Is Your Organization Ready for NIS2 Directive Compliance? Key Requirements Explained

October 18th, 2024. Mark this date, as it might bring significant changes to your organization! On the 18th of October, the Belgian NIS2 legislation will come into force. This new legislation will replace the outdated NIS1. While NIS1 may be out of date, the aim of the new NIS2 remains the same: to strengthen cybersecurity measures, incident management, and oversight of entities providing services essential for maintaining critical societal or economic activities, while also enhancing the coordination of government policies on cybersecurity.

But how do you know if your organization falls within the scope of NIS2, and what does it mean if you are within scope? Let’s find out.

Determining NIS2 scope for your organization

Criteria for NIS2 scope determination

To determine whether your organization falls within the scope of NIS2, three criteria must be met:

  1. Your organization must be established in and provide its services in Belgium.
  2. Your organization offers a critical service as defined and listed in annex I (energy, transport, banking, health, …) and II (Postal services, waste management, manufacturing, …) of the NIS2 directive of the European Union.
  3. Your organization has at least 50 full-time employees or €10 million in annual turnover or annual balance sheet total.

The Centre for Cybersecurity Belgium (CCB), the appointed national authority for cybersecurity, has provided an assessment on its website to help organisations determine whether they fall within the scope of NIS2.

Automatic inclusion under specific circumstances

Besides meeting the above-mentioned criteria, your organization might automatically fall within the scope of NIS2 under two circumstances:

  1. If your organization is identified as an operator of critical infrastructure under the law of 1st July 2011 on the security and protection of critical infrastructure. If you are designated as such, the size of your organisation is irrelevant, as these operators are considered essential entities under NIS2.
  2. If your organization is identified as an operator of essential services (OES) or a digital service provider (DSP) under NIS1.

Indirect impact of NIS2 compliance on organizations

It is important to note that organizations not included within the scope of NIS2 can still be affected by it in two ways:

First, the CCB can identify certain organizations, regardless of their size, as essential or important entities under the NIS2 law. If the CCB identifies you as such, you must comply with NIS2.

The CCB can identify your organization as an essential or important entity under the NIS2 law under four circumstances:

  1. The entity is the sole provider in Belgium of a service essential for the maintenance of critical societal or economic activities;
  2. Disruption of the service provided by the entity could significantly impact public safety, public security, or public health;
  3. Disruption of the service provided by the entity could induce significant systemic risk, particularly in sectors where such disruption could have a cross-border impact;
  4. The entity is critical due to its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in Belgium.

Second, an organization not included in the scope can still be affected by NIS2 if it is part of the supply chain of an organization that is included. Being part of the supply chain means that you might be required to implement cybersecurity risk-management measures due to contractual obligations.

Check out our blog

5 Key Steps in Effective Risk Management

NIS2 compliance guidelines

NIS2 registration process

Once you have determined that your organization is within the scope of NIS2, the real work begins. It all starts with registering your organization with the CCB. This can be done through a form on Safeonweb@Work.

Most organizations will have five months to complete their registration, meaning they must do so by 18th March 2025. If your organization has been registered before, it is important to keep this information up to date.

If your organization falls into any of the following categories, you will only have two months to complete your registration, which means by 18th December 2024 at the latest:

  • DNS service providers
  • TLD name registries
  • Entities providing domain name registration services
  • Cloud computing service providers
  • Data centre service providers
  • Content delivery network providers
  • Managed service providers
  • Managed security service providers
  • Online marketplace providers
  • Online search engine providers
  • Social networking service platform providers

NIS2 security measures

After registering, organizations within scope need to take appropriate measures. These measures should be technical, organizational, and operational, aimed at eliminating or reducing the impact of incidents on the recipients of their services and on other services.

NIS2 defines 11 minimum measures that every entity must implement:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity, such as backup management and disaster recovery, and crisis management
  4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies and asset management
  10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate
  11. A coordinated vulnerability disclosure policy

NOTE: The CCB advises the use of the CyberFundamentals framework to facilitate the implementation of these measures.

NIS2 incident notification requirements

Under NIS2, organizations within scope are required to notify the CCB of any significant incident affecting the provision of their services in the (sub-)sectors listed in the annexes of the law. This includes, where appropriate, information that makes it possible to determine whether the incident has a cross-border impact.

An incident is considered significant if it significantly impacts the provision of services in the sectors or subsectors listed in the annexes of the NIS2 law. It must also cause, or be likely to cause, serious disruption to the operation of any services in these sectors or subsectors, financial loss to the concerned entity, or significant material, personal, or non-material damage to other natural or legal persons.

Once an incident is identified as significant, notification must be made to the CCB in several stages:

  1. Within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning.
  2. Within 72 hours (24 hours for trust service providers) of becoming aware of the significant incident, the entity shall submit an incident notification.
  3. Submit an interim report if requested to do so by the CCB.
  4. Submit a final report no later than one month after the submission of the incident notification referred to in point 2.
  5. If the incident is ongoing at the time of the final report, the entity shall submit a progress report and then, within one month after handling the incident, a final report.

It is also important for entities to inform the recipients of their services if the incident could impact the services provided to them.

Management's role in NIS2 compliance

The management of organizations within the scope of NIS2 must approve the cybersecurity risk management measures and oversee their implementation. If the organization breaches its obligations regarding risk management measures, the management is liable.

Members of the management are obliged to undergo training to ensure their knowledge and skills are sufficient to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the organization.

Cooperation with CCB for NIS2 compliance

Organizations within the scope of NIS2 are obligated to cooperate with the CCB and the sectoral authorities. This cooperation generally involves exchanging information on the security of networks and information systems and includes cooperation between the organization and the CCB’s or the sectoral inspection service.

Check out our webinar

Navigating NIS2: Understanding the EU Directive

NIS2 supervision and sanctions

NIS2 compliance assessment

The type of supervision an organization is subjected to depends on the category it is assigned based on NIS2. An organization can be classified as either “Important” or “Essential”.

  • Important organizations are primarily subject to reactive supervision, which means supervision occurs after an incident or based on evidence, indications, or information that the organization is not complying with the law’s obligations.
  • Essential organizations are subject to both proactive and reactive supervision. They must undergo mandatory regular conformity assessments.

These conformity assessments are carried out based on the organization’s choice among three options:

  1. A CyberFundamentals certification (level Essential) or verification (level Important or Basic) with the relevant scope of application, granted by a conformity assessment body (CAB) approved by the CCB after accreditation from BELAC.
  2. An ISO/IEC 27001 certification with the relevant scope of application, issued by a CAB accredited by an accreditation body that has signed the mutual recognition agreement (MLA) governing the ISO 27001 standard within the framework of the European co-operation for Accreditation (EA) or the International Accreditation Forum (IAF).
  3. An inspection by the CCB inspection service (or by a sectoral inspection service).

Once a conformity assessment is successfully completed, the organization receives a conformity assessment statement, presuming compliance with its obligations.

Due to the proactive and reactive supervision of essential organizations, the inspection service may inspect them at any time. For important organizations, supervision is only carried out reactively by the inspection service. However, these organizations may voluntarily submit to the same regime as essential organizations and thereby receive a presumption of conformity.

Deadlines for NIS2 compliance

Starting from 18th October 2024, essential organizations will have one and a half years to perform a conformity assessment.

By 18th April 2026, at the latest, essential organizations must at least:

  • Obtain CyberFundamentals level “important” verification, or
  • Submit to the CCB the scope and statement of applicability as part of an assessment carried out by a CAB based on the ISO/IEC 27001 norm, or
  • Submit to the CCB a CyberFundamentals level important self-assessment, or
  • Submit to the CCB the information security policy, the scope, and the statement of applicability of the ISO/IEC 27001 norm.

NOTE: Essential organizations opting for a CyberFundamentals or ISO/IEC 27001 certification must obtain it no later than 18th April 2027.

NIS2 non-compliance penalties

During conformity assessments, inspectors will create reports based on their on-site observations. If these findings indicate a violation of NIS2, the inspector can order the organization to cease the violation and, if necessary, take appropriate administrative measures. These measures can range from warnings to administrative fines.

NIS2 imposes the following administrative fines:

  • €500 to €125.000 for non-compliance with information obligations from Article 12 (identification process).
  • €500 to €200.000 for sanctioning an employee or subcontractor for performing their obligations under the law in good faith and within the scope of their duties.
  • €500 to €200.000 for non-compliance with supervision obligations.
  • €500 to €7.000.000 or 1.4% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher (for important entities).
  • €500 to €10.000.000 or 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher (for essential entities).

NOTE: The fined amount can be doubled for repeated behaviour within a period of three years.

The CCB may also impose the following administrative measures:

  • Issue warnings or binding instructions.
  • Order to cease conduct or bring risk management measures or reporting obligations into compliance.
  • Order to inform the natural or legal persons to whom they provide services or to publicise aspects of non-compliance.
  • Designate a monitoring officer (for essential entities).
  • Order the implementation of the provided recommendations.
  • Temporarily suspend a certification or authorisation concerning part or all of the relevant services provided (for essential entities).
  • Temporarily prohibit the exercise of managerial functions (for essential entities).

The goal of these measures and fines is to enhance the level of cybersecurity for essential and important organizations, thereby improving the overall cybersecurity landscape in Belgium.

Upgrade your privacy approach

Book a free demo with one of our experts today! Don’t worry, they won’t bite.

Understanding NIS2 legislation: Compliance requirements and cybersecurity measures for organizations

Navigating the complexities of the new NIS2 legislation is crucial for organizations operating within its scope. As outlined, the NIS2 framework seeks to enhance cybersecurity measures, incident management, and oversight of essential services, ensuring a robust and coordinated approach to cybersecurity across the country.

Understanding whether your organization falls within the scope of NIS2 is the first step. This involves assessing criteria related to your establishment, the nature of your services, and your organizational size. Once within scope, timely registration with the CCB and adherence to specified measures are mandatory. Implementing the 11 minimum cybersecurity measures is critical to reducing incident impact and ensuring compliance.

Regular and thorough supervision, especially for essential organizations, highlights the need for constant alertness and active cybersecurity management. The emphasis on conformity assessments, whether through certifications like CyberFundamentals or ISO/IEC 27001 or through direct inspections, highlights the need for structured and verifiable security practices.

Non-compliance carries significant financial and operational penalties, reinforcing the necessity for organizations to align their cybersecurity practices with NIS2 requirements. The outlined administrative measures and fines aim to drive higher standards of cybersecurity, protecting both individual organizations and the broader societal and economic fabric of Belgium.

In conclusion, the NIS2 legislation represents a pivotal shift in Belgium’s approach to cybersecurity. For organizations affected by it, embracing these changes is crucial to ensure compliance and contribute to a safer, more resilient digital landscape. By doing so, organizations not only protect themselves but also play a critical role in safeguarding national and European digital security.

Liked reading this article? Spread the word!

Get the inside scoop on simplified privacy management

Get exclusive tips ‘n tricks straight to your inbox. Join +1,100 privacy professionals already subscribed and stay ahead of the game!

Written by

Stijn Van de Cauter

Implementation Consultant @ RESPONSUM