12 March 2026 Update - The transposition of NIS 2 in Belgium
Belgium is not in the same position as several other Member States that missed the NIS 2 deadline. As of today, Belgium has transposed the NIS 2 Directive, and it did so early enough to be presented by its own national cybersecurity authority as the first EU Member State to complete the transposition before the 17 October 2024 deadline.
The Belgian framework is built around the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security, usually referred to as the Belgian NIS2 law, together with the implementing Royal Decree published in June 2024. The Centre for Cybersecurity Belgium, or CCB, states expressly that the law transposes Directive (EU) 2022/2555 into Belgian law, and that the Royal Decree completed that transposition.
A major milestone came with the entry into force on 18 October 2024. The CCB repeatedly described that date as the moment when the Belgian NIS2 law and Royal Decree became effective, and from that point the reporting obligations under the new regime started to apply. Belgian entities in scope had to begin notifying significant incidents to the CCB within the NIS2 timetable: an initial warning within 24 hours, further information within 72 hours, and a final report within 30 days. In other words, Belgium did not stop at formal transposition on paper; the regime became operational in the autumn of 2024.
Another milestone was the creation of a practical compliance architecture around the law. The Royal Decree designated the CCB as the national cybersecurity authority and national CSIRT, while also identifying sectoral authorities that support the CCB in supervision. The decree also set out the conformity assessment procedures, made regular assessments mandatory for essential entities, and recognized CyberFundamentals and ISO/IEC 27001 as reference frameworks for demonstrating compliance. This is one reason Belgium is often discussed as a particularly structured NIS 2 implementation model: it linked legal obligations to a concrete assurance framework rather than leaving compliance entirely abstract.
Belgium also moved quickly on the practical obligation to identify entities in scope. The CCB required NIS2 entities to register via the Safeonweb@Work portal, with the general deadline set at 18 March 2025, while some digital-sector entities had to register earlier. By October 2024, the CCB was already communicating that in-scope entities had to register through a legal representative and begin taking security measures. By March 2025, the CCB was still pushing organizations to complete registration before the deadline, and by late November 2025 it reported that Belgium had already registered 1,500 essential entities and 2,500 important entities, adding that this meant the vast majority of organizations falling under the directive had now been identified.
The main milestones have already been passed. What remains is the completion of the implementation cycle across all sectors, especially in those areas where registrations or compliance maturity still lag. Belgium is no longer asking whether NIS2 has been transposed. The main question in Belgium today is how effectively the transposed regime is being absorbed, evidenced, supervised, and enforced across the full population of essential and important entities.
EU - Transposition, Member States