NIS2: The 10 Minimum Technical Measures Before End of 2026
The NIS2 directive requires concrete technical measures before the end of 2026. Discover the 10 priority actions to bring your organisation into compliance quickly and effectively.
The Time for Technical Decisions
Since the NIS2 directive was transposed into Belgian law (law of 26 April 2024), strategic discussions have largely occupied boardrooms. Governance, executive liability, registration with the Centre for Cybersecurity Belgium (CCB): these topics have legitimately consumed leadership teams.
But 2026 is also the year when technical teams must deliver. CCB enforcement checks now focus on concrete realities: are your systems patched? Are your backups encrypted? Are your administrators using MFA?
Here are the 10 technical measures you must have in place before year end. For each, we clarify what NIS2 requires, why it matters, and how to implement it without delay.
1. Multi-Factor Authentication (MFA) for All Remote Access
What NIS2 requires: Article 21 of the directive mandates access control policies including multi-factor authentication for access to information systems, particularly for remote access.
Why it matters: 80% of breaches involve stolen or weak credentials. MFA blocks the majority of credential stuffing and phishing attacks.
How to implement quickly:
- Enable MFA on your Microsoft 365, Google Workspace, or collaborative suite through native security settings (included in standard licences at no extra cost)
- Deploy a TOTP solution (Google Authenticator, Authy) or a physical FIDO2 key for VPN access and SSH connections
- Absolute priority: administration accounts, access to HR and financial data, access to backups
Realistic timeline: 1 to 2 weeks for SaaS tools, 2 to 4 weeks for VPN access.
2. Hardened MFA for Administration Accounts
What NIS2 requires: Privileged accounts (system administrators, network administrators, root access) must be subject to even stricter authentication measures.
Why it matters: A compromised administrator account can wipe out your entire infrastructure within minutes. It is the primary target of ransomware operators.
How to implement quickly:
- Apply the principle of least privilege: each administrator has a standard account for daily work and a separate admin account for administrative tasks
- Require physical FIDO2 keys (YubiKey or equivalent) for all admin accounts — do not rely solely on a TOTP app
- Enable full audit logging of all actions performed with administration accounts
- Review the list of active admin accounts quarterly
Realistic timeline: 2 to 3 weeks.
3. Patch Management and Updates
What NIS2 requires: The directive mandates rigorous vulnerability management, including the application of patches within controlled timeframes.
Why it matters: The majority of cyberattacks exploit known vulnerabilities for which a patch already exists. Failing to patch means leaving a door open whose location attackers know exactly.
How to implement quickly:
- Establish a documented patch management policy with clear timeframes: critical (CVSS ≥ 9) → 24 to 48 hours, high (CVSS 7–9) → 7 days, medium → 30 days
- Deploy a patch management tool (Windows Server Update Services, Ansible, Intune, ManageEngine) if you do not already have one
- Include network equipment (routers, switches, firewalls) in your patch scope — they are frequently overlooked
- Document each patch cycle and retain logs for at least one year
Realistic timeline: policy, 1 week; tooling, 2 to 6 weeks depending on the complexity of your infrastructure.
4. Network Segmentation
What NIS2 requires: Network and information system security, including measures to limit the propagation of an attack.
Why it matters: Without segmentation, a compromised endpoint can freely communicate with your entire network. Ransomware exploits this absence of barriers to spread across all your systems within minutes.
How to implement quickly:
- Separate at minimum into three zones: user network, server/production network, guest/IoT network
- Configure strict firewall rules between these zones (deny by default, explicit allow)
- Isolate your backup systems on a separate network segment, inaccessible from the user network
- For more complex environments: consider micro-segmentation or a Zero Trust Network Access (ZTNA) approach
Realistic timeline: Basic segmentation with existing hardware: 2 to 4 weeks.
5. Encrypted and Tested Backups
What NIS2 requires: Business continuity, backup management, and incident recovery.
Why it matters: An untested backup is a non-existent backup. In 2025, several Belgian organisations discovered that their backups were corrupted or insufficient at precisely the moment they needed them most.
How to implement quickly:
- Apply the 3-2-1-1 rule: 3 copies, on 2 different media types, with 1 offsite, and 1 offline (air-gapped)
- Encrypt all backups with a modern algorithm (AES-256) — if your backup solution does not offer this natively, change solutions
- Test the restoration of at least one critical dataset every month — document the result
- Store encryption keys separately from the backups themselves
Realistic timeline: 2 to 4 weeks to reconfigure an existing solution, 4 to 8 weeks to deploy a new one.
6. Regular Vulnerability Scanning
What NIS2 requires: Vulnerability management and technical risk treatment.
Why it matters: You cannot fix what you cannot see. Regular scanning gives you a real-time view of your attack surface.
How to implement quickly:
- Deploy an open-source vulnerability scanner (OpenVAS/Greenbone) or a commercial solution (Tenable Nessus Essentials is free for smaller organisations; Qualys for larger ones)
- Schedule an automatic weekly scan on all internet-facing systems and a monthly scan across the entire internal network
- Create a vulnerability treatment process: each critical vulnerability must be assigned to an owner with a resolution date
- Retain scan history to demonstrate your diligence to auditors
Realistic timeline: 1 to 2 weeks.
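As an added example (not code from the article or from any scanner it names), here is a small Python tracker that applies the CVSS-based deadlines of measure 3 to scanner findings and flags the owner-assignment gap of measure 6. The 90-day window for low findings, the finding ids, hosts and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Deadlines from the measure 3 patch policy: critical (CVSS >= 9) 48 hours,
# high (CVSS 7-9) 7 days, medium 30 days. The page gives no deadline for
# low findings (CVSS < 4); the 90-day window is an assumption for this example.
SLA = ((9.0, timedelta(hours=48)), (7.0, timedelta(days=7)),
       (4.0, timedelta(days=30)), (0.0, timedelta(days=90)))


@dataclass
class Finding:
    """One scanner result. Ids and hosts are constructed sample values."""
    fid: str
    host: str
    cvss: float
    found: datetime
    owner: Optional[str] = None       # measure 6: critical findings need an owner
    fixed: Optional[datetime] = None  # closed findings stay in the history

def sla_for(cvss: float) -> timedelta:
    for threshold, window in SLA:
        if cvss >= threshold:
            return window
    raise ValueError("CVSS score must be between 0 and 10")

def due_date(f: Finding) -> datetime:
    return f.found + sla_for(f.cvss)

def review(findings, now: datetime) -> dict:
    """Open findings past their deadline, and critical findings nobody owns."""
    report = {"overdue": [], "on_track": [], "unowned_critical": []}
    for f in findings:
        if f.fixed is not None:
            continue
        if f.cvss >= 9.0 and f.owner is None:
            report["unowned_critical"].append(f.fid)
        report["overdue" if now > due_date(f) else "on_track"].append(f.fid)
    return report

# Constructed sample export from a weekly external scan (not real data)
SCAN = [
    Finding("VULN-0001", "vpn-gw", 9.8, datetime(2026, 3, 2, 9, 0), owner="net-team"),
    Finding("VULN-0002", "mail-01", 7.5, datetime(2026, 3, 2, 9, 0), owner="ops"),
    Finding("VULN-0003", "fw-edge", 9.1, datetime(2026, 3, 3, 9, 0)),
    Finding("VULN-0004", "file-01", 5.3, datetime(2026, 2, 1, 9, 0), "ops", datetime(2026, 2, 20, 9, 0)),
]
REVIEW_AT = datetime(2026, 3, 5, 10, 0)
```

Running review(SCAN, REVIEW_AT) reports VULN-0001 and VULN-0003 as overdue and VULN-0003 as a critical finding without an owner, which is exactly the list to bring to the weekly vulnerability review.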
7. Security Event Logging
What NIS2 requires: Incident detection and response capabilities, including logging mechanisms.
Why it matters: Without logs, you cannot detect an ongoing intrusion or reconstruct what happened after an incident. The CCB can request these logs during an inspection.
How to implement quickly:
- Centralise your logs in a SIEM (Security Information and Event Management) solution — Elastic SIEM (free, open source), Wazuh (free), or a managed solution such as Microsoft Sentinel
- Log at a minimum: successful and failed logins, administration account changes, access to sensitive data, network configuration modifications
- Configure a minimum retention period of 12 months for security logs (CCB recommendation)
- Set up automatic alerts on critical events (repeated login attempts, changes to privileged accounts)
Realistic timeline: 2 to 4 weeks for a basic deployment, longer for alert tuning.
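As an added example (not the article's code, and not tied to any of the SIEM products it names), the two alert rules listed above run over a few constructed log lines in Python. The log format, hosts, users, addresses, the five-failures-in-five-minutes threshold and the privileged group names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple "timestamp key=value ..." shape; the
# format, hosts, users and addresses are assumptions made for this example.
SAMPLE_LOG = """\
2026-03-05T08:00:01 host=vpn-gw event=login user=alice src=203.0.113.5 result=ok
2026-03-05T08:01:10 host=vpn-gw event=login user=bob src=198.51.100.7 result=fail
2026-03-05T08:01:15 host=vpn-gw event=login user=bob src=198.51.100.7 result=fail
2026-03-05T08:01:21 host=vpn-gw event=login user=bob src=198.51.100.7 result=fail
2026-03-05T08:01:30 host=vpn-gw event=login user=bob src=198.51.100.7 result=fail
2026-03-05T08:01:44 host=vpn-gw event=login user=bob src=198.51.100.7 result=fail
2026-03-05T08:30:00 host=dc-01 event=group_change group=domain-admins action=add member=svc-backup by=carol
2026-03-05T08:31:00 host=dc-01 event=group_change group=printer-users action=add member=dave by=carol
"""

# Groups whose membership changes count as "changes to privileged accounts"
PRIVILEGED_GROUPS = {"domain-admins", "sudo", "wheel"}   # assumption
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

def parse(line: str):
    """Turn one log line into a dict; return None for lines we cannot read."""
    m = LINE.match(line)
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec

def detect(lines, threshold: int = 5, window=timedelta(minutes=5)):
    """Return alerts for repeated failed logins and privileged group changes."""
    alerts = []
    failures = defaultdict(list)   # (user, source) -> recent failure timestamps
    for rec in filter(None, map(parse, lines)):
        if rec.get("event") == "login" and rec.get("result") == "fail":
            key = (rec["user"], rec["src"])
            recent = [t for t in failures[key] if rec["ts"] - t <= window]
            recent.append(rec["ts"])
            failures[key] = recent
            if len(recent) == threshold:   # fire once when the threshold is hit
                alerts.append(("repeated_failed_login", rec["user"], rec["src"]))
        elif rec.get("event") == "group_change" and rec.get("group") in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_change", rec["member"], rec["by"]))
    return alerts

def run_sample():
    return detect(SAMPLE_LOG.splitlines())
```

The sliding window keeps only failures inside the last five minutes, so a slow trickle of failures over a day does not page anyone, while the group rule ignores the non-privileged printer-users change.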
8. Security Contracts with IT Suppliers
What NIS2 requires: Supply chain security — covered entities must contractualise security requirements with their IT suppliers and service providers.
Why it matters: A significant proportion of cyberattacks today pass through third-party suppliers (the SolarWinds attack is the most notable example). Your security level is that of your weakest link.
How to implement quickly:
- Inventory all your IT suppliers and service providers who have access to your systems or data
- Add security clauses to contracts or addenda: obligation to notify incidents within 24 hours, right of audit, certification requirements (ISO 27001 or equivalent), subcontracting conditions
- Send an annual security questionnaire to your critical suppliers
- For existing suppliers without security clauses: prioritise the most critical ones and negotiate an addendum
Realistic timeline: 4 to 8 weeks for new contracts, longer for addenda to existing contracts.
9. Cybersecurity Awareness Training for All Staff
What NIS2 requires: Covered entities must implement cybersecurity awareness training for all personnel.
Why it matters: 95% of cybersecurity incidents involve human error. A trained employee who recognises a phishing email is your best defence against even the most sophisticated attacks.
How to implement quickly:
- Deploy an online awareness platform (KnowBe4, Proofpoint Security Awareness, or open-source tools like Gophish to simulate phishing campaigns)
- Minimum programme: onboarding training module, annual refresher, quarterly phishing simulations
- Priority content: phishing recognition, password management, incident reporting, safe use of mobile devices
- Document participation records — this is what auditors will verify
Realistic timeline: 2 to 4 weeks to launch a first programme.
10. Documented and Tested Incident Response Plan
What NIS2 requires: A formalised security incident management process, with procedures for notifying authorities (CCB) within the prescribed timeframes: early warning within 24 hours, full notification within 72 hours, final report within 1 month.
Why it matters: In a crisis, no one should be searching their memory for what to do. A documented plan reduces response time and prevents costly mistakes. It is also essential for meeting the strict notification deadlines imposed by NIS2.
How to implement quickly:
- Draft an incident response plan covering 5 phases: preparation, detection, containment, eradication, recovery
- Designate an incident owner (CISO, IT manager, or external provider) with a contact number available 24/7
- Include CCB contact details: cert.be for incident notifications
- Test the plan through a tabletop exercise at least once a year — simulate a ransomware or data breach scenario
- Store the plan in a location accessible offline (it must be available even if your network is compromised)
Realistic timeline: 2 to 3 weeks to draft a basic plan, longer for testing.
Where to Start if Everything Remains to Be Done
If you are starting from scratch, do not try to tackle everything simultaneously. Here is a pragmatic sequence:
Weeks 1 to 2 — Quick wins with high impact:
- MFA on all accounts (measures 1 and 2)
- Launch the vulnerability scanner (measure 6)
- Emergency phishing awareness training (measure 9)
Weeks 3 to 6 — Infrastructure:
- Patch management policy and first cycle (measure 3)
- Basic network segmentation (measure 4)
- Log centralisation (measure 7)
Weeks 7 to 12 — Processes and governance:
- Backup audit and remediation (measure 5)
- Supplier contract review (measure 8)
- Incident response plan (measure 10)
Assess Your NIS2 Compliance Level
Would you like to know where your organisation truly stands against these 10 measures? Our Sovereign Score diagnostic includes an assessment of your NIS2 posture and provides a prioritised roadmap tailored to your context.