IT Partner? See how to deliver NIS2 audit-readiness

View partner offer →

NIS2 in Belgium: Law, Deadlines & CyberFundamentals

Belgium was one of the first EU countries to transpose NIS2 into national law. The Belgian law of April 26, 2024 gives the Centre for Cybersecurity Belgium (CCB) full authority over NIS2 compliance. Belgium chose a unique path: the CyberFundamentals framework. Here is everything you need to know.

NIS2 compliance in Belgium with CyberFundamentals framework

The Belgian NIS2 Law (April 26, 2024)

Belgium transposed the EU NIS2 directive into national law on April 26, 2024. This makes Belgium one of the fastest EU member states to act. The law establishes the Centre for Cybersecurity Belgium (CCB) as the single national authority for NIS2 compliance.

Early adopter

Belgium published its NIS2 law before the EU deadline of October 17, 2024. Most member states missed that deadline.

Single authority

The CCB handles registration, compliance monitoring, incident reporting and enforcement. One point of contact for everything.

Broader scope

Belgium added sectors beyond the EU minimum. More organizations fall under the Belgian law than the directive requires.

Management liability

Senior management is personally responsible for cybersecurity. They can face fines or suspension for non-compliance.

Role of the CCB (Centre for Cybersecurity Belgium)

The CCB is Belgium's national cybersecurity authority. Under NIS2, it takes on several critical roles:

Registration portal

All in-scope entities must register via Safeonweb@Work. The CCB maintains the official register of essential and important entities.

Framework provider

The CCB developed CyberFundamentals, a tiered compliance framework tailored to Belgian organizations.

Incident response

Significant incidents must be reported to the CCB within 24 hours. The CCB coordinates response and shares threat intelligence.

Enforcement

The CCB can impose fines, order corrective measures, and in severe cases suspend management of non-compliant organizations.

CyberFundamentals: Belgium's Unique Framework

CyberFundamentals (CyFun) is what makes Belgium different. Instead of relying solely on ISO 27001, the CCB created a practical, tiered framework. It maps to international standards (NIST CSF, ISO 27001, CIS Controls) but is simpler to adopt. Read our full CyberFundamentals guide .

The 4 CyFun Tiers

TierControlsCostFor whom
Small 7 controls Free Micro-enterprises and starting point for all
Basic 25 controls Paid Important entities, SMEs with basic risk
Important 117 controls Paid Important entities in critical sectors
Essential 140 controls Paid Essential entities, critical infrastructure

Belgian Registration: The Numbers

Belgium's registration process is well underway. Here are the latest figures:

2,410 critical-sector entities

Nearly all estimated in-scope organizations from critical sectors have registered with the CCB.

4,000+ total registrations

Across all sectors, over 4,000 entities have registered. This includes both essential and important entities.

75% chose CyFun

Three out of four registered entities selected CyberFundamentals as their compliance framework. The rest chose ISO 27001.

Registration is mandatory

If you fall under NIS2 scope and have not registered yet, do so immediately at Safeonweb@Work.

Belgian NIS2 Deadlines

Belgium has set clear milestones. Missing them puts your organization at risk of enforcement action. See all NIS2 deadlines in detail .

April 26, 2024

Belgian NIS2 law adopted (Loi NIS2)

April 18, 2026

Self-assessment submission deadline (CyFun or ISO 27001)

July 17, 2026

Critical infrastructure operators auto-classified as critical entities

April 2027

Full Essential certification required for essential entities

How Belgium Differs from Other EU Countries

Belgium stands out in the EU NIS2 landscape. Here is how:

CyFun is unique

No other EU country has a tiered, practical framework like CyberFundamentals. Most rely on ISO 27001 alone, which is expensive and complex for SMEs.

Ahead of schedule

Belgium transposed NIS2 months before the EU deadline. Many member states still have not finished their transposition in 2026.

Free starting point

CyFun Small is free and has only 7 controls. This lowers the barrier for small organizations. Other countries offer no such entry point.

Single authority model

Belgium uses one authority (CCB) for everything. Some countries split responsibilities across multiple agencies, creating confusion.

Broader sector coverage

Belgium extended NIS2 scope beyond the EU minimum. More sectors and smaller entities are included.

Belgian Enforcement: CAB Audits

Enforcement is becoming real. The CCB has been working with Conformity Assessment Bodies (CABs) to prepare for audits.

CAB accreditation concluding April 2026

The accreditation process for audit bodies is wrapping up. Certified auditors will be ready to conduct formal assessments.

Audits already started

Early adopters have already undergone CyFun audits. The audit process follows a structured approach based on the chosen CyFun tier.

Self-assessment first

Before a formal audit, entities must submit a self-assessment. This is your first proof of compliance effort.

Proportional enforcement

The CCB considers your organization size, sector, and demonstrated effort. Good-faith progress matters.

How Easy Cyber Protection Helps

We help Belgian organizations get audit-ready for CyberFundamentals:

CyFun-native — Built specifically for the CyberFundamentals framework. Not a generic tool adapted for Belgium.
Start free with Small — Begin with CyFun Small level at no cost. 7 controls, clear guidance.
Evidence collection — Build your audit trail as you implement each control. Ready when the auditor arrives.
Progress tracking — See exactly where you stand against your chosen CyFun tier.
MSP collaboration — Share tasks with your IT partner or managed service provider.

Frequently Asked Questions

Is NIS2 already law in Belgium?

Yes. Belgium transposed NIS2 into national law on April 26, 2024. The law gives the Centre for Cybersecurity Belgium (CCB) authority over registration, compliance and enforcement. Belgium was one of the first EU countries to complete transposition.

What is CyberFundamentals and why does Belgium use it?

CyberFundamentals (CyFun) is a tiered cybersecurity framework developed by the CCB. It has 4 levels: Small (7 controls, free), Basic (25 controls), Important (117 controls), and Essential (140 controls). Belgium created it as a practical alternative to ISO 27001. 75% of registered entities chose CyFun.

When is the NIS2 self-assessment deadline in Belgium?

Essential entities must submit their self-assessment by April 18, 2026. This can be a CyFun self-assessment or ISO 27001 documentation. Full Essential certification is due by April 2027. Critical infrastructure operators will be auto-classified by July 17, 2026.

How many Belgian companies must comply with NIS2?

2,410 critical-sector entities have registered with the CCB, and over 4,000 across all sectors. Belgium extended the scope beyond the EU minimum, so more organizations are included than in most other member states.

How do I get audit-ready for CyberFundamentals in Belgium?

Start by registering at Safeonweb@Work if you have not already. Choose your CyFun tier based on your entity classification. Begin with CyFun Small (free, 7 controls) and work upward. Document your controls and gather evidence. Easy Cyber Protection helps you track progress and build your audit trail.

Related Articles

Sources

  1. Belgian NIS2 Law (April 26, 2024) — Belgisch Staatsblad / Moniteur belge
  2. Centre for Cybersecurity Belgium (CCB) — National cybersecurity authority
  3. CyberFundamentals Framework — CCB
  4. NIS2 Directive (EU) 2022/2555 — Official Journal of the European Union
  5. Safeonweb@Work — Registration portal