Belgium has transposed the NIS 2 EU Directive into its local legislation by publishing its NIS2 cybersecurity law in April 2024, and it is one of the first EU countries to do so.
This law has quite a lengthy name: Loi établissant un cadre pour la cybersécurité des réseaux et des systèmes d’information d’intérêt général pour la sécurité publique (in French), and Wet tot vaststelling van een kader voor decyberbeveiliging van netwerk- en informatiesystemen van algemeen belang voor de openbare veiligheid (in Dutch) — so let’s call it Belgium’s NIS2 Law.
So, how does Belgium’s NIS2 Law compare with the NIS 2 Directive, and what are the additional requirements?
Belgium’s NIS2 Law follows the NIS 2 EU Directive very closely when it comes to governance, cybersecurity measures, and incident reporting. Belgium’s law clarifies more precisely some points from NIS 2 about conformity assessment and supervision.
The basics of Belgium’s cybersecurity law
As prescribed by the NIS 2 Directive, the main purpose of Belgium’s NIS2 Law is to reduce cybersecurity risks related to critical infrastructure organizations (essential and important entities), and to increase the resilience of their network and information systems.
Belgium’s NIS2 Law replaces the existing Act of April 7, 2019, for establishing a framework for the security of networks and information systems of general interest for public security, and it amends several related laws and regulations in its Section 7 (General provisions).
The official text of Belgium’s NIS2 Law can be found here (in French) and here (in Dutch).
The rest of this article will focus on cybersecurity requirements that essential and important entities need to comply with — the focus of this article is not to describe the role of government bodies that need to enforce compliance with Belgium’s NIS2 Law.
The key similarities and differences between Belgium’s NIS2 Law and the NIS 2 EU Directive are summarized in the table below:
Belgium’s NIS2 Law compared to EU NIS 2 Directive | |
Which companies must comply | The same criteria as in the NIS 2 Directive, but only for companies that are registered in Belgium. The exceptions are providers of public electronic communications networks and providers of publicly available electronic communications services — they have to be compliant with NIS2 Law if they provide services in Belgium no matter where they are registered. |
Deadlines | Belgium’s NIS2 Law comes into force on October 18, 2024 (the same as the NIS 2 Directive). Companies that belong to the sectors of digital infrastructure and digital providers must register with the national cybersecurity authority by December 18, 2024, while all other essential and important organizations must do so by March 18, 2025. The government will set the deadline for the first conformity assessment for essential entities. |
Responsibilities of senior management | The same as the NIS 2 Directive (see Article 20). |
Importance of training | The same as the NIS 2 Directive (see Article 20). |
Risk-based approach to cybersecurity | The same as the NIS 2 Directive (see Article 21). |
Cybersecurity measures | The same as the NIS 2 Directive (see Article 21). |
Supply chain security | The same as the NIS 2 Directive (see Article 21). |
Incident reporting obligations | The same as the NIS 2 Directive (see Article 23). |
Using certified IT products and services | The same as the NIS 2 Directive; however, Belgium’s NIS2 Law defines that the national cybersecurity strategy will specify the use of IT products and services. |
Supervision and enforcement | Essential entities must go for periodic conformity assessment, whereas important entities may go for conformity assessment on a voluntary basis. |
Fines | For essential entities, between €500 and €10 million or up to 2% of annual turnover (whichever criteria is higher). For important entities, between €500 and €7 million or up to 1.4% of annual turnover (whichever criteria is higher). The fines are doubled in the case of a repeat offense. |
Completely new requirements | Certain types of digital service providers, if they provide services within the EU but are based outside of the EU, must appoint a representative in the EU. Essential and important entities must register on their own initiative with the national cybersecurity authority. Processing of personal data in line with the GDPR. |
Which companies must comply with Belgium’s NIS2 Law?
Like the NIS 2 Directive, Belgium’s NIS2 Law prescribes that mid-sized and larger companies from the 18 specified sectors are in the scope; on top of this, some smaller organizations from those 18 sectors also need to be compliant with Belgium’s NIS2 Law — read the details here: Which companies must comply with NIS 2? Essential vs. important entities.
The main difference is that these companies (that are considered essential and important entities) need to be registered in Belgium to fall under the scope of Belgium’s NIS2 Law. The only exceptions are the providers of public electronic communications networks and publicly available electronic communications services — such companies need to comply with Belgium’s NIS2 Law no matter where they are registered if they provide such services within Belgium.
Belgium’s NIS2 Law also specifies that public administration entities must comply if they depend on the federal government, or if they depend on the federated entities.
Deadlines
Although Belgium’s NIS2 Law comes into effect on the same day as the NIS 2 Directive (October 18, 2024), the actual deadlines for essential and important entities to become compliant will be after this date:
- Companies from the sectors of digital infrastructure and digital providers — DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, and managed security service providers, as well as providers of online marketplaces, online search engines, and social networking service platforms — must report to the national cybersecurity authority within 2 months of the Law’s entry into force (i.e., by December 18, 2024).
- All the remaining essential and important entities must register with the national cybersecurity authority within 5 months of the Law’s entry into force (i.e., by March 18, 2025).
On top of that, the Law specifies that the government will set the deadlines for essential entities to perform their first periodic conformity assessments — this deadline has not been set at the time of writing this article.
Supervision and enforcement
Belgium’s NIS2 Law specifies that essential entities must go for a periodic compliance assessment (even though the frequency is not specified), and that such assessment can be:
- Conformity assessment against a reference framework that will be determined by the government, and that will be performed by an accredited body approved by the national cybersecurity authority, or
- Inspection by the national cybersecurity authority
Important entities are not obliged to go for compliance assessment, but can do so on a voluntary basis.
If an essential entity is not compliant with Belgium’s NIS2 Law, a competent authority can “temporarily suspend a certification or authorization concerning all or part of the relevant services provided or relevant activities carried out by the entity concerned,” and “temporarily prohibit any individual exercising managerial responsibilities at the level of managing director or legal representative in the entity concerned from exercising managerial responsibilities in that entity.”
Fines
There are several fines that are prescribed by Belgium’s NIS2 Law:
- Between 500 and 125,000 euros if an entity that is in the scope does not register with the national cybersecurity authority.
- Between 500 and 200,000 euros if an entity “causes a person acting on its behalf to suffer adverse consequences as a result of its performance.”
- Between 500 and 7 million euros, or 1.4% of the total worldwide annual turnover, for an important entity that does not comply with cybersecurity risk management and/or incident reporting.
- Between 500 and 10 million euros, or 2% of the total worldwide annual turnover, for an essential entity that does not comply with cybersecurity risk management and/or incident reporting.
The fine is doubled if a company repeats the same offense within 3 years.
New requirements in Belgium’s NIS2 Law
Belgium’s NIS2 Law does not bring any major novelties when compared to the NIS 2 Directive, but the following should be mentioned.
Essential and important entities must register with the national cybersecurity authority on their own initiative — only in some rare cases will the national cybersecurity authority designate certain organizations as the ones that must comply.
If an entity belongs to any of these categories — DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, and managed security service providers, as well as providers of online marketplaces, online search engines, or social networking service platforms — and they provide services in the European Union, but they are not registered in the European Union — they must appoint a representative in the European Union.
Finally, Belgium’s NIS2 Law explicitly specifies how personal data that is processed because of NIS2 needs to be handled in the context of the GDPR.
Requirements that are the same as in the NIS 2 Directive
There is a lot in Belgium’s NIS2 Law that is the same as in NIS 2:
- Responsibilities of the senior management — see the details here: What is NIS 2 Directive? A detailed and straightforward guide
- Importance of training — learn more: How to perform training and awareness according to NIS 2
- Risk-based approach to cybersecurity — learn more: The 8 most important cybersecurity and reporting requirements in NIS2
- Cybersecurity as a mixture of technical, operational, and organizational measures — see also: List of required documents according to NIS 2
- Supply chain security
- Incident reporting obligations — see also: What are reporting obligations according to NIS 2?
- Using certified IT products and services
However, Belgium’s NIS2 Law defines that the Belgian government will introduce rules for the items mentioned above — for example, it specifies that the national cybersecurity strategy will specify cybersecurity requirements for the use of IT products and services in public procurement, for example certification, encryption, open source, etc.
Belgium’s NIS2 Law vs. the NIS 2 Directive
Overall, Belgium’s NIS2 Law follows the NIS 2 Directive very closely, especially related to governance, cybersecurity measures, and incident reporting.
Belgium’s law clarifies some points from NIS 2 about conformity assessment and supervision, and it allows essential entities to choose how they will perform the conformity assessment.
Of course, it remains to be seen what kind of decisions the Belgian government will make with regards to deadlines for conformity assessments, for reference frameworks for conformity assessment, and for cybersecurity measures. Such decisions will influence the compliance effort a lot.
To find all the documents needed for complying with the NIS 2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.