IT Partner? See how to deliver NIS2 audit-readiness

View partner offer →

Missed the Belgian NIS2 Deadline? What Changes on April 18, 2026

April 18, 2026 was the Belgian conformity self-assessment deadline under NIS2. If your organization is in scope and didn't submit, here is what actually changes — and the three concrete remediation paths the CCB CyberFundamentals framework leaves open.

What April 18, 2026 Actually Required

The Belgian NIS2 transposition law of April 26, 2024 sets two deadlines that matter for the CyberFundamentals framework run by the Centre for Cybersecurity Belgium (CCB):

  • 1
    April 18, 2026 — Conformity self-assessment. Important entities owe a CyFun self-assessment at minimum BASIC tier (34 controls). Filed through the CCB Safeonweb @work portal.
  • 2
    April 18, 2027 — Full certification. Essential entities owe a Conformity Assessment Body (CAB) audit at IMPORTANT (132 controls) or ESSENTIAL tier (217 controls). The CAB must be accredited by BELAC, the Belgian accreditation body.

If you are not sure whether your organization is classified as important or essential, start with who must comply with NIS2.

What Actually Changes If You Didn't Submit

A passed deadline shifts your position from "on track" to "in remediation". Three specific things change:

1. The burden of explanation moves to you

Before the deadline, "we are working on it" was sufficient. After the deadline, when a regulator, insurer, or enterprise client asks, you owe a documented late-submission plan with target dates and evidence of progress.

2. Supply-chain pressure compounds

NIS2 Article 21(2)(d) requires in-scope organizations to manage supplier risk. Enterprise clients that are in scope start asking for proof at contract renewal — typically a CyFun self-assessment summary, an ISO 27001 certificate, or an equivalent statement of applicability.

3. The 2027 certification window narrows

A CAB audit cycle for IMPORTANT or ESSENTIAL tier typically requires 3–6 months of evidence collection plus the audit itself. Starting now still leaves runway. Starting in Q4 2026 with no documented baseline does not.

Three Remediation Paths

Pick the path that matches your NIS2 classification and the audit posture your enterprise clients actually ask for. All three are accepted by the CCB.

A

Late CyFun BASIC self-assessment

Best for: important entities below the essential-entity size threshold

The fastest path back on track. 34 controls grouped under five NIST CSF functions (Identify, Protect, Detect, Respond, Recover). No external auditor required — the assessment is filed by the organization itself through the CCB Safeonweb @work portal.

What you owe: evidence per control (policy reference, screenshot, log sample, training record), a documented gap list, and target remediation dates. Time to submission: 4–8 weeks for an organization with reasonable existing security hygiene.

B

CAB audit at IMPORTANT or ESSENTIAL tier

Required for: essential entities · Optional for: important entities seeking a defensible certificate

The April 18, 2027 endpoint for essential entities. Audit performed by a Conformity Assessment Body accredited by BELAC. IMPORTANT tier covers 132 controls; ESSENTIAL tier covers 217 controls and is mandated only for the most critical sectors.

What you owe: a complete CyberFundamentals workbook with evidence per control, a tested incident response plan, supplier risk register, and a maintained change log. Time to certificate: 3–6 months from a baseline self-assessment to a CAB audit, plus the audit cycle itself (typically 4–8 weeks).

C

ISO 27001 with a NIS2 Statement of Applicability

Best for: organizations with existing or in-progress ISO 27001 certification

The CCB recognizes ISO/IEC 27001 with a NIS2-mapped Statement of Applicability (SoA) as an equivalence path. The SoA must explicitly map ISO 27001 Annex A controls to CyberFundamentals controls so that any gap is visible.

What you owe: a current ISO 27001 certificate, an SoA that names every CyberFundamentals control by ID, and evidence that the NIS2-specific requirements (24-hour incident notification, supply-chain due diligence, board-level cybersecurity oversight) are operationalized — these are not 1:1 with ISO 27001 Annex A.

How to Submit a Late CyFun BASIC Self-Assessment

The mechanical steps the CCB Safeonweb @work portal expects, in order:

  1. 1

    Register your organization on Safeonweb @work

    Use itsme or eID to authenticate as a legal representative. The CCB cross-references the registration against Crossroads Bank for Enterprises (KBO/BCE) data.

  2. 2

    Confirm your NIS2 classification

    Important or essential. The portal walks through the size and sector test that maps to NIS2 Annex I and II.

  3. 3

    Download the CyberFundamentals workbook

    Excel file maintained by the CCB. Each control has an evidence column the CCB expects to be filled with a reference (document name, screenshot, log path).

  4. 4

    Score each control honestly

    The CyFun maturity scoring uses a 1–5 rubric per control. Auditors and the CCB lose patience with self-assessments that score every control as 5. A baseline of 2–3 with a documented improvement plan reads as more credible than a wall of green.

  5. 5

    Upload the workbook and attach a remediation roadmap

    For a late submission, the roadmap is the document that turns "missed the date" into "actively remediating". Target dates per control, owner per control, and evidence references for what is already in place.

What the CCB Has Actually Said About Enforcement

The Centre for Cybersecurity Belgium publishes its enforcement posture through formal guidance, annual reports, and the Safeonweb @work portal — not through enforcement leaks. Two signals are visible from public CCB material:

  • Incident notifications are rising fast. The CCB recorded 635 mandatory incident notifications across NIS2-relevant categories in 2025 — a roughly 70% year-over-year increase per the CCB 2025 annual activity report. That signals attention bandwidth at the regulator, not a quiet inbox.
  • Remediation-first posture. Published CCB guidance on the BELAC accreditation process and the CyberFundamentals framework consistently frames enforcement as a structured escalation: notice → remediation order → administrative fine. That is the same pattern the Belgian Data Protection Authority (DPA / Gegevensbeschermingsautoriteit) uses for GDPR.

Both signals point in the same direction: the cost of a documented late submission is lower than the cost of a documented refusal. The point is to be on the record as remediating before someone asks.

How Easy Cyber Protection Shortens the Catch-Up Loop

We built a compliance engine around the CCB CyberFundamentals workbook because that file is the artifact every late submitter, CAB auditor, and ISO 27001 SoA reviewer ultimately reads. The April 2026 release shipped CCB Excel export and auditor reimport, so the workbook a late submitter prepares in ECP can be handed straight to a CAB without rework.

  • Every BASIC, IMPORTANT, and ESSENTIAL control mapped, with the CCB evidence column wired to a real document store.
  • CCB-compatible Excel export — same workbook the Safeonweb @work portal expects.
  • Auditor reimport: the CAB sends back a marked-up workbook, ECP merges the findings into the live state without manual reconciliation.
  • Multi-tier progression: start at BASIC for the late self-assessment, promote to IMPORTANT or ESSENTIAL when the 2027 audit window opens.

Frequently Asked Questions

What does the April 18, 2026 NIS2 deadline actually require in Belgium?

Important entities under the Belgian NIS2 law of April 26, 2024 owed a conformity self-assessment against the Centre for Cybersecurity Belgium (CCB) CyberFundamentals framework — at minimum the BASIC tier — by April 18, 2026. Essential entities are on the same registration timeline but face a separate April 18, 2027 deadline for a full Conformity Assessment Body (CAB) audit at IMPORTANT or ESSENTIAL tier. The self-assessment is filed via the CCB Safeonweb @work platform.

I missed the deadline. Will I be fined immediately?

No. The CCB has not published a fine schedule tied to a missed self-assessment date, and Belgian regulators historically prefer remediation orders over immediate sanctions for first-time non-compliance. The risk is cumulative: missing the self-assessment, then missing the April 18, 2027 certification deadline, then missing a remediation order is what creates real exposure (up to €10M or 2% of turnover for essential entities, €7M or 1.4% for important entities under NIS2 Article 34).

Can I still submit a CyFun self-assessment after the deadline?

Yes. The CCB Safeonweb @work portal accepts late self-assessments. Document the date you started catch-up work, the evidence you collected, and a remediation roadmap with target dates. Late submission with a credible plan is a stronger position than no submission.

What is the difference between the three remediation paths?

CyFun BASIC self-assessment (34 controls) is the minimum viable path for important entities — internal review, no external auditor required. A CAB audit at IMPORTANT (132 controls) or ESSENTIAL (217 controls) tier is mandatory for essential entities by April 18, 2027 and recommended voluntarily for any entity that wants a defensible certificate. ISO 27001 with a NIS2 Statement of Applicability mapped to CyberFundamentals is recognized by the CCB as an equivalence path for organizations that already hold or are pursuing ISO 27001.

Will my supply chain partners ask for proof?

Yes — increasingly. Article 21(2)(d) of NIS2 makes supply chain security a required control area, which means in-scope organizations must vet their suppliers. Even if you are not directly in scope, an enterprise client that is in scope will typically ask for a CyFun self-assessment summary or ISO 27001 certificate before renewing a contract.

How does a managed compliance platform help with a late submission?

A platform that maps every CyFun control to evidence collection and produces a CCB-compatible Excel export shortens the catch-up loop from "draft from blank" to "fill the gaps the platform already identified". The April 2026 ECP release shipped CCB Excel export and auditor reimport, so the same workbook a late submitter prepares can be handed straight to a CAB without rework.

Related Articles

Sources

  1. Directive (EU) 2022/2555 (NIS2) — Articles 21, 23, 34
  2. Belgian NIS2 Law of 26 April 2024
  3. CCB CyberFundamentals Framework + Workbook
  4. Centre for Cybersecurity Belgium (CCB)
  5. BELAC — Belgian Accreditation Body
  6. D3 Security industry survey (April 2026) — Belgian NIS2 readiness statistics. Cited for the 84% / 25% figures.
TARS AI