The cybersecurity landscape has become a major concern for all businesses, regardless of size. Cyber threats are proliferating and affect hospitals, industrial SMEs, service providers, and digital infrastructures alike. Every incident may lead to significant financial losses, business disruption, or lasting reputational damage.
It is in this context that the European NIS2 Directive (Network and Information Security Directive 2), also referred to as the NIS2 law, was adopted. Coming into force in October 2024, this new European directive replaces the 2016 NIS1 directive and imposes stricter cybersecurity requirements. It aims to establish a harmonized cybersecurity framework across member states in order to strengthen collective resilience to cyber threats.
Unlike the first version, NIS2 broadens its scope to a large number of organizations. These include essential entities and important entities, as well as network providers and digital service providers. Thus, all concerned entities must prepare to comply with the obligations imposed by the directive.
What Is the NIS2 Directive?
The NIS2 directive, adopted under Regulation (EU) 2022/2555, aims to strengthen cybersecurity of networks and information systems. It stipulates that essential entities and important entities must adopt all necessary measures to ensure the security of their systems.
Cybersecurity Requirements under NIS2
- Risk Management: Businesses must assess management practices and identify risks associated with their information systems.
- Detection and Response: Entities must implement the necessary technical measures to react to significant incidents.
- Incident Notification: Any major incident must be reported within 24 hours to competent authorities.
- Governance: The executive bodies must actively engage in cybersecurity policy.
Which Businesses Are Affected?
NIS2 precisely defines the entities concerned. These are critical entities belonging to these categories:
- Essential entities: sectors such as energy, transport, health, digital infrastructures, water, public administration, etc.
- Important entities: critical manufacturing industries, digital services, postal services, the food sector, etc.
Thus, essential and important entities must implement the required cybersecurity measures, even if they are companies of modest size or with more than 50 employees but strategic in nature. Belgium, in particular, has specified that entities must register with the Centre for Cybersecurity Belgium (CCB) within 2 months after their identification.
What Are the Risks in Case of Non‑Compliance?
Non-compliance with the obligations of the law raises the severity of sanctions. Fines may reach up to €10 million or 2 % of global turnover. But the consequences are not only financial. They may include:
- Loss of customer trust
- Breakdown in relationships with strategic partners
- Exclusion from certain markets
As NIS2 serves as a legal framework, it imposes direct responsibility on management bodies. This means that executives may be held liable in the event of a breach. In Belgium, corporate cybersecurity is a national issue, and the CCB monitors compliance.
How to Prepare for NIS2?
Essential and important entities can hardly adapt on their own. Expert support is highly recommended. Companies must:
- Evaluate system vulnerabilities
- Implement NIS2 requirements into their internal processes
- Strengthen existing cybersecurity measures and reduce risks
- Define incident management procedures
- Train employees
Suppliers, as well as critical entities, must also ensure that their subcontractors adhere to the standards imposed by the directive.
Why Get Support?
Under the NIS2 law, the requirements are technical, organizational, and legal. European companies must ensure they are ready before 18 March 2025. This involves:
- A NIS2 compliance audit
- Certification or authorization regarding information systems
- Continuous monitoring
Important entities may benefit from personalized assistance to comply with all measures required by the directive. In Belgium, cybersecurity is taken very seriously and companies must register in a sustainable process.
What Happens After 18 March 2025?
After 18 March 2025, all essential and important entities must have fully applied the requirements of the NIS2 directive. This includes the ability to notify significant incidents within the required deadlines and to document their security processes. The directive also imposes a duty of continuous oversight, with regular audits to ensure adherence to the legal framework.
The directive specifies that companies must also take into account aspects related to their supply chains and vendors. Digital service providers and postal services must actively demonstrate compliance. Many organizations will need to adapt their contracts and internal policies to align with the new requirements.
Finally, Article 21 of the directive reminds that companies must register with the competent authorities, within a reasonable time after being identified as essential or important entities. This requirement constitutes a crucial control mechanism in the implementation of European cybersecurity policies.
Conclusion
The NIS2 directive is not merely an update of NIS1. It represents a paradigm shift for corporate cybersecurity. Understand the obligations, implement best practices, and commit today to NIS2 compliance.
Essential and important entities must comply with the new rules by 18 March 2025. By acting now, they secure their competitiveness and credibility with clients, partners, and investors. Ignoring the directive exposes them to sanctions and business continuity risk.
NIS2: What Businesses Must Know in 2025
Cybersecurity in Belgium has changed dimension: all companies, as well as suppliers, must adapt. NIS2 also clarifies the responsibilities of leadership teams, ending an era when cybersecurity could be delegated unchecked. Compliance is an opportunity for transformation, not a burden.
👉 Want to evaluate your compliance level or get support for your NIS2 compliance? Contact Iterates now for tailored assistance.
