The deadline of 18 April 2026 represents a critical milestone for essential entities operating under the NIS2 framework in Belgium. By this date, organisations must be in a position to demonstrate that they are effectively implementing cybersecurity risk-management measures and following a recognised compliance pathway.
Following the formal request issued by the CCB's inspection service, all essential entities are required to submit specific information and supporting evidence to enable ex-ante supervision and verification of their cybersecurity posture (full details of the procedure are provided in the letter).
What is expected by 18 April 2026?
Depending on the compliance approach selected, essential entities are required to meet the following conditions:
- CyberFundamentals (CyFun®): Obtain, or be actively in the process of obtaining, at least a Basic or Important verification, or hold a signed agreement with an accredited assessment body.
- ISO/IEC 27001: Submit the certification scope, Statement of Applicability (SoA) and the most recent internal audit report, with full certification to be completed by April 2027.
- Direct inspection: Provide a self-assessment and relevant supporting documentation, and formally request an inspection (noting that this pathway may lead directly to supervisory measures).
These requirements derive from the Belgian NIS2 law, which entered into force on 18 October 2024 and is designed to strengthen cybersecurity across essential services through risk management, incident reporting and supervision.
A regulatory checkpoint, not just a formality
The 18 April 2026 deadline constitutes a binding regulatory obligation, not a procedural formality. Failure to submit complete or timely information may result in administrative measures or financial penalties, as well as further supervisory action.
Stay informed
For detailed guidance on obligations, procedures and practical considerations, we invite you to consult our FAQ: https://atwork.safeonweb.be/frequently-asked-questions-faq-nis2-and-cyberfundamentals
Ensuring timely and complete compliance is essential to strengthening your organisation's cybersecurity resilience and fulfilling your regulatory obligations.
The official communication issued by the CCB inspection service also provides comprehensive details on the information requested and the applicable submission process.