In today’s fast-digitising world, cyberattacks are not just a threat: they are a statistical certainty. A successful cyberattack costs a company on average €200,000, and, even more alarming, 60% of SMEs go bankrupt within six months of a serious breach. Cybersecurity is no longer a luxury; it is a legal and operational imperative. The EU understood this well, and two major legislative pillars are now active: the DORA Regulation, in force since 17 January 2025 for the financial sector, and the broader-reaching NIS2 Directive, which applies across critical and important sectors.
While the transposition deadline for NIS2 was 17 October 2024, businesses now face two immediate Belgian deadlines: (i) 18 March 2025: mandatory registration with the Centre for Cybersecurity Belgium (CCB) for all in-scope entities, and (ii) 18 April 2025: deadline to demonstrate compliance, including documentation of risk management, governance structures, and incident response capabilities.
Who Must Comply – And Who Should Still Care
The Directive applies to businesses in “essential” sectors (e.g., energy, healthcare, water, transport, digital infrastructure, public administration) and “important” sectors (e.g., post, food, chemicals, cloud providers, online platforms). Companies with more than 50 employees or €10 million in turnover are generally in scope, unless they qualify as microenterprises. However, indirect exposure is widespread: vendors, SaaS providers, and IT integrators serving these entities are often contractually required to adhere to the same standards.
What Compliance Really Involves
The obligations go well beyond IT tweaks. NIS2 requires (i) 24-hour incident reporting procedures, (ii) supply chain risk assessments and contract audits, (iii) executive accountability and board-level awareness, and (iv) security audits and regular training.
And it comes with teeth: fines up to €10 million or 2% of global turnover.
Even more critically, the EU has dropped plans for a dedicated cyber-liability regulation. That means if your supplier is hacked and you suffer losses, you are on your own unless your contracts say otherwise.
Where Belgium Stands Now
The CCB registration obligation went into effect (i) on 18 December 2024 for certain digital service providers (e.g., cloud, social networks, domain registrars), and (ii) on 18 March 2025 for most others.
By 18 April 2025, registered entities must be able to prove compliance, not just say they are working on it. This includes (i) documented cybersecurity policies, (ii) a tested incident response plan, (iii) internal and external reporting frameworks, and (iv) training logs, audit trails, and risk analysis.
Failure to comply may result in sanctions, inspections, or liability claims.
The Belgian Awareness Gap
Despite these high stakes, awareness remains worryingly low, especially among SMEs. Many still believe NIS2 only affects public utilities or large tech firms. In reality, every business in a regulated supply chain – including small developers, integrators, and consultants – may carry contractual NIS2 obligations.
Cybercriminals don’t check compliance registers. They target the weakest link.
Allegiance Law’s Perspective – How to Get Your Compliance in Order
Here is what Belgian businesses should be doing now, regardless of size or direct NIS2 status: (i) check if you’re in scope (based on sector and size), (ii) register with the CCB, if required, (iii) map your vendor ecosystem, including dependencies, (iv) conduct a risk analysis and gap assessment, (v) create a cybersecurity policy covering incident response and business continuity, (vi) train your staff, particularly around phishing and social engineering, (vii) update contracts to reflect cyber liability and NIS2 flow-downs, and (viii) run a table-top exercise to simulate a breach and test your legal and technical response.
Even businesses outside the scope of NIS2 should take inspiration from it. As the directive makes clear, cybersecurity is not just about regulation; it is about resilience.
For a deep dive into your specific obligations under the Belgian NIS2 Act, or to conduct a contract audit for liability exposure, contact Allegiance Law. We provide sector-specific guidance tailored to the NIS2 operational and legal landscape, because when it comes to cybersecurity, ignorance is no defence.
Read the NIS2 Directive here and its Belgian implementing act here.