Cybersecurity · Belgium
Cybersecurity regulation in Belgium (2026)
Belgium shaded by its cybersecurity status
Belgium has a comprehensive horizontal cybersecurity regime through its NIS2 Law of 26 April 2024 and Royal Decree of 9 June 2024, both in force since 18 October 2024, which transpose EU Directive 2022/2555 (NIS2). The CCB is the national cybersecurity authority and national CSIRT, with sectoral authorities assisting in supervision, and essential/important entities face risk-management duties, registration, and tiered incident-reporting obligations. Sector-specific cybersecurity rules also apply on top, notably the EU DORA Regulation for financial entities (supervised by the NBB and FSMA) and GDPR data-breach notification overseen by the Belgian Data Protection Authority.
Key points
The NIS2 Law of 26 April 2024 and Royal Decree of 9 June 2024 entered into force on 18 October 2024, transposing Directive (EU) 2022/2555 and creating Belgium's general cybersecurity framework for entities of general interest.
The Royal Decree designates the Centre for Cybersecurity Belgium (CCB) as the national cybersecurity authority and national CSIRT, supported by designated sectoral authorities for supervision of in-scope sectors.
In-scope entities must notify the CCB of any 'significant' incident: an early warning within 24 hours, an incident notification/update within 72 hours, and a final report within 30 days.
Essential and important entities must register via the Safeonweb@Work portal (deadline 18 March 2025; digital-sector entities 18 December 2024); CyberFundamentals and ISO/IEC 27001 are recognized reference frameworks, with fines up to EUR 10M or 2% of worldwide turnover for essential entities.
Financial entities additionally fall under the EU DORA Regulation, reporting major ICT-related incidents to the National Bank of Belgium (NBB) or FSMA, with an initial notification, an intermediate report within 72 hours and a final report within one month.
Separately from NIS2, personal-data breaches must be reported to the Belgian Data Protection Authority (APD-GBA) within 72 hours; the authority launched a new breach-notification portal in 2025 with a two-part submission process.
Timeline - major decisions & events
The Data Protection Authority (APD/GBA) moved from individual complaint-handling toward 'systemic impact enforcement' with proactive audits targeting healthcare, finance, public sector, ad-tech and education — sharpening scrutiny of security and breach obligations in high-risk sectors.
Belgian Data Protection Authority ↗Belgium's NIS2 regime became effective: in-scope essential and important entities must apply risk-management measures and report significant incidents to the CCB (24h early warning, 72h update, 30-day final report), with registration required by 18 March 2025.
Centre for Cybersecurity Belgium (CCB) ↗The Royal Decree completed transposition of EU Directive 2022/2555, named the CCB the national cybersecurity authority and national CSIRT, set conformity-assessment procedures, and recognised the CyberFundamentals (CyFun) framework and ISO/IEC 27001 as compliance references.
Centre for Cybersecurity Belgium (CCB) ↗Attackers breached the systems of Antwerp's IT provider Digipolis, encrypting data and disrupting municipal services, libraries, museums and elderly-care medication systems — a landmark public-sector incident underscoring supply-chain cyber risk in Belgium.
VRT NWS ↗Belgium's renewed national strategy set six objectives to make the country one of the least cyber-vulnerable in Europe, prioritising critical-infrastructure protection, incident response and public-private-academic cooperation, with the CCB at the centre.
Centre for Cybersecurity Belgium (CCB) ↗A large distributed denial-of-service attack knocked out the Belnet network serving government bodies, affecting ~200 organisations and forcing the federal parliament to cancel committee sessions — Belgium's largest DDoS incident at the time.
The Record (Recorded Future News) ↗The Law of 7 April 2019 (published 3 May 2019) created Belgium's first horizontal framework for the security of networks and information systems of general interest, imposing security and incident-reporting duties on operators of essential services and digital service providers.
Fieldfisher ↗The Royal Decree of 14 October 2014 created the CCB as the national authority to monitor, coordinate and strengthen Belgian cybersecurity; it became operational in 2015 and is now the country's central cyber authority and CSIRT.
Centre for Cybersecurity Belgium (CCB) ↗Belgium - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →