Navigating NIS2: Understanding Belgium's Transposition Law for Cybersecurity Compliance | Fieldfisher
Skip to main content

Navigating NIS2: Understanding Belgium's Transposition Law for Cybersecurity Compliance



On 19 April 2024, the Belgian House of Representatives adopted the transposition law implementing the NIS2 Directive, aimed at harmonizing cybersecurity standards across the EU.

The NIS2 Directive applies to organizations providing services in critical sectors, referred to as "essential entities" and "important entities," such as energy, transport, banking, ICT service management, waste management, etc.

The Belgian Center for Cybersecurity has been designated as the competent authority to oversee compliance with the NIS2 transposition law.

By 18 March 2025, essential and important entities are required to register with the Belgian Center for Cybersecurity.

Key requirements under the NIS2 Directive include:

Cybersecurity Risk Management Measures and Governance:

Essential and important entities must implement appropriate and proportionate measures to manage risks related to their networks and information systems used in their activities or when providing services.

These measures encompass, among other things:

  • Policies related to risk analysis and information systems security.
  • Incident management.
  • Business continuity and crisis management.
  • Supply chain security.
  • Security of human resources, access control policies, and asset management.
  • Use of multi-factor authentication, secure voice, video, and text communications, and secure emergency communication process within the entity.
  • Implementation of a coordinated vulnerability disclosure policy.

Members of management bodies must complete training to demonstrate that they have acquired competencies in assessing risk, cybersecurity management measures and related impact on the services provided.

Mandatory Notification

Essential and important entities must promptly notify the Belgian Center for Cybersecurity of any significant incidents.


Failure to comply with the transposition law (notably with the mandatory notification obligation) may result in administrative fines:

  • up to EUR 7 million or 1.4% of the global annual turnover for important entities, and
  • up to EUR 10 million or 2% of the global annual turnover for essential entities. 

Fines are doubled in case of repeated offence within three years.

The management bodies of essential and important entities that approve the cybersecurity risk management measures and oversee their implementation are responsible for any violation thereof.

Next steps : The transposition law will come into effect on 18 October 2024.


If you need any assistance preparing for NIS2, contact our Tech & Data team: 

Tim Van Canneyt, Olivier ProustNathalie PoupaertInès BenazzouzLouis VanderdoncktEliot Sanam IlungNaomi Capelle