NIS 2 status in Belgium
What the directive requires, how Belgium transposes it, and where the CCB sits inside the picture.
Overview
The NIS 2 directive is the EU layer. It binds every member state, including Belgium, with one cybersecurity floor for essential and important entities. Belgium must put that floor into Belgian law and run a supervision regime under it.
Belgium transposes NIS 2 through the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security. The law was published in the Moniteur belge / Belgisch Staatsblad on 17 May 2024 and entered into force on 18 October 2024, alongside a Royal Decree that fills in the operational detail. Belgium is one of the few member states that met the directive's 17 October 2024 deadline.
The Centre for Cybersecurity Belgium (CCB) is the lead competent authority. CERT.be operates as a service inside the CCB. Registration runs through the Safeonweb@work portal. Sector regulators stay in the loop where they already exist: the National Bank of Belgium (NBB) and FSMA for finance, where DORA acts as lex specialis; BIPT for electronic communications.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.
EU implementation
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in Belgium without national transposition.
Belgian transposition
Law of 26 April 2024 (NIS 2 law)
The Belgian NIS 2 transposition, published in the Moniteur belge on 17 May 2024 and in force from 18 October 2024. The implementing Royal Decree of June 2024 and CCB guidance fill in the operational detail. The law repeals the Law of 7 April 2019 (the Belgian NIS 1 transposition).
Law of 26 April 2024
Carries the NIS 2 obligations into Belgian law. Defines essential and important entities, the supervision powers of the CCB, incident reporting duties, and sanctions. Most operational detail sits in the Royal Decree of June 2024 and in CCB guidance.
CCB as supervisor, CERT.be as CSIRT
The Centre for Cybersecurity Belgium runs supervision, audits and sanctions. CERT.be operates inside the CCB as the national CSIRT for incident handling. Safeonweb@work is the public-facing portal for registration and guidance.
Registration and reporting
Digital sector providers had to register on Safeonweb@work by 18 December 2024. All other essential and important entities had to register by 18 March 2025. Significant incidents follow the directive's 24h early warning, 72h notification and one-month final report cadence.
Local law applies inside Belgium
Operations on Belgian territory follow the Belgian transposition. A German managing director running a Belgian subsidiary reads the Law of 26 April 2024 for that subsidiary, not the German BSIG. The directive obligations are the same; the procedure, the portal and the sanctions live in Belgian law.
Belgium cannot go below the EU floor
The directive is a minimum harmonisation instrument. Belgium can go stricter, and in practice does so via the CyberFundamentals framework and the Royal Decree. It cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.
CCB
Centre for Cybersecurity Belgium, the national cybersecurity authority sitting under the Prime Minister's office. Lead competent authority for NIS 2: supervision, audits, sanctions, and the Safeonweb@work registration portal. Publishes the CyberFundamentals framework, where a validated implementation grants a presumption of conformity with the NIS 2 risk-management measures.
CERT.be
The national Computer Security Incident Response Team. Operates as a service inside the CCB rather than as a separate agency. Handles incident notifications, technical coordination, and operational cooperation with other EU CSIRTs.
ENISA
The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Belgian entities; the CCB is.
Belgium is on the same timeline as Germany.
Belgium met the 17 October 2024 deadline. The Law of 26 April 2024 was published in the Moniteur belge on 17 May 2024 and entered into force on 18 October 2024, with registration deadlines that already passed in December 2024 and March 2025. Germany, by contrast, is still finalising its NIS2UmsuCG. Belgian entities cannot use the German delay as cover; their supervisor is active and registration is overdue if missed.
There is no functioning registration portal yet.
Safeonweb@work is live and operational. Digital sector providers had to register by 18 December 2024; all other essential and important entities by 18 March 2025. Late registration is a compliance gap that the CCB can act on, and registration data must be kept up to date under Article 27 of the directive.
Only the sectors that already had a NIS 1 regulator are in scope.
NIS 2 widens the perimeter well beyond the NIS 1 OES list. New sectors include public administrations, manufacturing, food, postal and courier services, waste management and chemicals, among others. The size test caps at medium and large enterprises by default, but small entities can be captured where they are sole providers or where the law adds them. The applicability check has to be done case by case.
Belgium is the rare EU country where NIS 2 is operational, not theoretical. The CCB is staffed, the registration portal works, the Royal Decree is in force, and the CyberFundamentals framework gives entities a concrete implementation path with a built-in presumption of conformity. Belgian operators that have not registered yet are not ahead of the curve, they are behind it.
The practical move is the same as everywhere else in the EU: confirm scope under the directive, register on Safeonweb@work, set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight), and document the minimum. The CyFun framework helps with the substantive controls, but it does not replace the NIS 2 obligation register.
We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Belgian subsidiary using the Law of 26 April 2024, a German parent using BSIG, and a Dutch sister using the Cyberbeveiligingswet. Article references switch per locale; the substantive obligations do not.
For Belgian scope you start with the applicability check, then move to Safeonweb@work registration, incident reporting cadence, supply chain clauses and management body sign-off. Where the CCB publishes CyFun guidance, we reference it; we do not duplicate it.
- Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690
- Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security — Moniteur belge / Belgisch Staatsblad, 17 May 2024
- Royal Decree of June 2024 implementing the NIS 2 law — Moniteur belge / Belgisch Staatsblad
- Centre for Cybersecurity Belgium (CCB) — ccb.belgium.be
- Safeonweb@work — atwork.safeonweb.be (NIS 2 registration portal)
- CERT.be — national CSIRT, operating inside the CCB
- CyberFundamentals (CyFun) framework — CCB