NIS2 in Belgium: How the Law of 26 April 2024 Transposes the EU Directive

Belgium transposed NIS2 through the Law of 26 April 2024, designating the CCB, NCCN and sectoral regulators as the institutional pillars. What every essential and important entity needs to know after twenty months in force.

Daniel Grigorovich
Founder · 2 Jun 2026 · 23 min read

Who should read this: Compliance Officers, CIOs, CISOs, In-house Counsel, Risk Leaders, and Operations Leaders at organisations active in Belgium.

Belgium transposed the NIS2 Directive (Directive (EU) 2022/2555) ahead of most Member States. The Law of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of general interest for public security (the “NIS2 Law”) was published in the Moniteur belge / Belgisch Staatsblad on 17 May 2024 (p. 63179, NUMAC 2024202344) and entered into force on 18 October 2024. It repealed the Law of 7 April 2019, which had transposed NIS1, and it was substantially amended by the Law of 19 December 2025 on the resilience of critical entities (the “CER Law”), published on 19 January 2026. By the date of this article, the NIS2 Law has been in force for roughly twenty months: most essential and important entities have completed first-wave registration and are now working through the harder, slower parts of compliance.

For organisations operating in Belgium, the legal posture changes in three concrete ways. First, the scope is far wider than under NIS1: medium-sized and large undertakings across eighteen sectors are covered by default, joined by a generous list of size-agnostic categories. Second, the institutional architecture is distinctive: the Centre for Cybersecurity Belgium (CCB, Centre pour la Cybersécurité Belgique / Centrum voor Cybersecurity België) is the national competent authority, the single point of contact and the national CSIRT all at once, with the National Crisis Centre (NCCN, Centre national de crise / Nationaal Crisiscentrum) co-leading crisis governance and sectoral regulators retaining a defined role. Third, Belgium has chosen a specific compliance model: mandatory periodic conformity assessment for essential entities, against an accredited reference framework (in practice, CyberFundamentals), with a rebuttable presumption of conformity for those who pass.

This article is a practical, business-reader guide to what the Belgian NIS2 Law requires. It maps each obligation to its EU directive counterpart, identifies which Belgian body you deal with for each interaction, and points to the source articles that go deeper on the underlying topic. It is not legal advice; for that, consult counsel. But it should give a leadership team enough to plan, budget, and assign owners, even if you started late.

For wider context on the directive itself, see our NIS2 Compliance guide.

The legislative path: from NIS1 to the Law of 26 April 2024

NIS1 was transposed into Belgian law by the Law of 7 April 2019. That law applied to a small set of “operators of essential services” identified by sectoral regulators, plus a handful of digital service providers. It served its purpose, but it left most of the economy outside the cybersecurity perimeter.

The Law of 26 April 2024 replaces that framework entirely. The full text is available on the Belgian eJustice portal at the ELI https://www.ejustice.just.fgov.be/eli/loi/2024/04/26/2024202344/justel. The text has been substantively amended since adoption: the CER Law of 19 December 2025 (in force 19 January 2026) replaced the references to the now-repealed critical-entities law of 18 July 2023 and added a new Article 75 extending the CSIRT-related provisions (Articles 8, 38, and Title 2) to any natural or legal person established in Belgium. That means the CCB’s CSIRT remit is no longer confined to regulated entities; it is national in the proper sense.

If your organisation was already covered under NIS1, you do not get a clean slate: the carry-over rules treat previously designated operators of essential services as essential entities under the new regime by default. New obligations apply from day one; the only carry-over is your designation status, not your compliance posture. For a recap of what changed between the two regimes, see NIS1 vs NIS2: Key Differences.

Who is in scope

Article 3 of the NIS2 Law mirrors the EU directive’s two-step scoping logic, then extends it with several Belgian additions.

Sector plus size (Art. 3 §1). First, the entity must be of a type listed in Annex I or Annex II of the Law. Annex I covers the eleven sectors of high criticality: energy (including the hydrogen sub-sector), transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space. Annex II covers seven other critical sectors: postal and courier services, waste management, manufacture and distribution of chemicals, production and distribution of food, manufacturing (medical devices, computers, electrical equipment, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), and research. Second, the entity must qualify as at least a medium-sized enterprise under Commission Recommendation 2003/361/EC (50 or more staff, or annual turnover or balance-sheet total above EUR 10 million), or exceed those ceilings.

Size-agnostic categories (Art. 3 §3). Regardless of size, the Law applies to providers of public electronic communications networks and services, trust service providers, top-level domain name registries, DNS service providers, entities identified as essential or important under Chapter 4 of the Law, the federal public administration, federated entities identified by Royal Decree under Article 11 §2, the emergency zones, and the Brussels SIAMU fire and emergency-medical service.

Critical entities (Art. 3 §4). Entities designated as critical under the CER Law of 19 December 2025 are in scope size-agnostically. Because the same instrument that brought CER into Belgian law amended this Article, the boundary between the two regimes is unusually tight: critical entities will typically also be essential entities under NIS2.

Domain name registration services (Art. 3 §5). Providers of domain name registration services are in scope regardless of size.

If you are unsure whether the Law applies to your organisation, the fastest first check is our NIS2 scope checker, which walks through sector and size in three clicks. For a deeper read on how scoping works in the directive, see our guides on NIS2 scope and applicability and on the essential versus important distinction.

The financial sector deserves a separate note. Article 6 §3 of the NIS2 Law carves banking and financial market infrastructures (and the National Bank of Belgium’s central-securities-depositary activity) out of Titles 3 to 5 where Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (“DORA”) applies. Article 6 §4 layers on specific exclusions for the NBB itself (except its CSD activity) and for the financial institutions it supervises under Articles 8 and 12bis of the NBB statute. Where DORA applies, it applies in place of NIS2 for the same conduct. We unpack the boundary in NIS2 and the financial sector: how DORA overlaps with banking and in NIS2, DORA and CER: overlapping regulations explained.

Article 5 §4 carves out a small set of sensitive activities: the intelligence and security services, the Coordination Unit for Threat Analysis (OCAM/CUTA), the Ministry of Defence, the police and the general police inspectorate, the judicial authorities, the judicial databases of the SPF Justice, the Belgian diplomatic and consular networks abroad, and Class I nuclear installations (with a carve-back for the electricity-transport elements of nuclear power plants, which remain in scope through the energy sector).

The Belgian institutional architecture

The Law of 26 April 2024 names a small set of bodies and gives each a clear role. This is one of the most useful parts of the text for compliance teams: it tells you exactly who you talk to, in what circumstances.

Centre for Cybersecurity Belgium (CCB, Centre pour la Cybersécurité Belgique / Centrum voor Cybersecurity België). Under Article 15 §1 and Article 16, the CCB is the national competent authority for cybersecurity supervision and enforcement, the single point of contact for cross-border cooperation, and the national CSIRT. It is also Belgium’s representative in EU-CyCLONe and the CSIRTs network. Practical implication: the CCB is the body that will register you, receive incident notifications, inspect, audit, request information, issue binding instructions, and impose fines for most entities. The CCB publishes its NIS2 guidance and the CyberFundamentals materials at ccb.belgium.be.

National Crisis Centre (NCCN, Centre national de crise / Nationaal Crisiscentrum). The NCCN co-leads cyber-crisis governance with the CCB. Under Article 34 §1 and Article 35 §3, incident notifications from essential entities are transmitted not only to the CCB but also to the NCCN. The NCCN and the CCB jointly drive the National Cyber Crisis Response Plan provided for under Article 29.

Sectoral authorities (Art. 15 §2). Royal Decree designates the sectoral authorities that work alongside the CCB. Three are written directly into the Law:

  • National Bank of Belgium (NBB, Banque Nationale de Belgique / Nationale Bank van België) as sectoral authority for the finance sector under Article 80, except for trading-venue operators (where the Financial Services and Markets Authority (FSMA, Autorité des services et marchés financiers / Autoriteit voor Financiële Diensten en Markten) plays the cooperating role).
  • Belgian Institute for Postal Services and Telecommunications (BIPT, Institut belge des services postaux et des télécommunications / Belgisch Instituut voor Postdiensten en Telecommunicatie) as sectoral authority for digital infrastructure (excluding trust service providers) and for postal and shipping services under Article 83.
  • Federal Agency for Nuclear Control (FANC, Agence fédérale de Contrôle nucléaire / Federaal Agentschap voor Nucleaire Controle) for the electricity-transport elements of nuclear power plants under Article 77 (new Article 15ter inserted into the FANC statute).

If you want the EU-wide perspective on how these bodies fit into the directive’s design, our reference article on NIS2 institutional architecture: authorities, CSIRTs and contact points lays out the pattern.

National strategy and crisis plan

The Law requires two strategic instruments.

The national cybersecurity strategy (Article 28) is adopted by the Council of Ministers and reviewed at least every five years. Paragraph 2 enumerates ten mandatory contents (objectives, governance, risk assessment mechanisms, preparedness measures, and so on). Paragraph 3 lists ten policy areas the strategy must cover, including supply-chain security, public procurement, vulnerability disclosure, cyber hygiene for SMEs, and the now-distinctive notion of “cyberprotection active” (active cyber protection), which Belgium has embedded in the strategy as a discrete policy area. For background on why Article 7 of the directive requires a strategy and what good strategies look like, see The national cybersecurity strategy: what Article 7 requires.

The National Cyber Crisis Response Plan (Article 29) is adopted by Royal Decree. It defines crisis management procedures, preparedness measures, and arrangements for cross-border participation in coordinated EU-level responses. This anchors Belgium’s role in EU-CyCLONe and the CSIRTs network. See The Cooperation Group, EU-CyCLONe and the CSIRTs Network for the EU-level mechanics.

The cybersecurity risk-management measures (Article 30)

Article 30 of the NIS2 Law is the operational core. It requires essential and important entities to take “appropriate and proportionate technical, operational and organisational measures” based on an all-hazards approach. Where the EU directive enumerates ten categories of measures, the Belgian transposition adds an eleventh: a coordinated vulnerability disclosure policy, written into Article 30 §3 as a freestanding obligation rather than (as in the directive) a sub-component of secure development.

The full list of measures under Article 30 §3:

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, including backup management, disaster recovery, and crisis management;
  • supply-chain security, including security-related aspects of relationships with direct suppliers and service providers;
  • security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber-hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access-control policies, and asset management;
  • multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communication systems within the entity, as appropriate;
  • a coordinated vulnerability disclosure policy (the Belgian addition).

For the deep dive on what each of these covers in practice, see The 10 cybersecurity measures of NIS2 Article 21. The all-hazards principle, which extends beyond cyber threats to the physical environment, is unpacked in The all-hazards approach: physical security under NIS2. Supply chain risk gets its own treatment in Supply-chain security and vendor risk under NIS2. On how to calibrate the measures to the size and risk profile of the entity (rather than over-engineer), see NIS2 proportionality and what “appropriate” actually means.

Two Belgium-specific notes. First, Article 30 §5 requires the measures to be set out in a written “P.S.I.” (Politique de Sécurité des systèmes et réseaux d’Information), the formal information-security policy of the entity. Second, Article 33 reserves to the King the power to impose, by Royal Decree, additional risk-management measures specific to a sector. Expect sectoral decrees to layer on top of Article 30 over time, especially in energy, transport, and digital infrastructure.

Management body accountability (Article 31)

Article 31 of the NIS2 Law is short but consequential. The management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, and may be held personally liable for breaches. Article 31 §2 mandates regular training for management body members and requires the entity to offer comparable training to its staff. Article 32 assigns responsibility for the risk analysis to the entity itself, and Article 61 extends responsibility further: to legal representatives and to any natural person with decision-making or control powers within the entity.

For boards and executive committees, this means cybersecurity is no longer an “IT topic” delegated to the CISO. It is a board-level matter, with documented oversight, training records, and minute trails. Our article on Board accountability and governance under NIS2 walks through what a defensible governance posture looks like.

Incident reporting under Articles 34 to 37

Articles 34 to 37 reproduce the EU directive’s three-clock reporting regime, which is one of the most operational obligations in the Law.

Notification to the national CSIRT (Art. 34 §1). All significant incidents are notified without undue delay to the national CSIRT (the CCB), which forwards the notification to the relevant sectoral authority. Notifications from essential entities are also transmitted to the NCCN. This single-front-door model is a deliberate Belgian design choice: you talk to the CCB, and the CCB routes.

Early warning, within 24 hours (Art. 35 §1 1°). Within 24 hours of becoming aware of a significant incident, the entity submits an early warning that indicates whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.

Incident notification, within 72 hours (Art. 35 §1 2°). The notification updates the early warning and provides an initial assessment of severity, impact, and (where available) indicators of compromise. Trust service providers operate on a single 24-hour notification clock under Article 35 §2, with no separate 72-hour step.

Interim report on request (Art. 35 §1 3°). The CCB may request an interim report at any point during the incident handling.

Final report, within one month (Art. 35 §1 4°). The report covers a detailed description, the root cause, the mitigation measures applied and ongoing, and cross-border impact. If the incident is still being handled at the one-month mark, the entity provides a progress report under Article 35 §1 5° and a final report within one month of incident handling closure.

The CCB must provide an initial response to the early warning within 24 hours (Article 36), including guidance and operational advice. Voluntary notifications cannot trigger an automatic inspection (Article 38), which matters: an entity that observes a near-miss can share it without fear of triggering supervisory action. The CCB publishes anonymised quarterly reports to ENISA (Article 37 §4).
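As an added illustration of how the Article 35 clocks combine (example code written for this article, not the Law's text or anything published by the CCB), the tracker below lists the submissions owed for one significant incident, covering the trust-service-provider variant and the progress-report path when handling runs past the one-month mark. It assumes a calendar-month count for "one month" and that the one-month reporting steps also apply to trust service providers; the sample timestamps are constructed.

```python
"""Deadline tracker for the Belgian NIS2 Law's Article 35 reporting clocks.

Added example (not from the article or the CCB): given when an entity became
aware of a significant incident, it lists every submission owed and when.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Deadline:
    step: str                 # the submission owed
    basis: str                # provision of the NIS2 Law it rests on
    due: Optional[datetime]   # None while the clock has not started


def add_one_month(dt: datetime) -> datetime:
    """Add one calendar month, clamping to month end (31 Jan -> 28/29 Feb).

    Assumption: the article says 'one month' without saying how the CCB
    counts it; a calendar month is used here.
    """
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def notification_schedule(aware_at: datetime,
                          trust_service_provider: bool = False,
                          handling_closed_at: Optional[datetime] = None) -> list[Deadline]:
    """Submissions owed for one significant incident under Article 35.

    aware_at               moment the entity became aware of the incident
    trust_service_provider Art. 35 §2: one 24-hour notification, no 72-hour step
    handling_closed_at     end of incident handling; None while still open
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    one_month = add_one_month(aware_at)
    steps: list[Deadline] = []
    if trust_service_provider:
        steps.append(Deadline("notification (single clock)", "Art. 35 §2",
                              aware_at + timedelta(hours=24)))
    else:
        steps.append(Deadline("early warning", "Art. 35 §1 1°",
                              aware_at + timedelta(hours=24)))
        steps.append(Deadline("incident notification", "Art. 35 §1 2°",
                              aware_at + timedelta(hours=72)))
    # Interim reports are produced on CCB request (Art. 35 §1 3°): no fixed date.
    # Assumption: the one-month reporting steps apply to trust service providers
    # as well; the article only says their 72-hour step is absent.
    if handling_closed_at is not None and handling_closed_at <= one_month:
        steps.append(Deadline("final report", "Art. 35 §1 4°", one_month))
    else:
        # Still being handled at the one-month mark: progress report now,
        # final report one month after handling closes (unknown while open).
        steps.append(Deadline("progress report", "Art. 35 §1 5°", one_month))
        final_due = add_one_month(handling_closed_at) if handling_closed_at else None
        steps.append(Deadline("final report", "Art. 35 §1 4°", final_due))
    return steps


def overdue_steps(schedule: list[Deadline], submitted: set[str],
                  now: datetime) -> list[str]:
    """Submissions whose deadline has passed without being filed."""
    return [d.step for d in schedule
            if d.due is not None and d.step not in submitted and now > d.due]


# Constructed sample incident (not a real case). UTC is used so the example
# runs without tz data; a real tracker would use Europe/Brussels.
SAMPLE_AWARE_AT = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)
SAMPLE_CLOSED_AT = datetime(2026, 2, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_LATE_CLOSE = datetime(2026, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2026, 2, 4, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for d in notification_schedule(SAMPLE_AWARE_AT):
        print(f"{d.step:<24} {d.basis:<14} {d.due.isoformat() if d.due else 'pending'}")
    print("overdue:", overdue_steps(notification_schedule(SAMPLE_AWARE_AT),
                                    {"early warning"}, SAMPLE_NOW))
```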

For the practical guide to running the clocks, see The NIS2 incident reporting timeline. For when an incident actually crosses the “significant” threshold (the hardest call in the first 24 hours), see What makes an incident significant under NIS2.

Conformity assessment and CyberFundamentals (Articles 39 to 43)

Here Belgium has done something unusual, and it is the part of the Law most likely to drive your compliance roadmap: mandatory periodic conformity assessment for essential entities.

Under Articles 39 to 43, every essential entity must demonstrate conformity with Article 30 on a recurring basis. The Law gives the entity a choice. Option one (Article 40) is an external assessment by a conformity-assessment body accredited under a reference framework set by Royal Decree, with the costs borne by the entity. Option two is an inspection conducted directly by the CCB. Important entities may opt in voluntarily under Article 41. Where the entity passes assessment against a recognised framework, Article 42 grants a rebuttable presumption of conformity with Article 30: in the event of a dispute, the burden shifts to the regulator to show that conformity was not in fact achieved.

For critical entities and for the public administration, Article 40 §1 adds a security-clearance requirement: the assessment body and its individual assessors must hold an appropriate security clearance.

In practice, the CCB’s CyberFundamentals (CyFun) framework is the de facto reference framework Belgian entities are adopting to take advantage of this regime. CyFun is published at four assurance levels (Small, Basic, Important, Essential), maps onto recognised international controls (NIST CSF, ISO/IEC 27001, CIS Controls, IEC 62443), and is now the practical baseline most Belgian compliance teams will plan against. If your existing security posture is already certified to ISO/IEC 27001, you have a strong starting point for the equivalent CyFun level. For the broader relationship between NIS2 and recognised standards, see NIS2, ISO 27001 and cybersecurity certification schemes.

Registration and entity duties (Articles 13 and 14)

Two registration tracks apply.

General registration (Article 13 §1). Within five months of the entry into force of the Law (or of the entity’s identification as in-scope), entities must register with the CCB by communicating their company name and BCE / KBO number, address, email, IP ranges, phone, sector and subsector, and the list of EU Member States in which they provide services. Changes must be notified within two weeks (Article 13 §3).

Digital-sector registration (Article 14 §1). DNS service providers, top-level domain registries, domain name registration service providers, cloud and data centre providers, content delivery networks, managed service providers, managed security service providers, and providers of online marketplaces, search engines, and social networking platforms must register within two months, with a more detailed dataset (including IP ranges). The CCB forwards this to ENISA for the EU-wide registry under Article 27 of the directive. Changes here must be notified within three months (Article 14 §2). Article 14 §3 ensures that trust-service-provider data already held by the eIDAS supervisory body is communicated directly to the CCB, avoiding double registration.

If your business is a managed service provider or MSSP, see Are MSPs and MSSPs regulated under NIS2 for the implications. For cloud, data centre, and CDN providers, see Digital infrastructure under NIS2: cloud and data centre.

Coordinated vulnerability disclosure and the Belgian safe harbour (Articles 22 and 23)

If there is one place where Belgian transposition stands out from every other Member State, it is here. The Law institutionalises coordinated vulnerability disclosure (CVD) and, in Article 23, creates a criminal-law safe harbour for ethical hackers that is the strongest in the EU.

Article 22 designates the CCB as the trusted intermediary for CVD. Article 23 then provides immunity from prosecution under Penal Code Articles 314bis, 458, 550bis and 550ter, and under Article 145 of the Law of 13 June 2005 on electronic communications, for a person reporting a vulnerability to the CCB, subject to defined conditions: no fraudulent intent, a simplified notification within 24 hours and a complete notification within 72 hours, proportionality of the testing methods, no public disclosure of the vulnerability without the CCB’s consent, and a prior written agreement with the owner where the in-scope system is operated by a public authority or by the judiciary.

The combined effect of Articles 22 and 23 is to make Belgium the most welcoming EU jurisdiction for responsible vulnerability research. Essential and important entities should expect to receive more inbound disclosures than they would in, say, France or Germany, and they should have a defined intake process to handle them. The freestanding CVD obligation in Article 30 §3 (the Belgian eleventh measure) is the operational counterpart to this national posture. For the EU-level framework and recommended practices, see our reference article on the Vulnerability disclosure framework.

Supervision and enforcement (Articles 44 to 50)

The Law draws a sharp line between essential entities and important entities in how they are supervised.

Essential entities are subject to ex-ante and ex-post supervision. The CCB and the relevant sectoral authority can require regular conformity assessments under Articles 39 to 43, conduct on-site inspections, request information, audit, and intervene proactively.

Important entities are subject to ex-post supervision only (Article 48 §2). Inspections and audits are still possible, but only on the basis of evidence or indications of non-compliance: the regulator must articulate a reason.

The supervisory toolkit under Article 48 §1 is detailed. It includes access to and copies of documents, on-site and remote audits, random checks, targeted independent audits for essential entities, ad-hoc audits after significant incidents, security scans, identity checks for the personnel of the inspected entity, and (under Article 48 §5 and §6) the seizure of IT systems with judicial authorisation. Where access to inhabited premises is required, the inspector must obtain authorisation from the investigating judge, who decides within 48 hours; the entity has a right of appeal to the chambre des mises en accusation. Police assistance may be requested. Sectoral authorities and inspection services can co-lead or take over inspections by agreement with the CCB.

Where the CCB suspects that a personal-data breach is involved, Article 48 §7 requires mandatory cooperation with the Belgian Data Protection Authority (APD/GBA, Autorité de protection des données / Gegevensbeschermingsautoriteit). Article 21 §4 adds an interesting safeguard: the APD/GBA exercises a pre-control function over CSIRT requests for electronic-communications metadata, ensuring that proportionality is reviewed independently.

Our reference article on NIS2 enforcement powers, penalties, and fines walks through how authorities use these tools in practice.

Administrative measures and fines (Articles 58 to 60)

The Law sets out an administrative-measures toolkit (Article 58), a fines schedule (Article 59), and an escalation step reserved for essential entities (Article 60).

Administrative measures (Article 58). The CCB can issue warnings, binding instructions, cease-and-desist orders, compliance orders, orders to inform service recipients of cyber threats, and orders to publish breach details. For essential entities, Article 58 8° introduces a distinctive instrument: a “responsable du contrôle” (monitoring officer) appointed to oversee remediation inside the entity.

Administrative fines (Article 59). The Law sets out a tiered fines schedule:

  • Breach of an information obligation under Article 12: EUR 500 to EUR 125,000.
  • Retaliation against staff who assist with compliance: EUR 500 to EUR 200,000.
  • Breach of supervision obligations: EUR 500 to EUR 200,000.
  • Important entities, core operational breaches: EUR 500 to EUR 7,000,000 or 1.4% of total worldwide annual turnover of the previous financial year, whichever is higher.
  • Essential entities, core operational breaches: EUR 500 to EUR 10,000,000 or 2% of total worldwide annual turnover of the previous financial year, whichever is higher.

All ceilings are doubled in case of recidivism, defined as the same facts occurring within three years. For deep treatment of how these caps are calibrated and applied, see Administrative fines under NIS2: the EUR 10M and EUR 7M framework.

Escalation for essential entities (Article 60). Where administrative measures and fines prove ineffective, the CCB can pursue two further measures: temporary suspension of a certification or authorisation, and a temporary prohibition on the CEO or legal representative exercising management functions in that entity until remediation is achieved.

Recovery and appeal. Fines are recovered by writ of execution (“contrainte”) served by bailiff; the entity has 15 days to file opposition before the seizure judge (“juge des saisies”), which suspends execution (Article 56 §3). Prescription runs for three years on the facts and five years on measures and fines (Article 57).

Non-bis-in-idem with GDPR (Article 54 §2). Where the APD/GBA has already imposed a GDPR fine for the same conduct, the CCB cannot impose a NIS2 fine, although non-monetary enforcement measures remain available. The interaction is unpacked in NIS2 and GDPR overlap: cybersecurity and data protection.

Public administration carve-out (Article 62). Federal public administration entities are exempt from Articles 59 and 60: they remain subject to the supervisory regime but not to administrative fines or the Article 60 escalation. This is consistent with the directive’s permission for Member States to handle public-sector non-compliance through internal disciplinary channels.

Sectoral overlaps and exemptions

Several overlap areas deserve attention.

DORA (Article 6 §3). As noted in the scope section, banking, financial market infrastructures, and the NBB’s CSD activity are carved out of Titles 3 to 5 of the NIS2 Law where DORA applies. For entities only partially in DORA scope, the NIS2 Law continues to apply to the residual.

CER Law of 19 December 2025. The same instrument that amended the NIS2 Law also implemented the EU Critical Entities Resilience Directive into Belgian law. Critical entities under the CER Law are size-agnostically in NIS2 scope (Article 3 §4). For the full picture of how the three regimes interact, see NIS2, DORA and CER: overlapping regulations explained.

eIDAS (Article 14 §3). Trust-service-provider data communicated by the eIDAS supervisory body to the CCB avoids duplicate registration.

GDPR. Mandatory cooperation with the APD/GBA on suspected personal-data breaches (Article 48 §7), non-bis-in-idem on fines (Article 54 §2), and APD pre-control of CSIRT metadata requests (Article 21 §4) jointly define the boundary.

Sector-specific reading

If your organisation is in a regulated sector, the Annex categorisation maps directly to the corresponding sectoral guidance:

What to do this quarter

The law has been in force for twenty months. By now, most leadership teams have made some progress; the gap, in our experience, is rarely registration and rarely the first incident-response runbook. The gap is the harder middle: conformity assessment, supply-chain controls, and the documentary trail that survives a CCB audit. A reasonable sequence for the next ninety days:

  1. Re-confirm scope. Use the NIS2 scope checker or commission a counsel review of Article 3 against your activities. Pay attention to whether the CER Law of 19 December 2025 has changed your designation.
  2. Identify your interlocutor(s). The CCB by default; the NBB for finance (except trading venues); BIPT for digital infrastructure and postal/shipping; FANC for nuclear-power-plant electricity-transport elements.
  3. Confirm registration is current. If you registered in 2024 or 2025, check that company contact data, IP ranges, and sectoral classification still reflect reality, and remember the two-week (general) and three-month (digital) change-notification windows.
  4. Plan your conformity assessment route. Choose between external assessment (typically against CyberFundamentals at the appropriate level) and CCB inspection. The rebuttable-presumption mechanism in Article 42 makes the framework route the dominant choice for most essential entities.
  5. Re-brief the board. Article 31 personal liability is the single most important conversation to have at the management body level. Refresh approval of measures, document training delivered, and capture minute trails. Article 61 extends responsibility to legal representatives and persons with control powers: name them.
  6. Tighten the incident regime. Map your detection, classification, and notification flow to the 24h, 72h, and one-month clocks under Article 35. Pre-register your contact data with the CCB. Validate that your runbook accounts for the 24h trust-service-provider variant if relevant.
  7. Close the Article 30 gaps, including the eleventh. Run a controls map against the eleven categories. The Belgian addition (coordinated vulnerability disclosure) is the one most teams forget: write the policy, publish the contact point, and tie it back to the safe harbour in Article 23.

For a longer playbook, the NIS2 Compliance guide walks through each obligation in sequence. For comparison with how a neighbouring jurisdiction handled the same directive, our companion article on NIS2 in Luxembourg is a useful read: the same EU text, two notably different national designs.

Sources and references

Primary sources:

  • Belgium, Law of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of general interest for public security, Moniteur belge / Belgisch Staatsblad of 17 May 2024 (p. 63179, NUMAC 2024202344). ELI: https://www.ejustice.just.fgov.be/eli/loi/2024/04/26/2024202344/justel.
  • Belgium, Law of 19 December 2025 on the resilience of critical entities, Moniteur belge / Belgisch Staatsblad of 19 January 2026 (amending the NIS2 Law, transposing Directive (EU) 2022/2557, and extending CSIRT-related provisions via a new Article 75).
  • Directive (EU) 2022/2555 (NIS 2 Directive). Reference page: digital-strategy.ec.europa.eu/en/policies/nis2-directive. Consolidated text on EUR-Lex: eur-lex.europa.eu/eli/dir/2022/2555/oj.
  • Regulation (EU) 2022/2554 (DORA), and the related sectoral carve-out under Article 6 §3 of the NIS2 Law.
  • Commission Recommendation 2003/361/EC on the definition of micro, small, and medium-sized enterprises.

Belgian bodies:

  • Centre for Cybersecurity Belgium (CCB, Centre pour la Cybersécurité Belgique / Centrum voor Cybersecurity België), national competent authority, single point of contact, and national CSIRT: ccb.belgium.be.
  • National Crisis Centre (NCCN, Centre national de crise / Nationaal Crisiscentrum), co-lead for cyber-crisis governance.
  • National Bank of Belgium (NBB, Banque Nationale de Belgique / Nationale Bank van België), sectoral authority for finance.
  • Financial Services and Markets Authority (FSMA, Autorité des services et marchés financiers / Autoriteit voor Financiële Diensten en Markten), cooperating authority for trading-venue operators.
  • Belgian Institute for Postal Services and Telecommunications (BIPT, Institut belge des services postaux et des télécommunications / Belgisch Instituut voor Postdiensten en Telecommunicatie), sectoral authority for digital infrastructure and postal/shipping.
  • Federal Agency for Nuclear Control (FANC, Agence fédérale de Contrôle nucléaire / Federaal Agentschap voor Nucleaire Controle), sectoral authority for nuclear-power-plant electricity-transport elements.
  • Data Protection Authority (APD/GBA, Autorité de protection des données / Gegevensbeschermingsautoriteit), counterpart for GDPR cooperation and pre-control of CSIRT metadata requests.

For a companion analysis of how another EU Member State has transposed the same directive, see NIS2 in Luxembourg: How the Law of 5 May 2026 Transposes the EU Directive.

This article reflects the Law as in force on 2 June 2026, including amendments made by the CER Law of 19 December 2025. The CCB continues to publish implementing guidance and CyberFundamentals updates; check the CCB site for the latest official guidance before finalising operational decisions.


Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.