1. Am I affected by NIS2?

A. In scope: NIS2 entities

Use our scope test tool to determine whether or not your organisation falls within the scope of the Belgian NIS2 Law.

B. In the supply chain of a NIS2 entity

Since NIS2 entities have to manage the cybersecurity of their supply chain, they may require your organisation to take cybersecurity measures. The Centre for Cybersecurity Belgium recommends identifying those who are vital to your cybersecurity and inviting them to implement at least the CyberFundamentals assurance level Basic.

2. Register your NIS2 entity ASAP

All NIS2 entities are required to register on Safeonweb@Work:

  • Entities in the digital sectors of the law must register before 18th December 2024.
  • All other NIS2 entities must register before 18th March 2025 at the latest.

The current registration portal will soon be updated to include registration forms specific to NIS2.

3. Report significant incidents

Starting from 18th October 2024, all NIS2 entities are required to notify the CCB of significant incidents, i.e. any incident that has a significant impact on the provision of their services and that:

  • has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned
  • has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Notification timeline

Significant incidents can be notified to the CCB via its incident notification platform (coming soon) or by phone via +32 (0)2 501 05 60 (only for emergencies for NIS Entities).

Incident notification is just one element of an incident response plan. If your organisation does not yet have an incident response plan, it might be useful to start from our policy templates. 

4. Determine your CyberFundamentals (CyFun®) level

Our CyFun® Selection Tool allows you to determine the appropriate assurance level (basic, important or essential) for your organisation.

5. Plan cybersecurity training

Boards and management need to be trained on cybersecurity to assume their responsibilities and liabilities as required by the NIS2 legislation. To make management decisions on cybersecurity strategies and measures at board level, basic knowledge of risk management and cybersecurity is indispensable. It would be reasonable to plan management training before April 2025.

In addition to management training, employee training is always part of your cybersecurity measures.

6. Implement the security measures

NIS2 entities can use the CyFun® framework in 3 steps to comply with NIS2:

  1. Perform a gap analysis using the CyFun® Self-Assessment Tool
  2. Implement the required measures. Your implementation plan shall gradually implement cybersecurity measures taking into account the review deadlines as indicated in step 7
  3. Update your self-assessment and gather required evidence to confirm implementation

7. Have your security reviewed

Essential entities shall have their implementation regularly assessed and reviewed by a third party. This can be done through a CyFun® certification granted by an accredited and authorised conformity assessment body (CAB). Essential entities have to obtain the assurance level basic or important before 18/04/2026; the final level needs to be certified before 18/04/2027.

Important entities may subject themselves to the same regular conformity assessment under CyFun®, which gives them a presumption of conformity. 

Please be aware that having the appropriate CyFun® label or certificate might be very important for the Boards and management to be able to demonstrate compliance in case of an incident.

List of authorised and accredited conformity assessment bodies: (coming soon).

Disclaimer

This page is a recommendation from the CCB and is not meant to be exhaustive. For further information, see the NIS2 page, the law and the royal decree.