Cybersecurity - Belgium

The NIS2 Law of 26 April 2024 and Royal Decree of 9 June 2024 entered into force on 18 October 2024, transposing Directive (EU) 2022/2555 and creating Belgium's general cybersecurity framework for entities of general interest.

The Royal Decree designates the Centre for Cybersecurity Belgium (CCB) as the national cybersecurity authority and national CSIRT, supported by designated sectoral authorities for supervision of in-scope sectors.

In-scope entities must notify the CCB of any 'significant' incident: an early warning within 24 hours, an incident notification/update within 72 hours, and a final report within 30 days.

Essential and important entities must register via the Safeonweb@Work portal (deadline 18 March 2025; digital-sector entities 18 December 2024); CyberFundamentals and ISO/IEC 27001 are recognized reference frameworks, with fines up to EUR 10M or 2% of worldwide turnover for essential entities.

Financial entities additionally fall under the EU DORA Regulation, reporting major ICT-related incidents to the National Bank of Belgium (NBB) or FSMA, with an initial notification, an intermediate report within 72 hours and a final report within one month.

Separately from NIS2, personal-data breaches must be reported to the Belgian Data Protection Authority (APD-GBA) within 72 hours; the authority launched a new breach-notification portal in 2025 with a two-part submission process.