NIS2: what companies need to know in 2025

Cyber security has become a major issue for all businesses, whatever their size. Cyber threats are on the increase, affecting hospitals, SMEs, service providers and digital infrastructures alike. Each incident can result in considerable financial loss, disruption of business or lasting damage to reputation.

It was against this backdrop that the European NIS2 Directive (Network and Information Security Directive 2), also known as the NIS2 Act, was adopted. Coming into force in October 2024, this new European directive replaces the 2016 NIS1 directive and imposes stricter cyber security requirements. It aims to establish a harmonised cybersecurity framework across Member States, to strengthen collective resilience against cyber threats.

Unlike the first version, NIS2 extends its scope to a much larger number of organisations. This includes essential and important entities, as well as network providers and digital service providers. All the entities concerned must therefore be prepared to comply with the obligations imposed by the directive.

What is the NIS2 directive?


The aim of the NIS2 Directive, adopted as Directive (EU) 2022/2555, is to strengthen the cybersecurity of networks and information systems. It specifies that essential and important entities must adopt all necessary measures to ensure the security of their systems.

Among the cybersecurity requirements imposed by the directive:

  • Risk management: companies must assess their risk-management practices and identify the risks to their information systems.
  • Detection and response: entities must implement the technical measures needed to detect and respond to significant incidents.
  • Notification: any major incident must be reported to the relevant authorities within 24 hours.
  • Governance: management bodies must be actively involved in cyber security policy.

Which companies are affected?

NIS2 precisely defines the entities concerned. These are critical entities in the following categories:

  • Essential entities (energy, transport, health, digital infrastructure, water, public administrations, etc.).
  • Important entities (critical manufacturing industries, digital services, postal services, food sector, etc.).

Essential and important entities must implement the required cybersecurity measures, whether they are companies with more than 50 employees or smaller companies considered strategic. Belgium has specified that these entities must register with the Belgian Cyber Security Centre (CCB) within 2 months of being identified.

What are the risks of non-compliance?

Failure to comply with the obligations of the law exposes organisations to heavy penalties. Fines can reach up to 10 million euros or 2% of worldwide turnover. But the consequences are not just financial. They can include:

  • Loss of customer confidence
  • Loss of strategic partners
  • Exclusion from certain markets

As a legal framework, NIS2 imposes direct liability on management. This means that management bodies can be held personally liable in the event of non-compliance. In Belgium, corporate cyber security is a national issue, and the CCB is responsible for overseeing compliance.

How do you prepare for NIS2?

It is difficult for essential and important entities to adapt on their own, and expert support is strongly recommended. Companies must:

  • Assess the vulnerabilities of their systems
  • Implement NIS2 requirements in their internal processes
  • Reinforce existing cyber security measures and reduce risks
  • Define procedures to follow in the event of an incident
  • Train employees

Suppliers and critical entities must also ensure that their subcontractors adhere to the standards imposed by the directive.

Why get support?

Under the NIS2 law, the requirements are technical, organisational and legal. European companies must ensure that they are ready before 18 March 2025. This means:

  • NIS2 compliance audit
  • Certification or authorisation for information systems
  • Ongoing monitoring

Large organisations can benefit from personalised assistance to help them comply with all the measures required by the directive. In Belgium, cybersecurity is taken very seriously and companies need to be part of a sustainable process.


What happens after 18 March 2025?

After 18 March 2025, all essential and important entities must have fully implemented the requirements of the NIS2 Directive. This includes the ability to notify significant incidents within the required timeframes and to document their security processes. The directive also imposes a duty of continuous monitoring, with regular audits to ensure compliance with the legal framework.

The directive specifies that companies must also take into account aspects relating to supply chains and suppliers. Service providers and postal services must demonstrate active compliance. Many companies will need to adapt their contracts and internal policies to align with the new requirements.

Lastly, Article 21 of the Directive stipulates that companies must register with the competent authorities within a reasonable time of being identified as an essential or important entity. This requirement is a crucial control mechanism in the implementation of European cybersecurity policies.

Conclusion

The NIS2 Directive is not simply an update of the NIS1 Directive. It represents a paradigm shift in cybersecurity for businesses. Find out more about the obligations, implement best practices, and commit to NIS2 compliance today.

Essential and important entities must comply with the new rules by 18 March 2025. By acting now, they can ensure that they remain competitive and credible in the eyes of their customers, partners and investors. Ignoring the directive exposes them to penalties and to a loss of business continuity.

Cybersecurity in Belgium has changed in scale: all companies, as well as their suppliers, must adapt. NIS2 also clarifies the responsibilities of management teams, putting an end to an era when cybersecurity could be delegated without oversight. Compliance is an opportunity for transformation, not a constraint.

👉 Would you like to assess your level of compliance or receive support in achieving NIS2 compliance? Contact Iterates now for tailor-made support.

Author
Rodolphe Balay
Rodolphe Balay is co-founder of iterates, a web agency specialising in the development of web and mobile applications. He works with businesses and start-ups to create customised, easy-to-use digital solutions tailored to their needs.
