Is your organisation ready for the new cybersecurity obligations of NIS2?

[Updated version of an article initially published on 19 December 2023]

Building on the previous NIS1 Directive (2016/1148/EU), the NIS2 Directive provides a European framework for cybersecurity risk management measures and introduces a high common level of cybersecurity in the Union (“NIS2 Directive” or “NIS2”). The Belgian act transposing the NIS2 Directive was adopted on 18 April 2024.

In two previous contributions, we informed you about the publication of the Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public security (see here) and the Royal Decree of 12 July 2019 specifying the application of certain rules (see here). That act and that royal decree transposed the NIS1 Directive into Belgian law and introduced obligations to report incidents for providers of essential services, such as energy, healthcare or transport, and for digital service providers. 

The NIS2 Directive has a broader scope than the NIS1 Directive. Among other things, it (i) expands the categories of sectors and activities that will be covered by cybersecurity obligations, (ii) imposes new cybersecurity risk management measures and incident reporting obligations, (iii) strengthens cooperation between Member States, and (iv) establishes a more stringent monitoring and enforcement system.

Member States have until 17 October 2024 to transpose the NIS2 Directive into their national legislation. On 10 November 2023, the Belgian Council of Ministers approved a preliminary draft act and royal decree transposing the NIS2 Directive into Belgian law. The act was adopted in Parliament on 18 April 2024 and is scheduled to enter into force on 18 October 2024. The royal decree implementing the act has not yet been finally adopted.

Cyberincidents happen every day. Investing in good cybersecurity and follow-up pays off. Eubelius will be happy to assist you with advice, preparation of security policies, training your staff, audits, and your preparation for and handling of cyberincidents.

Would you like to read more about the NIS2 Directive and its transposition into Belgian law? A more in-depth article is available to our clients in our Client Zone.