NIS2 Belgium Compliance Guide: CCB Requirements and CyberFundamentals Framework for 2026

Complete guide to NIS2 compliance in Belgium. Covers the CCB enforcement framework, Law of 26 April 2024, CyberFundamentals (CyFun) compliance tracks, entity classification, sector requirements, penalties, and the 18 April 2026 deadline for essential entities.

Belgium made history as the first EU Member State to fully transpose the NIS2 Directive into national law, passing the Law of 26 April 2024 well ahead of the 17 October 2024 EU deadline. The Centre for Cybersecurity Belgium (CCB — Centre pour la Cybersécurité Belgique) now oversees one of the most structured NIS2 compliance frameworks in Europe, built around the CyberFundamentals (CyFun) assurance framework.

For Belgian organizations — and the cyber insurance professionals who underwrite them — this guide covers everything you need to know: the legal framework, entity classification, the CyFun compliance tracks, sector-specific obligations, penalties (including personal liability for management), and the critical 18 April 2026 deadline for essential entities to submit compliance proof.

The Law of 26 April 2024

Belgium transposed NIS2 through the “Wet van 26 april 2024 / Loi du 26 avril 2024” establishing a framework for the cybersecurity of networks and information systems of general interest for public security. The law entered into force on 18 October 2024, making it fully operational.

The implementing Royal Decree (published June 2024) completed the transposition by:

  • Designating the CCB as the national cybersecurity authority and national CSIRT
  • Identifying sectoral authorities that support the CCB in supervision
  • Setting out conformity assessment procedures and making regular assessments mandatory for essential entities
  • Recognizing CyberFundamentals (CyFun) and ISO/IEC 27001 as reference frameworks for demonstrating compliance

This dual-track approach — linking legal obligations to a concrete assurance framework rather than leaving compliance abstract — makes Belgium’s model one of the most structured NIS2 implementations in the EU.

Key Differences from NIS1

| Aspect | NIS1 (Previous) | NIS2 Belgium (Current) |
|---|---|---|
| Scope | ~300 Belgian entities | ~4,000+ Belgian entities (1,500 essential + 2,500 important) |
| Entity types | Operators of Essential Services + DSPs | Essential + Important entities |
| Sectors | 7 sectors | 18 sectors (expanded significantly) |
| Compliance framework | General, principle-based | CyberFundamentals (CyFun) with 4 levels |
| Incident reporting | 72 hours | 24h early warning + 72h incident + 30 days final |
| Penalties | Limited administrative fines | Up to €10M or 2% global turnover + personal liability |

Who Is in Scope: Entity Classification

Belgium applies the NIS2 threshold criteria: organizations must comply if they meet one or both of:

  • 50+ full-time employees
  • Annual turnover exceeding €10 million

Essential Entities (11 Sectors)

Essential entities face the strictest obligations, including ex-ante supervision (proactive inspection before incidents occur):

| Sector | Examples |
|---|---|
| Energy | Electricity, gas, hydrogen, district heating operators |
| Transport | Air, rail, water, road transport infrastructure |
| Banking | Credit institutions, payment systems |
| Financial infrastructure | Trading venues, central counterparties, central securities depositories |
| Health | Hospitals, laboratories, medical device manufacturers |
| Drinking water | Production and distribution |
| Wastewater | Collection and treatment |
| Digital infrastructure | DNS, TLD registries, cloud, data centers, CDNs |
| ICT service management (B2B) | Managed service providers, managed security providers |
| Public administration | Federal, regional, and local government entities |
| Space | Space-ground infrastructure operators |

Important Entities (7 Sectors)

| Sector | Examples |
|---|---|
| Postal and courier services | National postal operators, parcel delivery |
| Waste management | Collection, treatment, disposal |
| Chemicals | Production, distribution, and storage |
| Food | Production, processing, distribution |
| Manufacturing | Critical products (explosives, pharmaceuticals, medical devices) |
| Digital providers | Online marketplaces, search engines, social networks |
| Research | Public and private research organizations |

The CyberFundamentals (CyFun) Framework

Belgium’s CyberFundamentals framework — commonly known as CyFun — is the national cybersecurity assurance framework developed by the CCB. It’s based on internationally recognized standards (NIST CSF, ISO 27001, CIS Controls) and provides four progressive compliance levels:

CyFun Levels

| Level | Controls | Coverage | Target Entities |
|---|---|---|---|
| Small | Core basics | Micro-organizations | Sub-threshold entities (voluntary) |
| Basic | 34 controls | Stops 82% of CERT.be documented attacks | Essential entities (minimum required) |
| Important | 99+ controls | Comprehensive security | Important entities |
| Essential | 185+ controls | Full enterprise security | Essential entities (full certification by April 2027) |

Why CyberFundamentals Matters for Insurance

The CyFun framework creates an objective, measurable compliance baseline that cyber insurers can use to assess risk:

  • Organizations with CyFun Basic verification demonstrate fundamental security hygiene
  • CyFun Important or Essential verification signals mature security practices
  • Lack of any CyFun verification indicates potential compliance failure and higher risk

Two Compliance Tracks

Belgian entities can choose between two compliance pathways:

Track 1: CyberFundamentals (CyFun)

  1. Register on Safeonweb@Work portal (requires KBO/BCE number)
  2. Run a gap analysis using the CyFun toolbox
  3. Implement the required controls (start with 34 Basic controls)
  4. Obtain a Verification Statement from an accredited assessment body
  5. Submit proof via Safeonweb@Work portal

Best for: Most Belgian organizations, especially those without existing ISO certification.

Track 2: ISO/IEC 27001

  1. Register on Safeonweb@Work portal
  2. Submit:
    • Certification scope
    • Statement of Applicability (SoA)
    • Most recent internal audit report
  3. Full ISO 27001 certification deadline: April 2027

Best for: Organizations with existing ISO certification or those in complex multinational environments.

Entities may submit a self-assessment with supporting documentation and formally request an inspection. The CCB explicitly warns: “This pathway may lead directly to supervisory measures.” This is effectively volunteering for a regulatory audit without the structure of CyFun or ISO.

The 18 April 2026 Deadline: What Essential Entities Must Do

The CCB issued a formal request requiring essential entities to submit compliance information and supporting evidence for ex-ante supervision by 18 April 2026. This is not a procedural formality — it’s a regulatory checkpoint with enforcement consequences.

What Essential Entities Must Submit

Via CyberFundamentals track:

  • Obtain, or be actively obtaining, at least a Basic or Important verification
  • OR hold a signed agreement with an accredited assessment body

Via ISO 27001 track:

  • Submit certification scope, Statement of Applicability, and most recent internal audit report

Failure to submit complete or timely information may result in administrative measures, financial penalties, and further supervisory action.

Registration Requirement

All NIS2 entities must register via the Safeonweb@Work portal. The general registration deadline was 18 March 2025 (now passed). As of late 2025, Belgium had registered approximately 1,500 essential entities and 2,500 important entities — but roughly 25% of registered businesses had not yet started implementation.

Incident Reporting Requirements

Belgian NIS2 entities must report significant incidents to the CCB within strict timelines:

| Report | Deadline | Content |
|---|---|---|
| Early warning | Within 24 hours of detection | Initial assessment, likely impact, indicators of compromise |
| Incident notification | Within 72 hours | Updated assessment, severity, cross-border impact |
| Final report | Within 30 days | Full incident analysis, root cause, remediation measures |

Reports are submitted via the Safeonweb@Work portal or directly to the CCB’s CSIRT function. The CCB coordinates with relevant sectoral authorities and may issue EU-wide alerts through the CSIRT network.

Penalties and Personal Liability

Financial Penalties

| Entity Type | Maximum Fine |
|---|---|
| Essential entities | Up to €10,000,000 or 2% of global annual turnover (whichever is higher) |
| Important entities | Up to €7,000,000 or 1.4% of global annual turnover (whichever is higher) |

Personal Liability for Management

Belgium’s NIS2 law includes personal liability provisions for C-level executives and board members:

  • Personal fines for management failures related to cybersecurity governance
  • Temporary prohibition from holding management positions in similar entities
  • The CCB can order public disclosure of compliance failures

This is one of the most significant aspects of Belgium’s NIS2 implementation: management cannot delegate cybersecurity responsibility without personal accountability.

Supply Chain Ripple Effect

Even sub-threshold companies (those below the 50-employee or €10M turnover thresholds) will face compliance pressure:

Large organizations under NIS2 are required to manage cybersecurity risk across their supply chain. In practice, this means they’ll be asking their suppliers, partners, and service providers to demonstrate security compliance.

Belgian SMEs that serve essential or important entities will receive security questionnaires, audit requests, and contractual cybersecurity clauses — even if they aren’t directly regulated by NIS2.

Sector-Specific Requirements

Financial Sector (FSMA Oversight)

The Financial Services and Markets Authority (FSMA — Autoriteit voor Financiële Diensten en Markten) shares supervisory responsibility with the CCB for financial entities. Belgian banks and financial infrastructure operators must comply with both NIS2 and DORA (Digital Operational Resilience Act), creating overlapping but complementary requirements.

Energy Sector (CREG/ELIA Coordination)

Energy sector entities in Belgium — including the transmission system operator ELIA and distribution system operators — face CCB oversight coordinated with the Commission for Electricity and Gas Regulation (CREG). The Belgian energy sector’s high interconnection with neighboring countries (France, Netherlands, Luxembourg, Germany) means cross-border incident reporting is particularly important.

Healthcare (eHealth Platform)

Healthcare entities must coordinate with Belgium’s eHealth platform and the Federal Public Service for Health. Given the sensitivity of health data, NIS2 obligations overlap significantly with GDPR requirements in this sector.

Digital Infrastructure

Belgium’s role as a hub for EU institutions (Brussels hosting the European Commission, Council, and Parliament) means digital infrastructure providers in Belgium face heightened scrutiny. DNS providers, cloud services, and data center operators serving EU institutions are under particular pressure to demonstrate robust NIS2 compliance.

Practical Compliance Checklist for Belgian Entities

  1. Check your scope — Use the CCB scope checker
  2. Register immediately — Via Safeonweb@Work (requires KBO/BCE number)
  3. Select your compliance track — CyberFundamentals (recommended) or ISO 27001
  4. Run a gap analysis — Download the tool from the CyFun toolbox
  5. Prioritize the 34 Basic controls — Access control, patch management, backups, incident detection
  6. Document everything — Written policies, procedures, formal incident response plan
  7. Submit compliance proof — Via Safeonweb@Work portal before the deadline
  8. Plan for ongoing assessment — Essential entities face regular inspections

How Belgium Compares to Other EU Countries

Belgium’s NIS2 implementation is notable for its speed and structure:

  • France (ANSSI): Used ordonnance fast-track transposition, already enforcing
  • Germany (BSI): Amended BSI Gesetz, conducting supervisory visits
  • Italy (ACN): Established AgID/ACN framework, sector-specific decrees
  • Spain (INCIBE): Amended Ley de Ciberseguridad, designated INCIBE as coordinator
  • Netherlands (NCSC-NL): Uitvoeringswet framework, MIDO designation
  • Poland (NCSA): Amended Ustawa o cyberbezpieczeństwie, building on existing framework

Belgium stands out for being first to transpose, having the CyFun compliance framework ready at launch, and actively enforcing the 18 April 2026 compliance proof deadline. For the complete EU-level classification framework, see our NIS2 Essential vs Important Entities Guide.

Cyber Insurance Implications for Belgian Entities

NIS2 compliance in Belgium directly affects cyber insurance availability and pricing:

  • CyFun-verified entities demonstrate measurable security maturity — insurers are beginning to recognize CyFun levels as a proxy for risk quality
  • Non-compliant entities face higher premiums, coverage exclusions, or outright declinations
  • The 18 April 2026 deadline creates urgency — entities that miss it may face both regulatory penalties AND insurance complications
  • Personal liability provisions mean that D&O insurance may also be affected by NIS2 compliance failures

For insurance professionals assessing Belgian risks, see our NIS2 Underwriting Questions for Brokers and Cyber Insurance Buying Guide.

The Bottom Line

Belgium’s NIS2 implementation is one of the most advanced in the EU. The country was first to transpose the directive, built a concrete compliance framework around CyberFundamentals, and is actively enforcing deadlines — the 18 April 2026 compliance proof submission for essential entities is imminent and carries real enforcement consequences.

For Belgian organizations, the roadmap is clear: classify your entity, register on Safeonweb@Work, select your compliance track (CyFun or ISO 27001), run a gap analysis, implement the required controls, and submit proof before the deadline. Management personal liability means this is not just an IT project — it’s a board-level governance issue.

For a broader NIS2 compliance framework applicable across all EU Member States, start with our NIS2 Compliance Guide and IT Manager Action Plan. For supply chain risk management obligations, see our NIS2 Supply Chain Security Guide.

Resiliently provides cyber insurance intelligence for EU risk professionals. Explore our tools for compliance cost assessment and coverage comparison to make informed decisions about your cybersecurity investments.
