NIS2 Deadlines Belgium: April 18, 2026 Self-Assessment Due
Belgium's NIS2 compliance is moving fast. Essential entities must submit their CyFun Basic/Important self-assessment or ISO 27001 documentation by April 18, 2026 — just 10 weeks away. With ~2,000 entities already registered and audits underway, here's your complete timeline and action plan.
NIS2 Timeline: Where We Are Now
Understanding the full NIS2 timeline helps put the current situation in perspective.
NIS2 directive officially adopted by the EU
NIS2 entered into force (20 days after publication)
Member states deadline to transpose into national law
EU proposed NIS2 amendments and Cybersecurity Act 2
Belgium: Self-assessment submission deadline (CyFun or ISO 27001)
Critical infrastructure operators automatically classified as critical entities
Full Essential certification deadline for essential entities
What Does This Mean for Your Business?
NIS2 is now legally binding in Belgium, with approximately 1,500 essential and 500 important entities registered with the CCB. Here's what this means in practice:
April 18, 2026: Self-assessment deadline
Essential entities must submit their CyFun Basic/Important self-assessment or ISO 27001 documentation to the CCB. This deadline is 10 weeks away.
Registration is progressing
Around 2,000 entities have registered with the CCB. If you haven't registered yet and fall under NIS2, do so immediately.
Incident reporting is mandatory
Significant cyber incidents must be reported within 24 hours. New ransomware-specific reporting requirements include attack vector and whether ransom was paid.
Audits are underway
Conformity Assessment Body (CAB) accreditation is concluding in April 2026. Audits have already started for early adopters.
Good News: It's Not Too Late
If you haven't started your NIS2 compliance journey yet, don't despair. Here's why starting now still makes sense:
Gradual enforcement
Regulators understand the scale of the challenge. Active audits are expected to increase throughout 2025, giving you time to make progress.
Good faith efforts matter
Organizations that can demonstrate they're actively working toward compliance are in a much better position than those doing nothing.
CyberFundamentals provides a path
The Belgian CCB's framework gives you a clear, structured approach to compliance - start with the Small level and build from there.
Better security anyway
NIS2 compliance isn't just about avoiding fines - it's about protecting your business from real cyber threats.
April 18, 2026: Self-Assessment Submission
Essential entities must submit their self-assessment by April 18, 2026 — that's just 10 weeks away. Here's what you need to do:
Confirm your registration
Ensure you're registered with the CCB at ccb.belgium.be. ~2,000 entities have already registered.
Complete your self-assessment
Implement CyberFundamentals Basic or Important level, or prepare your ISO 27001 documentation
Gather documentation
Prepare your CyFun self-assessment or ISO 27001 information security policy, scope, and statement of applicability
Submit by April 18, 2026
Submit your documentation to the CCB via the Safeonweb@Work portal before the deadline
NIS2 Penalties: What's at Risk?
Non-compliance can result in significant fines. The penalties are designed to be proportionate but meaningful:
| Entity Type | Maximum Fine | Additional Consequences |
|---|---|---|
| Essential entities | €10 million or 2% of global turnover | Personal liability for management |
| Important entities | €7 million or 1.4% of global turnover | Management can be suspended |
| Late incident reporting | Administrative fines | Public disclosure possible |
Your Action Plan: Start Today
Here's what to do right now, regardless of where you are in your compliance journey:
Assess your scope
Determine if your organization falls under NIS2 (essential or important sector, size thresholds)
Start with CyberFundamentals Small
Begin implementing the 7 controls in the CCB's baseline level - it's free and provides a solid foundation
Document everything
Keep records of what you're implementing and when. This shows good faith effort.
Set up incident reporting
Ensure you have a process to detect and report incidents within 24 hours
Plan for higher levels
Based on your sector, plan your path to Basic, Important, or Essential assurance levels
How Easy Cyber Protection Helps
We make NIS2 compliance manageable for organizations catching up:
Frequently Asked Questions
Is it too late to start NIS2 compliance?
No, it's not too late. While the deadline has passed, enforcement is ramping up gradually. Organizations that demonstrate active efforts toward compliance are in a much better position than those doing nothing. Start with CyberFundamentals Small level today.
What happens if I'm not compliant by the deadline?
Technically, organizations in scope should already be compliant. However, regulators understand the scale of the challenge. Focus on making demonstrable progress. Fines are typically reserved for organizations that show negligence or refuse to act.
When will audits and enforcement actually start?
Enforcement capacity is being built throughout 2025. While spot checks and incident-triggered investigations can happen anytime, widespread systematic audits are expected to increase gradually. This gives you a window to make progress.
Do I need to register with the CCB?
If your organization qualifies as an essential or important entity under NIS2, you may need to register with the Centre for Cybersecurity Belgium (CCB). Check ccb.belgium.be for current registration requirements and guidance.
What's the fastest way to get started with compliance?
Start with the CyberFundamentals Small level - it has only 7 controls and provides a solid baseline. You can begin implementing these today with Easy Cyber Protection's free tier. Then work your way up to higher levels based on your sector requirements.
Related Articles
Sources
- NIS2 Directive (EU) 2022/2555 — Official Journal of the European Union
- NIS2 Article 41: Transposition — October 17, 2024 deadline
- Centre for Cybersecurity Belgium (CCB) — CyberFundamentals Framework & Registration
- NIS2 Article 34: Administrative Fines — Penalty amounts for essential and important entities
- NIS2 Directive Overview — European Commission