As of March 18, 2025, organizations covered by the NIS2 Directive were required to register with the Cybersecurity Center of Belgium (CCB). If your organization has not yet taken action, it's crucial to begin your compliance journey now to avoid regulatory enforcement, audits, or financial penalties. Cresco Cybersecurity is here to help guide you through the next steps.
What is NIS2?
The NIS2 Directive (EU 2022/2555), which came into force in December 2022, was transposed into Belgian law with the Act of April 26, 2024. This regulation focuses on reinforcing cybersecurity measures, improving incident management, and overseeing entities that provide critical services necessary for maintaining essential societal and economic activities.
This directive was designed to better coordinate government cybersecurity policies and ensure that critical infrastructure is protected against increasingly sophisticated cyber threats.
What are the key dates and deadlines?
October 18, 2024: NIS2 law comes into force in Belgium.
March 18, 2025: Deadline for essential and important entities to register with the Cybersecurity Center of Belgium (CCB) via the Safeonweb@Work portal. Note that entities within the digital sector have an earlier registration deadline.
April 2026: Verification of self-assessments.
April 2027: Deadline for essential entities to obtain certification.
Who must comply?
Entities considered essential (e.g., energy, health, water, transport) or important (e.g., digital service providers, postal services, food production) are obligated to comply with NIS2. These sectors face varying requirements, such as tighter reporting obligations and oversight.
If you operate in a critical infrastructure or digital service sector and meet size or service thresholds, you are most likely required to comply with this law.
What are the key steps to NIS2 compliance?
NIS2 compliance requires a multi-faceted approach that includes:
Risk management: Identifying and addressing cybersecurity risks across your network and information systems.
Employee training: Ensuring your team has the skills and knowledge needed to detect, respond to, and manage cyber threats.
Cybersecurity measures: Implementing both technical and organizational strategies to prevent attacks and minimize disruptions.
Incident response: Preparing a plan to respond to and recover from cyber incidents to limit business impact.
How should entities comply?
Under the NIS2 Directive, top management can be held personally liable for inadequate cybersecurity governance. This includes the responsibility to ensure cybersecurity training, allocate sufficient resources, and maintain an up-to-date risk management plan.
Compliance requires not only organizational changes but also technical, operational, and human resource measures. The law calls for entities to take steps to:
Implement cybersecurity measures proportional to their risk exposure
Regularly train employees and management in cybersecurity practices
Develop a robust incident response plan to manage any potential breaches or attacks
For more detailed information, visit the Cybersecurity Center of Belgium's official website.
Board and management accountability
The law also holds management accountable for decisions concerning cybersecurity risk management. It is their responsibility to ensure the necessary training and systems are in place for their teams to effectively manage cybersecurity.
How can Cresco Cybersecurity help?
At Cresco Cybersecurity, we specialize in helping businesses implement comprehensive cybersecurity solutions aligned with NIS2 requirements. Our services are designed to help you:
Ensure timely registration with the Cybersecurity Center of Belgium (CCB)
Develop and implement cybersecurity measures that are proportionate to your risk exposure
Train your employees and management to effectively identify and mitigate cybersecurity risks
Create an incident response plan to ensure quick recovery from potential cyber incidents
VLAIO cybersecurity support
For SMEs and other eligible businesses, VLAIO offers a subsidy program to assist with the costs of cybersecurity improvements. Through this initiative, VLAIO covers up to 50% of the costs for SMEs and social enterprises seeking external cybersecurity guidance, and up to 35% for larger entities that fall under NIS2.
If your company qualifies, Cresco Cybersecurity can help you leverage this funding to implement robust cybersecurity measures and ensure that your business stays protected and compliant.
Not yet compliant? Let’s fix that.
Book a free 30-minute consultation with our team to assess your current status and build your compliance roadmap. Don’t wait for audits or fines; be proactive and protected.