The NIS 2 Directive: State-of-play and Implementation in Belgium

On 27 December 2022, the Directive on Measures for a High Common Level of Cybersecurity across the Union (the ‘NIS 2 Directive’) was published in the Official Journal of the European Union.

The NIS 2 Directive significantly broadens the scope of the previous NIS Directive, which has been in force since 2016: it covers a wider range of industries in order to extend and strengthen cybersecurity requirements across the EU. This includes addressing supply chain security, streamlining incident reporting obligations and introducing strict supervisory and enforcement measures. NIS 2 requires a large number of organisations to implement a comprehensive cybersecurity risk management framework, with the objective of increasing the overall level of cyber resilience within the EU.

After official entry into effect on 16 January 2023, the directive must now be transposed into national legislation by October 2024. Shortly thereafter, competent authorities in the member states will ensure compliance oversight and enforce their national implementation law, through severe administrative penalties and remedial measures where necessary.

In Belgium, the preliminary draft law and royal decree to transpose the NIS2 Directive were published in December 2023. They outline stringent regulatory standards, assessments, and enforcement measures, as detailed below.

Who is affected?

The first new element introduced by NIS 2 concerns the scope of the directive, which is significantly broader than its predecessor. Whereas the original NIS Directive only applied to ‘Operators of Essential Services’ (OES) and ‘Digital Service Providers’ (DSP), NIS 2 applies to all ‘essential’ and ‘important’ entities within the EU.

These entities are considered as critical for the EU’s economy and society and thus include providers of public electronic communications services, digital services, waste water and waste management companies, manufacturers of critical products, postal and courier services, and public administrations, at central and regional levels. 

If you are unsure whether the NIS 2 Directive applies to your organisation, please refer to our PwC scoping tool below, tailored to the preliminary Belgian implementation law of the NIS2 Directive:

Interaction with other (sector-specific) cybersecurity legislation


NIS 2 is a horizontal piece of legislation covering a broad range of sectors. Where sector-specific legislation requires essential or important entities under NIS 2 to adopt cybersecurity risk-management measures or to notify significant incidents, NIS 2 shall not apply to these entities if the sector-specific requirements are at least equivalent in effect to the obligations laid down in the NIS 2 Directive. If sector-specific legislation does not cover all entities in a specific sector falling within the scope of the NIS 2 Directive, the relevant provisions of NIS 2 shall apply to the entities not covered by the sector-specific legislation. Clear interlinkages arise here with regard to the Digital Operational Resilience Act (DORA) and its own set of cybersecurity controls, as well as with the Critical Entities Resilience Directive (CERD), the Cyber Resilience Act, and, more extensively, the Artificial Intelligence Act (AI Act).

When will the Belgian implementation law of the NIS 2 Directive impact your organisation?

By 17 October 2024, Member States must adopt and publish the transposition measures necessary to comply with the NIS 2 Directive, which shall apply from 18 October 2024 onwards. 

In Belgium, the preliminary draft law and draft royal decree to transpose the NIS 2 Directive were published in December 2023. The following timeline outlines the key phases in the development and enforcement of NIS 2 in Belgium:

 

 

October 2024 - Registration as essential or important entities

After 18 October 2024, organisations will have 5 months to register with the Center for Cybersecurity Belgium (CCB) as an essential or important organisation. Failing to meet this deadline can result in financial penalties. This does not limit the power of the CCB to identify organisations before or after this deadline.

April 2026 - Verification of self-assessments

Entities that have opted for the “Basic” or “Important” reference frameworks must have their initial self-assessments verified by a “Trusted NIS Provider” and those verification reports approved by the CCB.

April 2027 - Certification for essential entities

By April 2027, essential entities are to obtain a certification at the level of the chosen reference framework or an ISO27001, based on frequent audits facilitated by a “Trusted NIS Provider”.

The Belgian implementation law aligns with the EU Directive and places a strong emphasis on critical infrastructure operators, certification standards and assessments. It also outlines more stringent enforcement measures. The competent authority is the Center for Cybersecurity Belgium (CCB). 

How does NIS 2 impact your organisation?

Three major pillars emerge for which organisations will have to step up their efforts in order to ensure compliance:

Comprehensive cybersecurity risk management

Under NIS 2, organisations are required to take a proactive rather than reactive approach to risk management by introducing strong information security policies to ensure systematic and thorough risk analysis. Taking into consideration the principle of proportionality, organisations are expected to implement industry-accepted and state-of-the-art cybersecurity measures.

To aid in achieving NIS 2 compliance, the Center for Cybersecurity Belgium (CCB) has launched the CyberFundamentals Framework, a set of guidelines to ensure and improve cyber security of Belgian organisations. The CyberFundamentals comprise four levels: Small, Basic, Important, and Essential.

  • The starting level (Small) provides guiding tools for initial assessments; it is intended for micro-organisations and organisations with limited technical knowledge.

  • The assurance level (Basic) includes standard information security measures applicable to all enterprises.

  • The assurance level (Important) is intended to minimise risks of targeted cyber-attacks by actors with common skills and resources, in addition to known cyber risks.

  • The assurance level (Essential) addresses the risk of advanced cyber-attacks by actors with extensive skills and resources.

The Important and Essential levels are subject to the requirements of the NIS 2 Directive. Essential entities must adhere to the corresponding assurance level or obtain an ISO 27000 certification. The ultimate objective, as outlined by the CCB, is for every Small and Medium organisation in our country to achieve the Basic level.

Conformity to the framework's requirements can be analysed through the CyberFundamentals Conformity Assessment Scheme (CAS), conducted by accredited conformity assessment bodies or through self-assessment, depending on the nature of the entity and the voluntary or mandatory basis for seeking such assessment.

Incident prevention, detection and response

Under NIS 2, essential and important entities need to have a robust Incident Management Framework (IMF) in place, which is tested regularly and communicated to all relevant parties. Moreover, the new directive requires organisations to implement clear procedures to prevent attacks, investigate root causes and adopt mitigating measures. Consequently, the CCB published an in-depth Cybersecurity Incident Management Guide in which it recommends the tools and means to prepare, detect, respond and communicate regarding the development of a threat or incident, as well as how to manage the follow-up of the event. 

Business continuity and crisis management

Under NIS 2, essential and important entities need to ensure the continuity of their operations in the event of a major cybersecurity incident. As such, organisations must implement a comprehensive resilience framework - encompassing business continuity, disaster recovery and crisis management - in order to minimise disruption. The CyberFundamentals align closely with the requirements set by ISO27001 / ISO27002: the requirements and guidance set by the CyberFundamentals are complemented by the ISO27k standards, which serve as a baseline for their application.

Supply chain security

As supply chain security becomes ever more relevant, the draft implementation law requires essential and important entities to engage in Third Party Risk Management (TPRM). Ensuring TPRM across their digital value chain will be a challenging task for organisations, and a comprehensive supply chain resilience framework could be warranted.

Incident reporting and supervision

Incident reporting

The Belgian implementation law requires all essential and important entities to report to the CCB any incident that has a significant impact on the provision of their services, in accordance with the following procedure:

  • Early warning (within 24h): issued to the national CSIRT without undue delay, and no later than 24 hours after becoming aware of the incident, stating whether the event is thought to have been the result of unlawful or malicious activity or could have cross-border ramifications

  • Incident notification (within 72h): issued to the national CSIRT without undue delay, and no later than 72 hours after becoming aware of the incident, thereby updating the information provided in the early warning and giving a preliminary evaluation of the incident's severity and effects

  • Intermediate report: issued upon request of the CCB or the appropriate national authority, highlighting relevant status updates on incident and crisis management

  • Final report: must be submitted no later than one month after the incident notification was submitted. A thorough description of the incident - including its root cause, any adopted mitigation strategies, and any cross-border effects - must be included in the final report.

For an incident to be classified as significant, it should result in a serious operational disruption or financial losses for the entity concerned, or must be capable of causing this. An incident shall also be classified as significant if any natural or legal person could possibly be subject to significant material or non-material damage - discussions are still ongoing regarding the exact threshold. The European Commission is expected to deliver by 17 October 2024 further implementing acts on incident reporting for DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers and providers of online marketplaces, search engines and social networking platforms. These acts would also indicate the cases in which an incident will be considered significant.

Supervisory Framework

When compared to its predecessor, NIS 2 provides a tough enforcement framework in order to ensure a higher level of compliance. 

First and foremost, the CCB will be able to rely on a robust enforcement and investigation framework, the limits of which depend on the classification of your organisation.

  • Essential entities: subject to a comprehensive, ex ante, supervisory regime, in which the supervisory powers of the national authorities include the ability to conduct random raids, perform (ad hoc) security audits as well as the ability to request certain information and evidence of compliance.

  • Important entities: subject to a lighter, ex post, supervisory regime that is applicable in the event of evidence and/or indications of non-compliance.

Consequently, the CCB can have the following competences to ensure compliance:

  • Information request regarding the state of cybersecurity in the organisation, including the results of all previous cybersecurity audits

  • On-site (sample) testing of cybersecurity controls

  • Targeted audits for essential companies, on the basis of CCB priorities

  • Security scans

  • Asking for personal identification of people involved in the organisation’s level of cybersecurity maturity

  • On-site inspection of cybersecurity capabilities

Moreover, the CCB also plays a role in imposing fines for non-compliance. 

Enforcement and management liability

Management responsibility and liability

According to the NIS 2 Directive and the subsequent Belgian implementation law of the NIS 2 Directive, the management bodies of essential and important entities bear the responsibility for compliance: they must approve cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements by their organisation.

In this context, all members of management bodies will also be required to follow training on a regular basis in order to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by their organisation.

Enforcement

Under NIS2, member states must provide the appropriate national authority with the discretionary power to impose considerable fines on organisations that do not comply with the national transposition laws.

  • Essential entities: At least up to €10 million or 2% of their worldwide annual turnover

  • Important entities: At least up to €7 million or 1.4% of their worldwide annual turnover

How can PwC assist your organisation? 

PwC can assist your organisation in achieving compliance with NIS 2 by supporting you throughout your resilience journey. 

Scoping assessment

Determining whether your company falls into the scope of the NIS 2 regulation can be a challenging task. In light of the Belgian Implementation Law, it is of utmost importance for companies operating in Belgium to determine whether they qualify as essential or important entities, and which compliance framework they need to comply with - small, basic, important, essential - in order to achieve full preparedness and avoid severe consequences for non-compliance. Our team can assist you with a tailored scoping assessment to help you define which regulatory requirements apply to your company.


Maturity & gap assessment

Once it has been determined whether you fall within the “important” or “essential” category, it will be crucial to identify which steps are necessary to achieve compliance. In Belgium, if not already ISO27000-compliant, your company will need to get certified for one of the CyberFundamentals Framework assurance levels defined by the CCB.

Whether you are at the early stages or already moving forward in your resilience journey, our teams can support you in understanding where your organisation stands in terms of maturity, and what efforts are still required to ensure full compliance with the requirements of the Belgian Implementation Law. Our teams can perform a thorough gap analysis to identify gaps in your current readiness and guide you in implementing the necessary measures to meet regulatory requirements. Additionally, we can evaluate your organisation's level of resilience, and provide tailored recommendations for improvement.


NIS2 compliance support & implementation

Based on the identified needs, our teams can support your company throughout your compliance journey. We offer a broad range of expertise across all NIS2 pillars, and can help you implement the compliance framework that best fits your organisation (cybersecurity frameworks such as ISO27000, business continuity, crisis management, CyberFundamentals frameworks, etc.).

With the formal adoption of NIS 2, it is imperative for all entities in scope to carefully plan and implement the necessary steps to comply with national transposition measures, as well as identify areas that require further investment and prioritisation.

The NIS 2 Directive emphasises that resilience is a concerted effort, and that all entities have a shared responsibility as cybersecurity actors in creating a healthy and safe cyber environment.

Contact us

Roy Coppieters

Director, Ghent, PwC Belgium

+32 477 81 49 11


Wessel Doldersum

Manager, Brussels, PwC Belgium

+32 472 88 33 90


Koen Maris

Assurance Partner, Cyber, Privacy & Resilience, Brussels, PwC Belgium

+352 49 48 48 2096
