NIS2: What Belgian SMEs Need to Know in 2026
The NIS2 directive imposes new cybersecurity obligations on European businesses. Find out if your SME is affected, the key deadlines, and the concrete measures to implement.
The NIS2 Directive: A Turning Point for Cybersecurity in Europe
Since 18 October 2024, the European NIS2 directive (Network and Information Security 2) has been officially transposed into the national legislation of EU Member States. In Belgium, the law of 26 April 2024 adapted the national framework to incorporate these new requirements. For many Belgian SMEs, 2026 is the year when compliance becomes an unavoidable operational reality.
Unlike the original NIS directive, which only targeted large critical infrastructure operators, NIS2 significantly broadens its scope. Thousands of Belgian companies that previously felt untouched by cybersecurity regulation must now take action.
Is Your SME Affected?
NIS2 distinguishes two categories of entities:
- Essential entities: energy, transport, healthcare, drinking water, digital infrastructure, public administration, space.
- Important entities: postal services, waste management, manufacturing of critical products, food production, digital service providers, research.
The size criterion is decisive. Companies with 50 or more employees, or those with an annual turnover exceeding 10 million euros, fall within scope. However, some entities are covered regardless of their size, including DNS service providers, domain name registries, and trust service providers.
The Supply Chain: A Trap for Smaller Businesses
Even if your SME does not directly meet the size criteria, you could be affected indirectly. NIS2 requires covered entities to secure their supply chain. If you are a supplier to a company subject to NIS2, that company may demand cybersecurity guarantees from you. In practice, this means NIS2 compliance will trickle down across the entire Belgian business fabric.
The Concrete Obligations
1. Governance and Accountability
Management bodies must approve and oversee cybersecurity measures. Executives can be held personally liable in the event of a breach. Cybersecurity is no longer a technical matter delegated to the IT department — it is a board-level responsibility.
2. Risk Management Measures
NIS2 requires the implementation of proportionate technical and organisational measures, including:
- Risk analysis and treatment
- Security incident management
- Business continuity and crisis management
- Supply chain security
- Network and information system security
- Encryption and access control policies
- Multi-factor authentication (MFA)
3. Incident Notification
In the event of a significant incident, you must:
- Send an early warning within 24 hours of detection
- Provide a full notification within 72 hours
- Submit a final report within one month
In Belgium, the Centre for Cybersecurity Belgium (CCB) is the competent authority that receives these notifications.
4. Registration
Covered entities must register with the CCB. This process enables the authority to map the actors subject to the directive and organise supervision.
Sanctions: A Strong Signal
The sanctions under NIS2 are significant:
- Essential entities: fines up to 10 million euros or 2% of global annual turnover
- Important entities: fines up to 7 million euros or 1.4% of global annual turnover
Beyond fines, authorities can impose security audits, compliance orders, and in the most serious cases, temporarily suspend management functions.
Timeline: Where Do We Stand in 2026?
| Deadline | Milestone |
|---|---|
| October 2024 | Transposition into Belgian law |
| April 2025 | List of essential and important entities established by the CCB |
| 2025–2026 | Audit and enforcement campaigns |
| 2026 | Full application of sanctions |
In March 2026, we are in the active enforcement phase. Companies that have not yet begun their compliance journey are exposed to concrete risks.
Where to Start? 5 Priority Actions
1. Assess your status: Determine whether your company falls within the NIS2 scope, directly or through the supply chain.
2. Conduct a cybersecurity audit: Identify the gaps between your current practices and the directive’s requirements. A structured assessment will give you a clear roadmap.
3. Engage your leadership: Ensure that executives understand their responsibilities and formally approve the cybersecurity strategy.
4. Establish an incident management process: Document your detection, response, and notification procedures. Test them regularly.
5. Secure your supply chain: Assess the risks associated with your suppliers, particularly those hosting or processing your data outside the European Union.
The Link with Digital Sovereignty
NIS2 is part of a broader European drive to reclaim digital sovereignty. The directive implicitly encourages the use of European solutions and hosting providers. By choosing sovereign cloud providers and European-based infrastructure, you facilitate your NIS2 compliance while reducing your exposure to extraterritorial jurisdictions such as the US CLOUD Act.
This is precisely the approach we advocate at Hokhori Consulting: aligning regulatory compliance, data sovereignty, and operational performance.
Assess Your Sovereignty Level
Wondering where your company stands on digital sovereignty? Our Sovereign Score is a free diagnostic tool that evaluates your dependence on non-European providers and gives you concrete recommendations.