The NIS2 Directive Explained: EU Cybersecurity Law
The NIS2 Directive is the EU's updated cybersecurity law. It replaced the original NIS Directive in January 2023 and now covers 18 critical sectors across 160,000+ organizations. If you run a business in Belgium, this law shapes your cybersecurity obligations. Here is what it says, in plain language.
What Is the NIS2 Directive?
NIS2 stands for the Network and Information Security Directive 2. Its official name is Directive (EU) 2022/2555. The European Parliament and Council adopted it on December 14, 2022. It entered into force on January 16, 2023.
- It replaces the original NIS Directive from 2016
- It sets minimum cybersecurity requirements for organizations in critical sectors
- It applies to both "essential" and "important" entities
- Each EU member state must transpose it into national law
Want to know if NIS2 applies to your organization? Check who must comply.
NIS1 vs NIS2: What Changed?
The original NIS Directive (2016) was the EU's first cybersecurity law. NIS2 is a major upgrade. Here are the key differences:
| Aspect | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Sectors covered | 11 sectors | 18 sectors |
| Scope | Operators of essential services only | Essential + important entities (size-based criteria) |
| Penalties | Left to member states | Up to EUR 10M or 2% of global turnover |
| Management liability | None | Personal liability for board members |
| Incident reporting | No fixed timeline | 24h early warning, 72h full notification |
| Supply chain security | Not addressed | Mandatory supply chain risk assessment |
| Supervision | Reactive (post-incident) | Proactive (audits, inspections) |
| Harmonization | Fragmented across member states | Stronger minimum standards |
Key Articles of the NIS2 Directive
The directive has 46 articles. Three are especially important for businesses:
Cybersecurity Risk Management Measures
Article 21 lists 10 categories of security measures that every in-scope organization must implement. These include risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability management, cyber hygiene practices, cryptography, human resources security, and access control.
Incident Reporting Obligations
Article 23 requires organizations to report significant incidents to their national authority. The timeline: an early warning within 24 hours, a full incident notification within 72 hours, and a final report within one month. Failure to report triggers separate penalties.
Supervision and Enforcement
Articles 32 and 33 give national authorities the power to conduct audits, inspections, and on-site checks. They can issue binding instructions and impose administrative fines. Essential entities face stricter supervision than important entities.
See the full list of NIS2 requirements.
Legal Status: Directive vs Regulation
NIS2 is a directive, not a regulation. This distinction matters:
A directive sets goals
Each member state must achieve the result but can choose how to implement it in national law.
A regulation applies directly
Unlike GDPR (which is a regulation), NIS2 needs national transposition before it binds organizations.
Transposition deadline: October 17, 2024
All EU member states were required to adopt national laws by this date. Some missed the deadline.
National variations exist
Each country's implementation may differ slightly. Belgium's version has its own specific requirements.
Belgian Transposition: The NIS2 Law
Belgium was one of the first EU countries to transpose the NIS2 Directive into national law. The Belgian NIS2 law was adopted on April 26, 2024 — months ahead of the October deadline.
- The Centre for Cybersecurity Belgium (CCB) is the national authority
- Belgium uses the CyberFundamentals framework to implement NIS2 requirements
- Organizations must register with the CCB
- The self-assessment deadline for essential entities is April 18, 2026
Learn more about the Belgian approach: NIS2 in Belgium. Also check the NIS2 deadlines.
The 10 Security Measure Categories
Article 21 of the NIS2 Directive requires organizations to implement measures in these 10 categories:
Risk analysis and information security policies
Formal policies based on a risk assessment of your organization.
Incident handling
Procedures for detecting, managing, and recovering from security incidents.
Business continuity and crisis management
Backup management, disaster recovery, and crisis response plans.
Supply chain security
Security requirements for your suppliers and service providers.
Security in network and information systems
Acquisition, development, and maintenance of secure systems.
Vulnerability handling and disclosure
Policies for assessing and managing vulnerabilities.
Effectiveness of cybersecurity risk management measures
Policies and procedures to evaluate whether your security measures actually work.
Cyber hygiene and training
Basic security practices and regular cybersecurity awareness training.
Cryptography and encryption
Policies on the use of cryptography and, where appropriate, encryption.
Human resources and access control
Security vetting, access management, and asset management policies.
Board Accountability: A New Reality
One of the most significant changes in NIS2 is that management bodies are personally accountable for cybersecurity. Board members must:
- Approve the organization's cybersecurity risk management measures
- Oversee the implementation of those measures
- Follow cybersecurity training themselves
- Be prepared to face personal consequences for non-compliance
Learn more about NIS2 penalties and personal liability.
How Easy Cyber Protection Helps You Comply
Our platform maps directly to the NIS2 Directive's requirements through Belgium's CyberFundamentals framework.
Frequently Asked Questions
Is the NIS2 Directive a law?
NIS2 is an EU directive, which means it sets binding goals for member states. Each country must transpose it into national law. In Belgium, this was done through the Law of April 26, 2024. So yes, NIS2 obligations are legally binding for in-scope organizations.
What is the difference between a directive and a regulation?
A directive (like NIS2) requires each member state to create its own national law to achieve the directive's goals. A regulation (like GDPR) applies directly in all member states without national transposition. This means NIS2 implementation can vary slightly between countries.
When did the NIS2 Directive enter into force?
The NIS2 Directive was adopted on December 14, 2022, and entered into force on January 16, 2023. Member states had until October 17, 2024 to transpose it into national law. Belgium completed transposition on April 26, 2024.
Does NIS2 apply to my organization?
NIS2 applies to medium and large organizations in 18 critical sectors, including energy, transport, health, digital infrastructure, ICT services, and more. Some smaller organizations may also be in scope if they provide critical services. Check our detailed guide on who must comply.
What happens if my country has not transposed NIS2 yet?
Several member states missed the October 2024 deadline. However, the directive's requirements still serve as the benchmark. Organizations should prepare now, as national laws will follow. In Belgium, the law is already in force, so Belgian organizations are already bound.
Sources
- NIS2 Directive (EU) 2022/2555 — Full text of the directive
- Centre for Cybersecurity Belgium (CCB) — Belgian national authority for NIS2
- ENISA NIS2 Guidelines — EU Agency for Cybersecurity
- Belgian NIS2 Law of April 26, 2024 — National transposition