The Network and Information Security Directive (NIS2), as transposed into Belgian law on 26 April 2024, splits regulated sectors into two annexes. Annex I (Essential): energy; transport (air, rail, road, water); banking; financial market infrastructure; health; drinking water; waste water; digital infrastructure (Domain Name System providers, datacenters, clouds, content delivery networks, trust services); ICT service management (Managed Service Providers and Managed Security Service Providers); public administration; space. Annex II (Important): postal and courier; waste management; chemicals; food; manufacturing; digital providers; research organisations.
Three categories are routinely misread. The Centre for Cybersecurity Belgium (CCB) frames them tightly:
"Digital providers" (Annex II) means online marketplaces (multi-vendor sales platforms like the Bol.com style), online search engines, and social networking services. It does NOT include business-to-business Software-as-a-Service, vertical industry software, e-commerce stores you operate yourself, or websites you build for clients.
"Digital infrastructure" (Annex I) means Domain Name System providers, top-level domain registries, public cloud computing providers (selling on-demand scalable compute), datacenter operators, content delivery network providers, trust service providers, and electronic communications providers. It does NOT cover a company that simply hosts its own application in the cloud.
"ICT service management" (Annex I) means MSPs and MSSPs that manage other organisations' IT or security as a primary commercial activity. It does NOT cover software vendors who happen to support their own product, or in-house IT teams.
If none of these strict definitions match, select "None of the above" and let our report's supply-chain analysis catch the indirect obligations from your customers. The full reasoning is in the report we generate.