Cybersecurity ยท Belgium
Cybersecurity law in Belgium: NIS2 compliance (2026)
Belgium shaded by its cybersecurity status
Cybersecurity in Belgium: comprehensive law, anchored by Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (the 'NIS2 Law'), with implementing Royal Decree of 9 June 2024; supervised by the Centre for Cybersecurity Belgium (CCB)..
Belgium has a comprehensive horizontal cybersecurity regime through its NIS2 Law of 26 April 2024 and Royal Decree of 9 June 2024, both in force since 18 October 2024, which transpose EU Directive 2022/2555 (NIS2). The CCB is the national cybersecurity authority and national CSIRT, with sectoral authorities assisting in supervision, and essential/important entities face risk-management duties, registration, and tiered incident-reporting obligations. Sector-specific cybersecurity rules also apply on top, notably the EU DORA Regulation for financial entities (supervised by the NBB and FSMA) and GDPR data-breach notification overseen by the Belgian Data Protection Authority.
NIS2 & cybersecurity law in Belgium
In Belgium, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to โฌ10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Belgium implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Belgium: FAQ
Yes. As an EU member, Belgium has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to โฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
The NIS2 Law of 26 April 2024 and Royal Decree of 9 June 2024 entered into force on 18 October 2024, transposing Directive (EU) 2022/2555 and creating Belgium's general cybersecurity framework for entities of general interest.
The Royal Decree designates the Centre for Cybersecurity Belgium (CCB) as the national cybersecurity authority and national CSIRT, supported by designated sectoral authorities for supervision of in-scope sectors.
In-scope entities must notify the CCB of any 'significant' incident: an early warning within 24 hours, an incident notification/update within 72 hours, and a final report within 30 days.
Essential and important entities must register via the Safeonweb@Work portal (deadline 18 March 2025; digital-sector entities 18 December 2024); CyberFundamentals and ISO/IEC 27001 are recognized reference frameworks, with fines up to EUR 10M or 2% of worldwide turnover for essential entities.
Financial entities additionally fall under the EU DORA Regulation, reporting major ICT-related incidents to the National Bank of Belgium (NBB) or FSMA, with an initial notification, an intermediate report within 72 hours and a final report within one month.
Separately from NIS2, personal-data breaches must be reported to the Belgian Data Protection Authority (APD-GBA) within 72 hours; the authority launched a new breach-notification portal in 2025 with a two-part submission process.
Timeline - major decisions & events
The Data Protection Authority (APD/GBA) moved from individual complaint-handling toward 'systemic impact enforcement' with proactive audits targeting healthcare, finance, public sector, ad-tech and education, sharpening scrutiny of security and breach obligations in high-risk sectors.
Belgian Data Protection Authority โBelgium's NIS2 regime became effective: in-scope essential and important entities must apply risk-management measures and report significant incidents to the CCB (24h early warning, 72h update, 30-day final report), with registration required by 18 March 2025.
Centre for Cybersecurity Belgium (CCB) โThe Royal Decree completed transposition of EU Directive 2022/2555, named the CCB the national cybersecurity authority and national CSIRT, set conformity-assessment procedures, and recognised the CyberFundamentals (CyFun) framework and ISO/IEC 27001 as compliance references.
Centre for Cybersecurity Belgium (CCB) โAttackers breached the systems of Antwerp's IT provider Digipolis, encrypting data and disrupting municipal services, libraries, museums and elderly-care medication systems, a landmark public-sector incident underscoring supply-chain cyber risk in Belgium.
VRT NWS โBelgium's renewed national strategy set six objectives to make the country one of the least cyber-vulnerable in Europe, prioritising critical-infrastructure protection, incident response and public-private-academic cooperation, with the CCB at the centre.
Centre for Cybersecurity Belgium (CCB) โA large distributed denial-of-service attack knocked out the Belnet network serving government bodies, affecting ~200 organisations and forcing the federal parliament to cancel committee sessions, Belgium's largest DDoS incident at the time.
The Record (Recorded Future News) โThe Law of 7 April 2019 (published 3 May 2019) created Belgium's first horizontal framework for the security of networks and information systems of general interest, imposing security and incident-reporting duties on operators of essential services and digital service providers.
Fieldfisher โThe Royal Decree of 14 October 2014 created the CCB as the national authority to monitor, coordinate and strengthen Belgian cybersecurity; it became operational in 2015 and is now the country's central cyber authority and CSIRT.
Centre for Cybersecurity Belgium (CCB) โBelgium - other topics
Cybersecurity in other countries
Last verified 5/23/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ