Navigating the Upcoming NIS2 Legislation: Key Short-Term Deadlines and Compliance Essentials for Belgian Organizations

As the cybersecurity landscape continues to evolve, so do the regulatory requirements that aim to protect critical sectors from cyber threats. The upcoming Network and Information Security Directive 2 (NIS2) legislation is a significant development for businesses operating across the EU. This blog post outlines the essentials of NIS2 and highlights the short-term, upcoming key deadlines for businesses operating in Belgium.

What is NIS2?

NIS2 builds upon the original Network and Information Security Directive (NIS), adopted in 2016 to strengthen the EU's cybersecurity resilience, particularly for critical infrastructure. The NIS2 directive widens the scope of the original law, intensifies cooperation between EU member states, and imposes stricter security and incident-reporting obligations.

The Belgian NIS2 law enters into force on 18 October 2024. From that date, organizations within its scope must adopt enhanced cybersecurity measures, conduct regular risk assessments, and promptly notify the relevant authorities of any significant cybersecurity incident. The obligations roll out in stages, with several key deadlines you need to keep in mind.

Scope: Does Your Organization Fall Under NIS2?

Under NIS2, the scope of organizations that need to comply has been expanded. The new directive will apply to a wide range of sectors and industries, categorized into two groups: essential entities and important entities. These include sectors such as energy, transportation, banking, healthcare, digital infrastructure, and certain digital services.

For a detailed breakdown of whether your organization falls within the scope of NIS2, we recommend consulting the Centre for Cybersecurity Belgium (CCB) for guidance on how the directive is being applied to organizations in Belgium. The CCB publishes a scope guide on its website: Is My Organization in Scope of the NIS2 Law?.

NIS2 is Closer Than You Think: Key Compliance Deadlines

While NIS2 may feel like something to think about in the future, the reality is that important deadlines are fast approaching. Organizations must act now to ensure they meet the compliance requirements in time. Below are three short-term key dates to mark on your calendar:

1. 18 October 2024 – Notification of Significant Incidents

From this date, the notification obligation applies, so organizations must have updated their incident response plans to ensure that any significant incident is reported to Belgium's national Computer Security Incident Response Team (CSIRT), operated by the CCB. In practice this means adjusting your processes so that the authorities are notified swiftly when a major cybersecurity event occurs, which helps to mitigate broader impact and keeps you compliant with NIS2.

A significant incident is defined as: "any incident that has a significant impact on the provision of services in the sectors or subsectors listed in the annexes of the NIS2 law, and which:

  1. has caused or is likely to cause serious disruption to the operation of any of the services in the sectors or subsectors listed in Annexes I and II, or financial loss to the entity concerned; or
  2. has caused, or is likely to cause, significant material, personal or non-material damage to other natural or legal persons".

Notification takes place in several stages, which should be reflected in your incident response plan:

  1. without undue delay and at the latest within 24 hours of becoming aware of the significant incident, the entity transmits an early warning;
  2. without undue delay and at the latest within 72 hours (24 hours for trust service providers) of becoming aware of the significant incident, the entity submits an incident notification;
  3. at the request of the national CSIRT or, where appropriate, the sectoral authority concerned, the entity submits an interim report;
  4. no later than one month after the incident notification referred to in 2., the entity sends a final report;
  5. if the final report cannot be sent because the incident is still in progress, the entity sends a progress report at that point and then, in the month following the final handling of the incident, the final report.

Incidents must be reported through the notification portal: https://notif.safeonweb.be/. In emergencies, essential entities can also use the contact number +32 (0)2 501 05 60 to report incidents.

2. 18 December 2024 – Registration on Safeonweb@Work for Specific Entities

For certain organizations, the registration deadline is 18 December 2024. These organizations must register through the cybersecurity portal, Safeonweb@Work, managed by the CCB (Register My Organization). The subset of organizations required to meet this deadline includes:

  • DNS service providers
  • TLD name registries
  • Entities providing domain name registration services
  • Cloud computing service providers
  • Data center service providers
  • Content delivery network providers
  • Managed service providers
  • Managed security service providers
  • Online marketplace providers
  • Online search engine providers
  • Social networking service platform providers

Special attention should be given to the broad definition of Managed Service Providers (MSPs), which the law places under the sector "ICT Service Management (business to business)":

'Managed Service Provider' means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers' premises or remotely.

This definition can capture a large part of the technology sector, such as ISVs and IT service providers, including businesses with only a limited B2B footprint.

If your organization falls into any of the categories above, register before 18 December 2024 using the Safeonweb@Work platform: Register My Organization.

3. 18 March 2025 – Registration on Safeonweb@Work for All Other Entities

For organizations not covered by the December 2024 deadline, the final date to register with Safeonweb@Work is 18 March 2025. Registration is how the CCB builds its picture of every entity in scope of NIS2, so it applies to all essential and important entities.

The same registration portal can be used: Register My Organization.

What Comes After These Deadlines?

As key deadlines approach, a significant amount of work remains to be done. NIS2 introduces a range of essential information security measures that organizations must implement to achieve compliance. To get started, businesses should take the following steps:

  • Select a compliance framework (the CCB's CyberFundamentals (CyFun®) or ISO/IEC 27001),
  • Educate the board of directors and management on information security,
  • Conduct an information security risk assessment, and
  • Implement risk treatment controls based on the chosen framework.

Verification of progress and compliance with the NIS2 law is scheduled for 18 April 2026 and 18 April 2027. What exactly must be verified by each deadline depends on whether the organization is an essential or an important entity (see Scope: Does Your Organization Fall Under NIS2?), the selected compliance framework, and the chosen inspection body.

18 months after the law comes into force, i.e. before 18 April 2026:

  • Those who determine that they must comply with the CyFun® Basic or Important assurance level must have a verification carried out by an accredited conformity assessment body (CAB) approved for CyFun®. Those who determine that they must comply with the CyFun® Essential assurance level must also have such a Basic or Important verification carried out;
  • Those who have opted for ISO 27001 certification must send the scope and statement of applicability to the CCB;
  • Those who have opted for inspection by the CCB must submit the CyFun® self-assessment, or the information security policy, scope and ISO 27001 statement of applicability, to the CCB.

30 months after the law comes into force, i.e. before 18 April 2027:

  • Those who determine that they must comply with the CyFun® Essential assurance level must, in addition to the Basic or Important verification mentioned above, obtain a certification from an accredited CAB approved for CyFun®;
  • Those who have chosen ISO 27001 certification must obtain the certification from an accredited CAB approved for ISO 27001;
  • Those who have opted for inspection by the CCB must submit a progress report on their compliance.

NIS2 is more than just a new set of cybersecurity requirements; it marks a significant change in how organizations must manage and report cyber risks. Businesses covered by NIS2 must align their cybersecurity strategies, policies, and incident reporting processes with the directive, or they risk facing penalties and potential reputational harm. For many, especially those newly included in the expanded scope, navigating the full range of compliance steps can be daunting.

At Toreon, we specialize in preparing organizations for regulatory compliance, including the NIS2 legislation. Whether you need help updating your incident response plan, registering with Safeonweb@Work, or understanding your full obligations, we are here to assist every step of the way.

Don’t wait until the last minute—contact us today for expert guidance on NIS2 compliance and ensure your organization is fully prepared before the deadlines.
