The law integrating the new NIS2 Directive on cybersecurity was published in the Belgian Monitor on Friday May 17, 2024, and will come into force on October 18, 2024. It aims to increase attention on cybersecurity in the public sector and certain key private sectors.

In Belgium, some 2,500 entities are now concerned, compared with around a hundred under the previous NIS1 Directive. Medium-sized and large companies active in two types of sectors are targeted: highly critical sectors such as ICT service management, public telecom providers, domain name registries and DNS providers, banking, healthcare, transport, or digital infrastructures; and other critical sectors such as chemical production and distribution, manufacturing of IT products, vehicles and medical devices, and digital providers.

Companies will be classified into two categories: essential and important, depending on their size and sector of activity. Some smaller companies will also be impacted if they are part of the supply chain of an essential or important entity.

To comply with the Directive, covered entities must register with the Center for Cybersecurity Belgium (CCB) by March 18, 2025. Entities must put in place a robust risk management framework to reduce the consequences of cyber incidents.

A major challenge will be the management of risks originating from supply chain companies. In addition to internal measures, the entities concerned will have to implement a resilience framework for their supply chain, considering the vulnerabilities specific to each link. The law also imposes obligations to report cyber incidents, as well as endorsing a policy on information systems security and setting out the endorsed measures.

Essential entities will be subject to rigorous ex-ante and ex-post monitoring, with periodic checks and severe penalties of up to €10 million or 2% of annual worldwide turnover.

To help you through this transition, don’t hesitate to contact Antoine DECLEVE.