NIS2, Are you in scope?
Belgium's new cybersecurity law entered into force.
The regulatory landscape in Belgium and the EU can be hard to navigate. This page covers the main cybersecurity legislations that may impact your organisation and the frameworks, standards, certifications and tools that may help you achieve compliance.
Legislations impacting the whole organisation
Network and Information Security Directive 2 (NIS2)
Scope: Organisations active in sectors of high criticality and other critical sectors
Description: Enhancing the cybersecurity of entities critical to our economy and society
Status: Entered into force on 18th October 2024
Digital Operational Resilience Act (DORA)
Scope: Organisations active in the financial sector and their third-party ICT service providers
Description: Uniform requirements concerning the security of network and information systems supporting the business processes of financial entities
Status: Entered into force on 17th January 2025
Cyber Solidarity Act (CSolA)
Scope: EU Member States
Description: Deployment of a pan-European infrastructure of Security Operations Centres, creation of a Cybersecurity Emergency Mechanism, and establishment of a European Cybersecurity Incident Review Mechanism
Status: Entered into force on 4th February 2025
Legislations impacting products and services
Cybersecurity Act (CSA)
Scope: ICT products, services and processes
Description: Mandatory and voluntary European cybersecurity certifications
Status: EU Regulation entered into force on 27th June 2019, Belgian law entered into force on 5th August 2022
Cyber Resilience Act (CRA)
Scope: Products with digital elements made available on the EU market
Description: Minimum cybersecurity requirements for all products with digital elements put on the EU market
Status: Entered into force on 10th December 2024; however, manufacturers must comply with vulnerability reporting obligations from 11th September 2026
Artificial Intelligence Act (AIA)
Scope: Anyone who makes, uses, imports, or distributes AI systems in the EU
Description: Rules for transparency, placing on the market, putting into service and use of AI systems; prohibition of certain AI practices; specific requirements for high-risk AI systems and their operators; etc.
Status: Entry into force on August 1st, 2024, but its various provisions are being phased in over time. Some rules, like prohibitions on certain unacceptable-risk AI systems, became applicable on February 2nd, 2025. Other sections, including obligations for high-risk AI systems and the rules for general-purpose AI models, have later application dates, with full applicability for most parts expected by August 2nd, 2026.
Radio Equipment Directive (RED)
Scope: Any radiocommunication transmitter or receiver (with certain exceptions)
Description: Regulatory framework for placing radio equipment on the market
Status: Main entry into force date as June 13th, 2016. However, the crucial cybersecurity requirements, detailed in Article 3.3(d), (e), and (f), became applicable on August 1st, 2025
European Digital Identity Regulation (eIDAS2)
Scope: Electronic identification schemes, European Digital Identity Wallets, trust service providers
Description: Update of the 2014 eIDAS Regulation to enable the creation of a European digital identity wallet
Status: Entered into force on 20th May 2024
Frameworks, standards and certifications
CyberFundamentals (CyFun®) Framework
A set of concrete measures to protect data, significantly reduce the risk of the most common cyber-attacks and increase an organisation's cyber resilience
European Union Common Criteria (EUCC)
Voluntary EU certification scheme for ICT products