EU NIS2 in Belgium

Belgium picture

EU NIS2 has been transposed in Belgium into national law by the NIS2 Law (la loi NIS2), the Belgian NIS2 implementation law. It will to come into force in late 2024 and transposes EU minimum requirements for cybersecurity of the EU NIS2 directive into Belgian law.

  1. Status of NIS2
  2. NIS2 Requirements
  3. Further information

On April 26, the Belgian parliament adopted the Belgian implementation law of EU NIS2. It was published in the Belgian Official Journal on May 17, 2024 and will come into force on October 18, 2024.

EU NIS2 Webinar

EU NIS2 Implementation in EU Member States

Discussion on NIS2 implementations: CZ, FI, FR, DE, HU, PL
Webinar ∙ Register on LinkedIn ∙ English ∙ August 29, 2024

Implementation in Belgium

Current status

The national implementation in Belgium is carried out by the NIS2 Law. The law replaces the existing NIS1 Law of April 7, 2019.

The Centre for Cybersecurity Belgium (CCB) and the Prime Minister's Cabinet coordinated the development of the NIS2 law. The CCB will become the competent national cybersecurity authority in Belgium.

Following a consultation in December 2023, the Belgian parliament adopted the NIS2 law in April 2024. It was published on May 17 in the Belgian Official Journal and will come into force on October 18, 2024.

The NIS2 law closely aligns with the EU NIS2 directive and features only minor national differences.

up

NIS2 Requirements

National differences

The Belgian draft law is characterized by the following aspects:

Entities and sectors

Belgian NIS2 law is closely aligned with the requirements of the EU NIS 2 Directive in the definition for affectedness and the sector definitions. There are two types of entities:

  1. Essential entities (entités essentielles) based on company size in NIS sectors of Annex 1
    • Companies with ≥ 250 FTE and
    • Companies with ≥ 50m EUR yearly revenue or balance ≥ 43m EUR
    • Size-independent: qTSP, TLD, DNS, telco, public administration, critical entities
    • Critical entities affected by the (upcoming) Belgian CER law
    • Operators of critical infrastructure (Security and the Protection of Critical Infrastructures)
    • Companies classified by the CCB as essential entities on the basis of Article 11
  2. Important entities in NIS sectors of Annex 1 and 2
    • Medium-sized companies that don't meet the requirements for essential entities
    • Companies classified by the CCB as important entities on the basis of Article 11

Belgium implements all sectors of the EU NIS2 directive and does not add any others.

Obligations

Companies are granted a five month period after entry into force to register with the CCB. Art. 13 Some entities must provide data within two months: DNS, TLD, and domain name registration service providers, as well as Cloud Computing providers, data centre service providers, CDNs, managed service providers, managed security service providers, providers of onlice marketplaces, online search engines, social networking services platforms. Art. 14

Risk management measures cover EU NIS2 measures and add another requirement that obliges companies to draw up a directive on the coordinated disclosure of vulnerabilities. Art. 30

Companies have a number of options to choose from for how they can provide evidence. Important entities can conduct a self-assessment Art. 41, essential entities must choose between audits carried out by the CCB and audits by conformity assessment bodies Art. 39.

The reporting obligations include three deadlines by which entities must report to the national CSIRT, namely 24 hrs, 72 hrs and 1 month. Art. 35

up

Further Information

Additional legislation

  1. News and Publications on NIS2, Website of the Centre for Cybersecurity Belgium, n.d.

Sources

  1. Belgian NIS2 Law of April 26, 2024, Website of the Belgian Federal Public Service of Justice, May 17, 2024
  2. Adoption of the NIS2 Law by the Parliament, Website of the Centre for Cybersecurity Belgium, May 21, 2024