NIS2 Compliance in Belgium: The Practical Checklist for 2026

The NIS2 deadline in Belgium is April 18, 2026. That's not a typo and it's not far away. If your company has 50 or more employees, or turns over more than 10 million euros, and you operate in one of 18 critical sectors - this law applies to you. Right now, roughly one in four registered businesses hasn't even started implementation. The CCB (Centre for Cybersecurity Belgium) can fine you up to 10 million euros or 2% of your global turnover. And here's the part that gets board members' attention: they can be held personally liable.

So let's skip the theory and get into what you actually need to know - and what you need to do.

Who Falls Under NIS2 in Belgium?

NIS2 splits organisations into two categories: Essential entities and Important entities. The difference matters because it determines your compliance obligations and the size of potential fines.

Essential entities include sectors like energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Important entities cover postal services, waste management, chemicals, food, manufacturing, digital providers, and research.

That's 18 sectors in total. The size thresholds are straightforward: 50 or more full-time employees, or annual turnover exceeding 10 million euros. Hit either one and you're in scope.

Even if your company is smaller than those thresholds, you can still be affected through supply chain obligations. If you provide services to an entity that falls under NIS2, that entity will be required to ensure its supply chain meets certain security standards, which means you'll likely be getting a security questionnaire sooner rather than later.

The legal basis for all of this is EU Directive 2022/2555 and the Belgian Law of 26 April 2024 that transposed it into national legislation.

The CyberFundamentals (CyFun) Framework - Belgium's Answer to NIS2

This is where Belgium actually did something smart. Instead of leaving businesses to figure it out on their own, the CCB created the CyberFundamentals framework - CyFun for short. It gives you a concrete, structured path to compliance.

CyFun has four levels:

  • Small - for micro-organisations, a lightweight starting point
  • Basic - 34 controls, suitable for smaller in-scope entities
  • Important - 99+ controls, for Important entities under NIS2
  • Essential - 185+ controls, for Essential entities under NIS2

The Basic level alone stops 82% of attacks documented in CERT.be threat profiles. That's a solid return for 34 controls.

CyFun isn't some random Belgian invention either. It's built on internationally recognised frameworks: NIST CSF, ISO 27001, and CIS Controls. If you've done any security work before, a lot of these controls will look familiar.

The CCB provides a full toolbox for self-assessment and implementation at atwork.safeonweb.be/cyberfundamentals-toolbox. It's free to use and surprisingly well put together.

We wrote a detailed guide on how NIST CSF 2.0 maps to CyFun - read it here.

The April 2026 Deadline - What Exactly Is Due?

There are two compliance tracks, and you need to pick one.

Track 1: CyFun - Submit a Verification Statement for CyFun Basic or Important level to the CCB. This means you've gone through the self-assessment (or had a third party do it) and can demonstrate you meet the required controls. For most Belgian SMEs, this is the faster and more practical route.

Track 2: ISO 27001 - If you already have ISO 27001 certification, or you're close to it, you can submit your Statement of Applicability (SoA) to the CCB instead. This route makes sense if you've already invested in ISO certification.

Both tracks require submission by April 18, 2026.

Looking further ahead: by April 2027, Essential entities will need full Essential-level certification. That's a much bigger lift, so plan accordingly.

Registration on Safeonweb@Work should already be done. That deadline was March 2025. If you haven't registered yet, do it today. It takes about 15 minutes and it's a prerequisite for everything else.

The Practical Checklist

Here's what you need to do, step by step. This is based on the CCB's quickstart guide, but translated into plain language.

  1. Check if you're in scope

    Use the CCB scope checker on Safeonweb@Work to determine whether NIS2 applies to your organisation. Don't assume you're out of scope just because you're not in an obvious sector like energy or healthcare. Digital service providers, managed IT services, and food manufacturing all count.

  2. Register on Safeonweb@Work

    If you haven't done this already, you're late. The registration deadline passed in March 2025. Go to atwork.safeonweb.be and get it done now. You'll need your company's KBO/BCE number.

  3. Pick your track: CyFun or ISO 27001

    If you already have ISO 27001 certification, go with Track 2. For everyone else, CyFun is the way forward. It's designed for this purpose and the CCB provides all the tools you need.

  4. Run a gap analysis

    Download the CCB's self-assessment tool from the CyFun toolbox and work through it honestly. Mark what you already have in place and what's missing. This gives you a clear picture of how much work is left.

  5. Prioritise fixes - start with the 34 Basic controls

    Don't try to do everything at once. The 34 controls in CyFun Basic cover the fundamentals: access control, patch management, backup procedures, incident detection. Get these right first, then build up to Important or Essential level if required.

  6. Document everything

    This is where most companies underestimate the effort. You need written policies, documented procedures, and a formal incident response plan. The CCB wants to see evidence that your security measures are structured and repeatable - not just that you installed antivirus software.

  7. Submit your proof to the CCB before April 18, 2026

    For Track 1, submit your CyFun Verification Statement. For Track 2, submit your ISO 27001 SoA. Both go through the Safeonweb@Work portal. Don't leave this to the last week - the portal will likely be hammered as the deadline approaches.

What Happens If You Don't Comply?

The fines are significant. And unlike GDPR, where enforcement was slow to start, the CCB has been signalling clearly that they intend to act.

Essential entities face fines of up to 10 million euros or 2% of global annual turnover - whichever is higher.

Important entities face fines of up to 7 million euros or 1.4% of global annual turnover.

But the financial penalties aren't even the worst part. Board members and senior management can be personally fined and temporarily barred from exercising management functions. The CCB can also order the public disclosure of compliance failures and security breaches. For any business that depends on client trust, that's potentially more damaging than the fine itself.

These enforcement powers are laid out in the Belgian NIS2 Law and the CCB's mandate as the national supervisory authority.

The Supply Chain Effect - Why This Matters Even If You're Small

Here's something that doesn't get enough attention. NIS2 has a ripple effect that goes well beyond the companies directly in scope.

Large organisations under NIS2 are required to manage cybersecurity risk across their supply chain. In practice, this means they'll be asking their suppliers, partners, and service providers to demonstrate security compliance. If you're a 20-person IT company that provides managed services to a hospital or an energy company, expect to start receiving detailed security questionnaires. And "we take security seriously" won't be an acceptable answer anymore.

Getting CyFun Basic certification now - even if you're not directly required to - is a competitive advantage. It's tangible proof you meet a recognised standard. When a potential client is choosing between two IT suppliers and one has CyFun Basic certification, that's an easy decision.

What We'd Recommend

If you haven't started, don't panic - but don't wait either. The 34 controls in CyFun Basic are achievable for most SMEs in a few weeks with the right guidance. They cover the things you should probably be doing anyway: managing who has access to what, keeping systems patched, having backups that actually work, and knowing what to do when something goes wrong.

The hardest part isn't the technical implementation. It's the documentation and governance. Writing policies, defining procedures, creating an incident response plan that people actually know about - that's where companies get stuck. The technical controls are often half-done already. The paperwork rarely is.

One thing worth considering: AI agents can automate a surprising amount of compliance work - from monitoring logs and generating reports to flagging policy gaps. It won't replace the thinking, but it can handle the repetitive parts.

We help Belgian businesses with NIS2 compliance - from gap analysis to CCB submission. If you want someone to walk you through it, get in touch.
