Belgium is one of the few countries in Europe that managed to transpose the NIS2 guidelines into national law before the deadline.

The deadline for member states to convert the European NIS2 directives into national law has expired. Belgium is leading the way and is one of the few European countries to meet the deadline. How was our country able to distinguish itself in this way and why is this not possible in other countries?

An important catalyst for successfully meeting this deadline is the framework of the Center for Cybersecurity Belgium (CCB). This has partly ensured that Belgium is the fastest compared to other Member States, which are now increasingly looking towards our country. In addition, the government has prevailed and cleared the (financial) path to valuable NIS2 regulations.

ITdaily brings together five experts to talk about the pioneering role that Belgium is taking within NIS2. We sit down with Alex Ongena, CEO and founder of AXS Guard, Ron Nath Mukherjee, cyber security consultant at Eset, Driek Desmet, systems engineer at Easi, Koen Pauwelyn, responsible for Industrial Cybersecurity Services at Siemens, and Yoran Dons, ICS Security Consultant at SoterICS.

Deadline met

NIS2 is a European directive intended to strengthen cybersecurity measures for organizations. The guidelines for NIS2 were issued by the European Union at the end of 2022. In order to implement these measures at national level, Member States must convert the European Union legal framework into national law.

The deadline for this change was October 17, 2024 and has now expired. Belgium is one of the two countries in Europe that has met the deadline for the NIS2 regulations. It is now up to Belgian organizations to comply with these NIS2 regulations or face the consequences. “Organizations have until March 2025 to become NIS2 compliant,” explains Desmet.

Kudos to CCB

The fact that our small Belgian country is excelling in the area of ​​NIS2 regulations is a remarkable achievement. Everyone at the table agrees: the Center for Cybersecurity in Belgium (CCB) has done a good job. “The CCB has developed a nice framework,” says Desmet. “Thanks to them, we have in our country the most concrete example of NIS2 in Europe,” agrees Dons.

In our country, thanks to the CCB, we have the most concrete example of NIS2 in Europe.

Yoran Dons, ICS security consultant at SoterICS

During the course of the conversation there were many words of praise about the CCB. But despite the good framework conditions, there are still uncertainties for some companies. Pauwelyn explains this using an example. “Many companies don’t know exactly which industry they belong to within the NIS2 framework and which label they receive. Am I part of this as a company? essentialHard drive, or not? Within NIS2, companies must take the initiative to register themselves so that they are not contacted by the CCB (as with NIS1).

National legislation

NIS2 is a European directive that must be implemented into national law by all member states. “There are many international companies in Belgium and that raises new questions.” Pauwelyn thinks it is a shame that NIS2 has not become a European regulation. This applies automatically and equally in all EU countries.

Ongena recently spoke to the CCB about this. The fact that NIS2 is not European legislation depends on the balance between the guidelines and the speed of implementation. “If you want to make a law in Europe that applies in 28 countries, it quickly becomes a ten-year project,” explains Ongena. “If you start by issuing a directive that has to be implemented in every country, things go much faster.”

All other countries will now take their cues from Belgium.

Alex Ongena, CEO and Founder AXS Guard

Apparently Belgium was the quickest to transpose NIS2 into national law. “All other countries are now looking towards Belgium. Many countries will adopt this to avoid having to invent hot water,” Ongena expects. Ultimately, you get more or less the same result in different countries.

Other countries

“We have many customers who are international and have branches in countries like Germany or France,” begins Pauwelyn. When you go to countries with Belgian legislation, you often don’t know what to do with it. “For this reason, these international companies are more likely to choose the ISO 27001 process because it is internationally known,” Pauwelyn continues. “We have already made some progress,” Mukherjee added. “In the past it was everyone for themselves, but today a legal framework has already been created for this.”

Belgium as a pioneer

Therefore, we can be proud of our country throughout NIS2 history. Belgium has set an example in this regard. “Other countries will soon look our way to analyze how to do this,” Ongena said. This can ensure greater uniformity between countries regarding NIS2 regulations.

Just as countries can take each other into account when applying the NIS2 regulations, this also happens at a lower level between the sectors themselves. Collaboration within NIS2 is encouraged by Peers. “It is also being discussed as part of NIS2 Peersnamely, that you can compare yourself with someone in the same industry. The quick victory “What one company has can quickly be transferred to another similar company,” explains Dons.

It is not yet clear what this will look like in practice and whether every company is open to it. One certainty we have is the progress of NIS2 in Belgium on a large scale in Europe. Everyone at the table agrees: we can be proud of our country.

This is the first editorial article in a series of three articles on the topic of NIS2. Click on our topic page to see all roundtable articles, the video and our partners.