What NIS2 Is and Why It Matters

The NIS2 Directive (Directive (EU) 2022/2555) is the successor to the original NIS Directive (2016/1148) and represents a substantial expansion of the EU's cybersecurity regulatory framework. It was published in December 2022 and required transposition into national law by 17 October 2024. NIS2 replaces the original NIS Directive in its entirety, introducing stricter obligations, broader scope, mandatory supervisory measures, and a more harmonised enforcement regime across EU member states.

NIS2 matters because it extends the EU's cybersecurity obligations from critical infrastructure operators (the original NIS scope) to a much wider range of sectors and entities. Where the original NIS applied to operators of essential services in sectors like energy, transport, water, and healthcare, NIS2 covers 18 sectors divided into "essential entities" and "important entities", with different supervisory and enforcement regimes for each. Any organisation of a certain size operating in a covered sector needs to understand whether it falls within NIS2's scope and, if so, what obligations it faces.

Scope: Who Is Covered

NIS2 applies to medium and large entities operating in 11 "high-criticality sectors" (Annex I: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space) and 7 "other critical sectors" (Annex II: postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research). The size threshold is generally 50 or more employees or EUR 10 million in annual turnover, but certain categories of entities are in scope regardless of size (DNS providers, TLD registries, cloud providers, data centres, content delivery networks, and certain critical infrastructure operators).

Member states may also designate additional entities as essential or important in sectors of particular national concern. Belgium's transposition of NIS2, through the NIS2-wet (Law of 26 April 2024), implements the Directive's scope requirements and designates the Centre for Cyber Security Belgium (CCB) as the national NIS2 competent authority and Computer Security Incident Response Team (CSIRT).

Core Obligations Under NIS2

NIS2 imposes four categories of obligations on covered entities. First, risk management: entities must implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks, covering incident handling, supply chain security, access control, encryption, vulnerability disclosure, and multi-factor authentication, among other requirements. Second, incident reporting: significant incidents must be notified to the competent authority within 24 hours (early warning), 72 hours (incident notification with initial assessment), and one month (final report). Third, governance: management bodies must approve the cybersecurity risk management measures, oversee their implementation, and be liable for violations. Fourth, supply chain security: entities must assess and address cybersecurity risks in their supply chain relationships with suppliers and service providers.

A distinctive feature of NIS2 compared to its predecessor is the personal liability of management body members: NIS2 requires member states to provide that management bodies of essential entities can be held personally liable for failing to comply with the cybersecurity risk management obligations, and provides for temporary prohibition from management roles as a sanction. This provision creates direct personal accountability for cybersecurity governance that goes beyond the general corporate law framework in most member states.

Frequently Asked Questions

How does NIS2 relate to GDPR?

NIS2 and GDPR address overlapping but distinct risks. GDPR governs the protection of personal data and imposes breach notification obligations when personal data is compromised. NIS2 governs the cybersecurity of network and information systems in covered sectors and imposes incident reporting obligations for security incidents affecting service availability and integrity, regardless of whether personal data is involved. A ransomware attack on a hospital system may trigger both NIS2 incident reporting (security incident affecting essential services) and GDPR breach notification (personal data of patients potentially compromised). Organisations in NIS2-covered sectors need compliance frameworks that address both regimes in an integrated way.

What are the penalties for NIS2 violations?

NIS2 sets minimum harmonised penalty levels. For essential entities, administrative fines must be at least EUR 10 million or 2% of global annual turnover, whichever is higher. For important entities, the minimum is EUR 7 million or 1.4% of global annual turnover. These penalty levels are similar in structure to GDPR fines and signal that cybersecurity non-compliance is now in the same regulatory risk tier as data protection violations. Belgium's NIS2 transposition implements these penalty levels and grants the CCB enforcement powers including binding instructions, security audits, and fines.

Does NIS2 apply to SMEs?

NIS2 generally exempts micro and small enterprises (fewer than 50 employees and annual turnover below EUR 10 million) from its scope, except for certain categories of entities that are in scope regardless of size (DNS service providers, TLD registry operators, certain digital service providers, and entities designated as critical by member states). SMEs that are part of the supply chain of NIS2-covered entities should also be aware that they may face contractual cybersecurity requirements imposed by their customers as part of supply chain security obligations under Article 21 NIS2.

Bart Lieben
Attorney-at-Law