Understand your obligations, prepare for conformity assessment, and build a defensible cybersecurity program.
The Network and Information Security Directive (NIS2) is the EU's updated cybersecurity regulation applying to essential and important entities across critical sectors. In Belgium, the Centre for Cybersecurity Belgium (CCB) is the supervisory authority.
Applies to: Energy, transport, banking, health, digital infrastructure, public administration, and more.
The Digital Operational Resilience Act (DORA) is an EU regulation specific to the financial sector, addressing ICT risk management, incident reporting, third-party risk, and resilience testing.
Applies to: Banks, insurance companies, investment firms, payment institutions, and their critical ICT providers.
NIS2 applies to essential entities (higher criticality) and important entities (moderate criticality) in 18 sectors. Size thresholds apply in some sectors:
DORA applies to all Belgian financial institutions regulated by the NBB (National Bank of Belgium) or FSMA, regardless of size:
Implement appropriate technical and organizational measures to manage cybersecurity risk, proportionate to your criticality.
Report significant incidents to the CCB (NIS2) or NBB/FSMA (DORA) within strict timelines (initial notification within 24 hours).
Maintain backup systems, disaster recovery plans, and crisis management procedures.
Assess and manage cybersecurity risks from suppliers and service providers.
Regular vulnerability scanning, patch management, and penetration testing.
NIS2 explicitly requires cybersecurity training for management bodies (Article 20).
In Belgium, the Centre for Cybersecurity Belgium (CCB) is the NIS2 supervisory authority. The CCB has developed the CyberFundamentals framework as a structured approach to NIS2 conformity.
Belgian NIS2 entities can demonstrate conformity through:
EU member states must transpose NIS2 into national law (Belgium in progress).
DORA became applicable to all in-scope financial entities.
Belgian entities must register with the CCB and begin conformity activities (exact timelines TBD in Belgian law).
Note: Even if Belgian national law is still being finalized, entities should begin preparation now. Supervisory audits and enforcement will follow soon after transposition.
Even if you're not directly in scope of NIS2 or DORA, you may still need to comply.
Many Belgian SMEs are discovering NIS2/DORA obligations not through direct regulatory scope, but because their customers (banks, insurers, telecom providers, energy companies) are requiring equivalent security standards from their suppliers.
You're a 30-person software company providing a customer portal to a Belgian bank. Under DORA, the bank must ensure you meet ICT risk management standards. You'll be contractually required to demonstrate security controls.
You provide IT support to a hospital (NIS2 essential entity). The hospital must assess your cybersecurity posture as part of their supply chain risk management. Expect security questionnaires and possible audits.
Safepoint's services map directly to NIS2 and DORA requirements:
We assess your current state against NIS2/DORA/CyberFundamentals requirements and build a prioritized compliance roadmap.
Regular pentesting is a NIS2/DORA requirement. Our OSCP/OSCE-certified team delivers audit-ready reports.
ISO 27001 certification is a recognized conformity pathway. We help you implement and certify.
NIS2 Article 20 requires cybersecurity training for management bodies. We deliver board-ready programs.