The regulatory landscape in Belgium and the EU can be hard to navigate. This page covers the main cybersecurity legislations that may impact your organisation and the frameworks, standards, certifications and tools that may help you achieve compliance.

Legislations impacting the whole organisation

Network and Information Security Directive 2 (NIS2)

Scope: Organisations active in sectors of high criticality and other critical sectors

Description:  Enhancing the cybersecurity of entities critical to our economy and society

Status:  Entry into force in Belgium on 18th October 2024

To our NIS2 quickstart guide

Digital Operational Resilience Act (DORA)

Scope: Organisations active in the financial sector and their third-party ICT service providers

Description: Uniform requirements concerning the security of network and information systems supporting the business processes of financial entities

Status: Applicable in the EU on 17th January 2025

To the EU Commission page on DORA

Cyber Solidarity Act (CSolA)

Scope: EU Member States

Description: Deployment of a pan-European infrastructure of Security Operations Centres, creation of a Cybersecurity Emergency Mechanism, and establishment of a European Cybersecurity Incident Review Mechanism

Status: Awaiting formal approval by European Parliament and Council

To the EU Commission page on the CSolA

Legislations impacting products and services

Cybersecurity Act (CSA)

Scope: ICT products, services and processes

Description: Mandatory and voluntary European cybersecurity certifications

Status: EU Regulation entered into force on 27th June 2019, Belgian law entered into force on 5th August 2022

To the EU Commission page on the CSA

Cyber Resilience Act (CRA)

Scope: Products with digital elements made available on the EU market

Description: Minimum cybersecurity requirements for all products with digital elements put on the EU market

Status: Awaiting formal adoption by the European Council

To the EU Commission page on the CRA

Artificial Intelligence Act (AIA)

Scope: Anyone who makes, uses, imports, or distributes AI systems in the EU

Description: Rules for transparency, placing on the market, putting into service and use of AI systems; prohibition of certain AI practices; specific requirements for high-risk AI systems and their operators; etc.

Status: Awaiting formal adoption by the European Council

To the EU Commission page on the AI act

Radio Equipment Directive (RED)

Scope: Any radiocommunication transmitter or receiver (with certain exceptions)

Description: Regulatory framework for placing radio equipment on the market

Status: Entered into force in Belgium on 13th June 2016

To the BIPT page on the RED

European Digital Identity Regulation (eIDAS2)

Scope: Electronic identification schemes, European Digital Identity Wallets, trust service providers

Description: Update of the 2014 eIDAS Regulation to enable the creation of a European digital identity wallet

Status: Entered into force on 20th May 2024

To the FOD Economy page on the eIDAS

Frameworks, standards and certifications

CyberFundamentals (CyFun®) Framework

A set of concrete measures to protect data, significantly reduce the risk of the most common cyber-attacks and increase an organisation's cyber resilience

To the CyFun® page

European Union Common Criteria (EUCC)

Voluntary EU certification scheme for ICT products

To the ENISA page on EUCC