From theory to practice: Belgium’s experience implementing the NIS2 directive

Could you briefly introduce the Centre for Cybersecurity Belgium (CCB) and your role in implementing the NIS 2 Directive?
The CCB is Belgium’s national authority responsible for cybersecurity, equivalent to France’s ANSSI. We define and implement the national cybersecurity strategy, act as the national CERT for incident management, and play a central role in disseminating information on threats, vulnerabilities and best practices to mitigate them.
We are also the competent authority for implementing the NIS2 Directive, with a significant responsibility for adapting Belgium’s national regulatory framework on cybersecurity. A distinctive feature of Belgium is that our target audience is very broad, covering vital operators, public administrations, private organisations, and the general public alike.
Finally, we also serve as the national certification authority under the EU Cybersecurity Act, and as the National Coordination Centre (NCC) within the European network of cybersecurity centres.
How does the NIS2 Directive change the landscape compared to NIS1?
The most striking change lies in the expansion of the scope. NIS2 now covers sectors such as public administrations and certain essential services like waste or water management, raising the number of covered sectors from 7 to 18. The identification of entities is also far clearer and more consistent, based on objective criteria such as the sector of activity, number of full‑time equivalent staff, or turnover. Under NIS1, identification was largely left to member states’ discretion, leading to divergent approaches and gaps.
NIS2 is also more specific regarding the security measures to be implemented (multi‑factor authentication, policies and procedures on cryptography, training, etc.), which provides clearer guidance for both authorities and organisations. Finally, the Directive directly addresses management accountability, an essential lever to raise overall resilience levels.
Belgium was the first EU country to transpose the NIS2 Directive into national law. We conducted extensive consultations with sectoral authorities, professional federations, and field actors to ensure the law was truly applicable to each sector. NIS2 entered into force in Belgium on 18 October 2024.
How did implementation unfold in practice for Belgian organisations?
The entities concerned had until 18 March 2025 to register on our portal safeonweb@work. To date, around 7,380 organisations have registered, including just over 1,574 essential entities and more than 2,617 important ones, with the rest registering voluntarily. NIS2 entities have until 18 April 2026 to demonstrate the implementation of a minimum level of cybersecurity (Basic or Important) under our national framework, and until 18 April 2027 to obtain CyFun or ISO 27001 certification.
Through the safeonweb@work portal, registered entities can access a wide range of services: document templates, videos, webinars, vulnerability scanning tools, and targeted information to enhance their security. More than just an administrative interface, this portal aims to be a genuine ecosystem of support and continuous learning.
What factors motivated the creation of this CyFun framework specific to Belgium?
Under NIS1, we mainly recommended ISO 27001, but we realised that many organisations needed a more concrete and accessible framework. We therefore designed our own reference framework, CyFun, based on international standards (ISO 27001, NIST, CIS Controls, IEC 62443) and our operational experience as a national CERT. It is structured along four levels – Small (basic cyber hygiene), Basic, Important, and Essential – allowing organisations to progress gradually in maturity.
This modular approach has been very well received and has sparked considerable interest at the European level. It addresses the real need for harmonisation among NIS2 entities active across several countries, who clearly do not wish to repeat the entire compliance exercise for different frameworks in each member state. Romania and Ireland have already joined the initiative as contributors, and other countries, such as Malta, are considering adopting or adapting it. The goal is to harmonise practices between member states to make compliance easier for cross‑border organisations.
The Directive highlights a more proactive approach to cybersecurity. How have you put this into practice?
Belgium advocated for the inclusion of the concept of Active Cyber Protection in NIS2, so as to move beyond a purely reactive approach. This concept is underpinned by four principles: proactivity, adaptation to entities’ size and type (one cannot impose the same obligations on an SME as on a large corporation), automation to keep pace with threats, and participation of both NIS2 entities and citizens.
In practice, Active Cyber Protection translates into several major projects. While CyFun forms the backbone, the Belgian Anti‑Phishing Shield (BAPS) alerts Internet users when they attempt to access fraudulent or malicious sites, in collaboration with Internet service providers. In 2024, the warning page was displayed around 240 million times, illustrating the scale of this system. For several years, the CCB has also encouraged citizens to forward suspicious emails to suspect@safeonweb.be. The CCB receives about 30,000 such emails per day, continuously reinforcing Belgium’s digital protection through this participative approach.
Similarly, the Spear Warning project aims to identify vulnerable, infected or data‑exposed systems through various sources of information. When such a system is detected, we directly inform the organisation concerned so they can remedy the issue. Spear Warning perfectly illustrates our proactive cybersecurity mindset: rather than waiting for incidents to occur, we actively look for weaknesses. In parallel, we also run nationwide awareness campaigns for the Belgian public.
Have you already observed any impact from NIS2 on the number of incidents reported?
Since NIS2 came into force, we have observed a significant increase in the number of incidents notified, from an average of around 25 to over 45 each month. This rise is partly due to the mandatory notification requirement for NIS2 entities, but it also reflects greater trust in the CCB’s role and a better understanding of our support mission. Our objective is to help organisations contain and manage incidents, not merely to oversee them.
What are the main difficulties reported by organisations when applying NIS2?
The first challenge is the growing number of overlapping European regulations with which some organisations must comply: NIS2, DORA, CER, GDPR, and various sectoral frameworks. This creates considerable complexity, particularly for incident reporting, with differing deadlines and requirements across regulations. The European Union is working to address this fragmentation through initiatives such as the Digital Omnibus and the revision of the Cybersecurity Act, aimed at simplifying and harmonising obligations.
A second key challenge concerns supply chain management. SMEs providing services to large NIS2 entities often find themselves subject to stringent security requirements without having the necessary maturity or resources.
Finally, while awareness of increased management accountability is growing, it remains uneven. Some top executives have not yet fully grasped that they can now be held personally liable in cases of serious non‑compliance.
Are certain sectors particularly struggling – or conversely, more advanced?
Sectors such as banking or energy were already highly mature before NIS2 due to strict existing regulations. Conversely, newly covered sectors, such as waste management or parts of the water sector, had not previously prioritised cybersecurity.
Certain sectors, such as the public and healthcare sectors, are particularly targeted because of their strong attractiveness to cybercriminals. And indeed, some sectors are more mature than others. It is precisely for these less mature sectors that we have developed reinforced support and a set of accessible resources through the CyFun portal.
Does the staggered transposition of the directive across member states affect your work?
For the CCB itself, transposition timelines elsewhere have not hindered our progress. However, they do complicate matters for organisations operating across several countries, which may face stricter obligations in one member state while working within a less defined framework in another. This is precisely why convergence around common frameworks such as CyFun is so important.
NIS2 also stresses enhanced European cooperation. How does this materialise for the CCB?
Cooperation with other member states is in the CCB’s DNA. We already work closely with our counterparts through several European networks, such as the NIS Cooperation Group, the CSIRT Network, which enables very concrete operational collaboration, or the EU‑CyCLONe Network, dedicated to crisis management. These structures facilitate information sharing, cross‑border incident coordination, and the joint development of best practices. In a landscape where cyberattacks know no borders, close cooperation is essential. We are also implementing bilateral cooperations.
To conclude, how would you summarise Belgium’s philosophy in implementing the NIS2 Directive?
We wanted to be fast, but above all pragmatic and close to the field. NIS2 is not merely a control framework, even though we do hold inspection and sanction powers in cases of non‑compliance. It is an opportunity to strengthen national cyber‑resilience through a clear framework, tangible tools, and a gradual, supportive approach. The goal is simple: to ensure that every organisation, regardless of its size, can improve its security posture and contribute to raising the overall level of cybersecurity in the country.