
NIS2: a compliance guide for Belgian SMEs

Published by Dr Ir Hüseyin Cakmak
#nis2 #compliance #cybersecurity #sme #belgium
The NIS2 directive (Directive (EU) 2022/2555) is one of the most consequential regulatory changes of the decade in cybersecurity — and, unlike its predecessor NIS1, it reaches far beyond the circle of large critical-infrastructure operators. Many Belgian SMEs are now in scope without realising it, either directly because they operate in a covered sector, or indirectly because they are subcontractors to a regulated entity.

This article offers a plain-language reading: what NIS2 is, who falls within its scope, what the obligations are in concrete terms, where Belgian transposition stands, and where to begin. The goal is not to alarm you with regulatory jargon, but to give you a realistic roadmap.

NIS2 in plain terms

NIS2 is a European directive aimed at raising the overall level of cybersecurity across the Union, by imposing risk-management measures and incident-reporting obligations on the organisations it covers. It replaces and considerably broadens the first NIS directive of 2016, which targeted only a limited number of "operators of essential services".

The major change rests on two things: a much wider scope (more sectors, more medium-sized organisations) and a supply chain that is explicitly addressed. In practice, a large regulated entity must now ensure that its suppliers and providers also apply security measures — which "pulls" many SMEs into the framework through their contracts, even when they are not directly designated by the law.

Essential and important entities

NIS2 distinguishes two categories: essential entities (for example energy, transport, healthcare, drinking water, digital infrastructure) and important entities (for example manufacturing, waste management, postal services, chemicals, digital providers). The distinction mainly affects the intensity of supervision: essential entities face more proactive oversight, while important entities are inspected more after the fact, in response to an incident. The substantive obligations, however, are largely similar.

Who is in scope?

The general rule combines a sector criterion and a size criterion. In summary, the organisations targeted are those active in a covered sector that exceed the medium-enterprise thresholds — in practice, the figures often cited are 50 employees or more, or an annual turnover of at least €10 million. Some entities are moreover covered regardless of their size because of their critical role (for example certain providers of digital services or infrastructure).

These thresholds and sector lists carry many nuances. If you are not certain of your situation, do not rely on a quick reading: verify your exact scope with the Centre for Cybersecurity Belgium (CCB) or a specialist. And even below the thresholds you may be concerned indirectly: if you supply a regulated entity, expect it to impose security requirements on you contractually, derived from NIS2.

The key obligations

Risk-management measures

NIS2 requires covered entities to adopt "appropriate and proportionate" risk-management measures. The directive lists several families of measures that every organisation should cover:

  • policies on risk analysis and information-system security;
  • incident handling (detection, response, recovery);
  • business continuity and backup management;
  • supply-chain security;
  • security in the acquisition, development and maintenance of systems;
  • policies to assess the effectiveness of measures;
  • basic cyber-hygiene practices and training;
  • cryptography and encryption policies;
  • human-resources security, access control and asset management;
  • use of multi-factor authentication and secured communications.

You will recognise here the skeleton of proven standards. This is the moment to build on what you may already have put in place during a cybersecurity and GDPR audit: MFA, segmentation, tested backups and an incident procedure are common to both exercises.

Incident reporting (24h / 72h)

NIS2 introduces phased reporting. As a rule, a concerned entity must submit an early warning within 24 hours of becoming aware of a significant incident, then a fuller notification within 72 hours, and finally a final report later. These deadlines are the ones most commonly cited, but the precise arrangements (what constitutes a "significant" incident, the exact recipient, the expected content) fall under national transposition and the guidelines of the competent authority — to be verified for your case.

Note that this timetable is separate from the personal-data breach notification obligation under the GDPR (72 hours): a single incident can trigger both regimes in parallel.

Management accountability

This point is often underestimated: NIS2 explicitly holds management bodies accountable. They must approve the risk-management measures, oversee their implementation, and follow cybersecurity training. In other words, cybersecurity is no longer a purely technical matter delegated to IT: it is now a governance issue. Failures can lead to significant penalties, and management can, in certain cases, be held liable — we remain cautious about the exact figures, which depend on national law.

The Belgian context

In Belgium, NIS2 has been transposed into national law and the legislation entered into force in 2024. The competent authority is the Centre for Cybersecurity Belgium (CCB), which plays both a supervisory and a supporting role. The CCB publishes guides and tools for the organisations concerned — this is the first source to consult to confirm your status and your precise obligations.

A practical advantage of the Belgian framework is how it dovetails with existing reference standards. If you are already certified to ISO 27001 or have deployed the CyberFundamentals framework promoted by the CCB, you already have much of the structure NIS2 expects. These approaches are not an automatic guarantee of compliance, but they cover most of the families of measures and make achieving compliance considerably easier.

A pragmatic roadmap for an SME

There is no need to do everything at once. Here is a realistic progression, in the spirit of our "audit then execute" approach.

1. Gap assessment. First determine whether — and how — you are concerned: sector, size, and exposure through the supply chain. Then map your existing measures against the NIS2 families of measures to identify the gaps.

2. Risk-management measures. Prioritise high-impact, low-cost actions: organisation-wide MFA, tested backups, patch management, access control. A healthy network foundation makes everything else easier — we detail those foundations in our article on network infrastructure for SMEs.

3. Incident response process. Document who does what, the emergency contacts, and a reporting template compatible with the 24h / 72h deadlines. Provide a backup communication channel independent of the systems that may be affected.

4. Governance. Have the measures approved by management, schedule its training, and put in place regular follow-up. This is the easiest requirement to forget — and the most visible during an inspection.

An honest note on complexity

The exact scope of NIS2, the thresholds and the reporting arrangements carry real subtleties, and national transposition clarifies certain points. This article is an orientation guide, not legal advice. Before committing to structural decisions, verify your specific obligations with the CCB or a specialist. Our role at ITOPS.be is precisely to do this clarification work with you, and then to implement it concretely. Explore our full range of cybersecurity services for SMEs and the Benelux.

Contact us to assess your NIS2 exposure and build a roadmap tailored to your sector and scope.

Frequently asked questions

Is my SME in scope for NIS2?

It depends on two combined criteria: your sector of activity and your size (as a rule, from 50 employees or €10 million in turnover in a covered sector). Some entities are targeted regardless of their size. And even below the thresholds you may be concerned indirectly if you supply a regulated entity, through contractual requirements. When in doubt, verify your exact scope with the CCB or a specialist.

What are the reporting deadlines?

As a rule, an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, then a final report later. The exact arrangements (definition of a significant incident, recipient, content) fall under Belgian transposition and the CCB's guidelines — to be confirmed for your specific case.

How does NIS2 relate to GDPR?

The two regimes are distinct but complementary. The GDPR concerns the protection of personal data; NIS2 concerns the security of network and information systems. A single incident can trigger both: for example, a cyberattack leading to a leak of personal data may require both a NIS2 report and a GDPR breach notification within 72 hours. The technical measures overlap to a large extent.

Where do we start?

With a gap assessment: first confirm whether you are concerned, then compare your current measures against the NIS2 families of measures. Next, prioritise high-impact, low-cost actions (MFA, tested backups, access management), document your incident response process, and involve management. If you have already run a cybersecurity audit or deployed ISO 27001 / CyberFundamentals, you start with a head start.