NIS2: inspections begin in 2026. Are you ready?
The NIS2 directive imposes new cyber obligations on Belgian companies. Penalties, deadlines, concrete requirements: everything you need to know.
Since April 2024, the NIS2 directive has been transposed into Belgian law. In 2026, the first CCB inspections are under way. The penalties? Up to €10 million or 2% of your global turnover.
This is no longer a "someday" project. It's now.
Did you know?
NIS2 penalties can reach up to €10 million or 2% of global turnover, and management is personally liable for non-compliance.
Who is affected?
Two main criteria: your company has more than 50 employees or generates more than €10 million in revenue, and it operates in a listed sector. The listed sectors are energy, healthcare, transport, digital, manufacturing, food, postal services, waste management, chemicals, research, banking and finance.
Watch out: even smaller SMEs can fall under NIS2 if they're part of the supply chain of an essential entity. An IT subcontractor of 30 people working for the Belgian energy sector? Covered.
The scope is broad. In Belgium, we're going from a few hundred companies covered under NIS1 to several thousand under NIS2. The difference is massive.
If you're not sure, our free mini-audit gives you the answer in 3 minutes.
The 5 key obligations
1. Risk management. Document a risk analysis and implement proportionate security measures: business continuity, encryption, access control, vulnerability management. No one-size-fits-all model, but an approach tailored to your size.
2. Incident notification within 24 hours. Significant incident? Alert the CCB within 24 hours, full report within 72 hours, final report within the month. No room for improvisation. Prepare a response plan now, not during the crisis.
3. Cyber governance. Management is personally liable. Executives must approve security policies, oversee their implementation, and undergo cyber training themselves. This is no longer "an IT thing".
4. Mandatory team training. This is no longer a recommendation: it's the law. NIS2 requires awareness training for all staff, with special attention for exposed roles: management, finance, IT, HR. Inspectors will verify that this training took place.
5. Supply chain security. Assess the security practices of your suppliers. Include cyber clauses in your contracts. Your security is only as strong as the weakest link in your chain.
To go further, our GDPR & NIS2 training covers these obligations in detail. Available as a lunch & learn, half-day or conference.
Take action
Companies that haven't started yet are behind. But it's not too late — as long as you act now.
- Check your situation with our free mini-audit
- Train your management and teams with our GDPR & NIS2 training
- Need full support? Contact us for a compliance roadmap