levels: Basic, Important, and Essential, mapped to NIS2 entity tiers
  • CCB actively publishes threat alerts via safeonweb.be and requires entities to monitor these

FAQ: NIS2 in Belgium

What is the CyberFundamentals Framework?
The CFF is Belgium's national cybersecurity assurance framework, developed by CCB. It offers three tiers: Basic (SMEs/Important Entities), Important (large entities), and Essential (critical infrastructure). Each tier maps to an increasing level of security control rigour aligned with ISO 27001 and NIST CSF.

Is Belgium's CCB strict on enforcement?
Yes. CCB is considered one of the more proactive NIS2 supervisors in the EU. It has a track record of active engagement, publishes regular threat advisories, and has publicly committed to conducting on-site audits for Essential Entities.
