NIS2 Implementation in Belgium: What you need to know

NIS2 replaces NIS1, addressing the lack of harmonisation across the EU    

Over the last decade, the EU cybersecurity landscape has evolved rapidly, bringing new challenges for the EU economy and society at large. The ransomware business model is projected to cost more than USD 10 trillion by 2025 [1] and is now pursued by highly sophisticated organisations [2]. Furthermore, the variety of sectors affected is widening. In 2022, public administration, SMEs and the health sector represented more than two-thirds of ransomware victims in France [3].

Against this background, the EU institutions have put forward several pieces of legislation aimed at raising the level of cybersecurity within the EU. In 2016, the General Data Protection Regulation (GDPR) set privacy and data protection provisions to protect EU citizens. The same year, the Directive on network and information systems (NIS1) became the first horizontal regulation seeking to improve network and information system security across EU critical infrastructures. More recently, the Cybersecurity Act gave ENISA a permanent mandate and a stronger basis for the EU cybersecurity certification framework, the Cybersecurity Resilience Act (CRA) proposal put forward horizontal cybersecurity requirements for hardware and software products marketed within the EU, and the Digital Operational Resilience Act (DORA) aims at protecting digital finance.

Following the implementation of NIS1 across Member States (MS), the European Commission (EC) mandated Wavestone to perform an evaluation assessing its efficiency, effectiveness, coherence, relevance and added value at EU level. The study concluded that, while NIS1 had increased cybersecurity resilience inside the Union, it fell short in addressing the fragmentation of the EU legislative framework on cybersecurity. It therefore called for a revision of NIS1 to cope with the disparities in the implementation of the Directive across MS, as well as with the ever-changing and rapidly evolving digital economy.

Based on these conclusions, the EC launched the work on an updated Directive meant to address the shortcomings identified in NIS1. On 27 December 2022, NIS2 was published in the Official Journal of the EU, replacing NIS1. NIS2 aims to minimise divergences in the implementation of cybersecurity requirements at national level while providing businesses with a level playing field. The following paragraphs highlight its main novelties and what they entail for organisations in Belgium.

What is changing 

The scope includes more sectors and SMEs 

The scope of NIS2 is larger than that of its predecessor. NIS2 overcomes the traditional distinction between Operators of Essential Services (OES) and Digital Service Providers (DSP). The new provisions distinguish between Essential Entities (EE) and Important Entities (IE) based on the sector in which such entities operate. In this regard, NIS2 broadens the scope of NIS1 by including sectors such as space, manufacturing and public administration (see figure below). Moreover, size thresholds now apply, which brings some SMEs into the scope of the Directive. Therefore, according to some estimates [4], we can expect a 7-fold increase in the number of entities falling under the scope of NIS2. This increase is particularly evident in Belgium, where estimates foresee at least a 20-fold increase (from 100 entities to more than 2 000) [5][6].

Figure 1 - Sectors in the scope of NIS2

Explicit security measures 

An additional change brought by NIS2 is the explicit listing of baseline security measures to be implemented in each MS. EEs and IEs are required to put in place a set of new security measures concerning, among others, the use of cryptography and encryption, supply chain security and business continuity, as well as cyber hygiene practices and training. These measures should follow a risk-based approach, as Belgium did for NIS1. At present, the Centre for Cyber Security Belgium (CCB), the national competent authority, has designed its Cyberfundamentals Framework, which provides guidance to all entities for security improvement. We expect this framework to become the baseline of measures aligned with the expectations of NIS2.

Clearer but stricter reporting obligations 

Another novelty concerns the incident reporting obligations for entities. Whereas NIS1 foresaw notification mechanisms, NIS2 introduces mandatory reporting of threats or events leading to a significant incident, with a defined time frame and specific information to disclose. In addition, under NIS2, the CCB will have the power to inform the public about such incidents or to require the affected entity to do so. The CCB is implementing a secure web platform (the Unified Notification Platform) for incident reporting, which is expected to stay in use for critical entities (those nominated under NIS1), while EEs and IEs will most likely be given a different submission system.

Unified supervisory and enforcement measures 

Lastly, NIS2 draws a distinction in the supervisory and enforcement framework between EEs and IEs. Compared with IEs, EEs are subject to regular controls and more comprehensive audits and, in case of infringement, face higher penalties. While the Belgian act transposing the NIS1 Directive already foresees financial penalties, NIS2 sets them up to 20 times higher. Additionally, NIS2 makes top management accountable, with temporary bans from managerial functions in case of failure to implement and supervise organisational compliance. The Belgian law transposing NIS1, for its part, already imposes criminal liability in case of failure to comply with its provisions. At present, it is still unclear whether criminal liability provisions will continue to complement the NIS2 supervisory and enforcement framework; we therefore look forward to more visibility on the national competent authority's approach under the new directive.

Many exceptions and other key provisions 

Finally, every key article of the Directive includes specific exceptions. Some organisations will fall under the scope of NIS2 regardless of their size, and others will have different reporting obligations. This article deliberately stays high-level to highlight the key requirements for organisations and to ensure clarity. For that reason, we decided to focus on the key elements that will help you initiate the work to raise your organisation's security level.

Which actions can already be undertaken today 

Whereas the deadline for NIS2 transposition at national level is set for 17 October 2024, the European Commission is already encouraging MS to take the necessary measures to anticipate its implementation. Although it is too soon to know precisely how NIS2 will impact Belgian organisations, we strongly believe that many initiatives can already be undertaken by public and private entities. Indeed, the CCB recently called on organisations to start their anticipation work.

Follow the evolution of the legislative framework  

Knowledge is key. As co-chair of the focus group on EU Regulations of the Belgian Cyber Security Coalition [7], I gather and provide technical insights on NIS2 implementation in Belgium to Wavestone clients as it is being discussed and built. This seat offers a privileged vantage point to follow and participate in the ongoing discussions between the public authorities and their private counterparts on the national implementation, allowing me to understand the challenges across sectors and company sizes. Some of the most relevant operational challenges will likely include (i) the switch from a passive to an active accreditation process (i.e., under NIS2 companies need to accredit themselves to public authorities rather than being selected by them); and (ii) the translation of requirements into standards while accounting for continuity with the NIS1 legal framework. Building on my previous experience with NIS1 implementation at French and Belgian level, my recommendations to clients will be driven to ensure compliance while guaranteeing operational excellence and business resilience.

Define if my organisation is in the scope  

Planning is everything. The first step is to define whether one's organisation falls under the scope of the NIS2 Directive and, in some cases, which parts of the organisation do. Every organisation under the scope of NIS1 is automatically concerned by the NIS2 Directive, and the Directive's structure allows this question to be answered before its transposition into Belgian law. We are developing a decision tree that can assist you in this process, and our experience can help clarify any doubts. Reach out for more information.

Carry out a cybersecurity maturity assessment 

Assess the current level of cybersecurity of my organisation. For those falling under the scope, we strongly encourage you to start assessing the cybersecurity maturity of your organisation to better determine its security strengths and weaknesses. You need to know where you are to decide where to go. For this purpose, Wavestone developed a well-renowned Cyber Benchmark that allows a 360° cybersecurity maturity assessment in just a couple of days. As icing on the cake, it helps position your organisation against the market and the industry. It supports you, as a CISO, in defining the priority cybersecurity projects to launch and in liaising with your Board to prepare the budget for the NIS2 programme.

Conduct a preliminary gap analysis 

Anticipate possible gaps against the already known high-level requirements. While the Belgian law implementing NIS2 still needs to be enacted (we don't yet know the detailed security measures to comply with!), we are aware that entities shall comply with a set of minimum explicit cybersecurity measures. Assessing the effort needed to comply with NIS2 is of paramount importance for an organisation, as it provides visibility on its cyber maturity and consequently on the effort and time required to set up a more cybersecure business environment. In turn, such a preliminary assessment will also allow the organisation to raise internal awareness and can be used as a catalyst to obtain the resources necessary to launch the desired actions. We encourage and assist our clients in developing initiatives to detect and assess emerging implementation and compliance risks.

Define the roadmap to compliance 

Design a pragmatic roadmap. Once the cybersecurity maturity level has been assessed, the gaps with the security measures required by the Directive have been identified, and a comprehensive risk analysis has been performed, all the necessary information is available to create a roadmap that merges compliance with operational excellence. Wavestone has built a great deal of experience in this exercise in the light of the aforementioned pieces of regulation, by consistently focusing on a pragmatic approach.

The implementation of NIS2 represents a major step forward in boosting the cybersecurity of the EU Single Market. However, while they will ultimately benefit from the adoption of comprehensive cybersecurity measures, many organisations will need to rethink their approach to cybersecurity. Hence, every effort put forward by entities to anticipate NIS2 implementation represents an investment with an undoubted return, entailing guaranteed strategic benefits in the long run.


Our team focuses significantly on this key topic to provide high-quality information, analysis and work. Thank you to Leonardo Barone, Corentin Decock, Guillaume Dizes and Xavier Zuinen for their involvement. Reach out to us to plan a 30-minute call to exchange learnings on this big topic!

References 

[1] ENISA (2022). Threat landscape for ransomware attacks. July 2022.

[2] See also: Wavestone (2022). Ransomware: Inside the former CONTI group. Available at: https://www.riskinsight-wavestone.com/en/2022/07/ransomware-inside-the-former-conti-group/

[3] ANSSI (2023). Cyber Threat Overview 2022. Available at: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-002.pdf

[4] Sievers, P. (2021). Proposal for a NIS directive 2.0: companies covered by the extended scope of application and their obligations.

[5] Belgian Cyber Security Coalition. The NIS2 Directive: a high common level of cybersecurity in the EU (webcast). Available at: https://blog.cybersecuritycoalition.be/webcasts/the-nis2-directive-a-high-common-level-of-cybersecurity-in-the-eu/

[6] Moniteur Belge - Belgisch Staatsblad (fgov.be). Available at: https://www.ejustice.just.fgov.be/eli/loi/2019/04/07/2019011507/moniteur

[7] Belgian Cyber Security Coalition. Available at: https://www.cybersecuritycoalition.be/


🛡️ ERIC VAN CANGH

Cyber Security and new technologies ambassador

1y

Great summary. If I may add, for Belgium the link with the CyFun cyber fundamentals framework is key! Johan Klykens ^^

Joanna HARDING

Experienced Information Security Advisor, Energetic Servant Leader

1y

Noëmie HONORE (She/Her) - wonderful summary, great points and accurate information! Bravo and thank you!

Bart Asnot

advise and support on cybersecurity strategy and trust

1y

Great summary Noëmie!