For many organizations, NIS2 felt like “something legal” until it suddenly became real: scope determinations, board accountability, incident reporting readiness, and supplier controls that can’t be improvised during a crisis.
Belgium has been relatively early compared to many Member States. The result: in 2026, the work shifts from “law on paper” to operational implementation.
Note: This is implementation guidance, not legal advice. Confirm scope and obligations with your legal/compliance advisors and relevant authorities.
Why Belgium’s NIS2 position matters
Belgium adopted a national NIS2 Act (often cited as adopted 26 April 2024) and a Royal Decree (often cited as dated 25 June 2024) that clarifies roles and authorities.
The practical takeaway: governance and oversight are not theoretical—there are named bodies and expectations, and enforcement maturity tends to increase over time.
The “latest news” angle for 2026
Late 2025 marked a shift toward practical enablement: the Centre for Cybersecurity Belgium (CCB) emphasized implementation progress and promoted updated baseline materials (often referenced as a 2025 update to CyberFundamentals / CyFun).
Whether you use CyFun specifically or another framework, the message is the same: you need a defensible security program with evidence.
What “implementation” actually looks like in 2026
Organizations that succeed treat NIS2 as an operating model:
- Governance: clear ownership and decision-making at leadership/board level
- Risk management: repeatable controls and risk treatment, not ad-hoc projects
- Incident readiness: reporting thresholds and procedures that work at 2 a.m.
- Supplier controls: third-party requirements that reflect your risk reality
- Evidence: policies, logs, tests, training records—produced by normal operations
Your 2026 NIS2 execution checklist
Use this as a practical internal plan.
1) Scope check (and document it)
- Determine whether you are in scope (essential/important entity) and why
- Document boundary decisions (entities, services, locations, “grey areas”)
- Identify key services that would drive reporting obligations if disrupted
2) Governance and accountability
- Name an accountable executive owner
- Define security decision rights (who can accept risk, who can approve exceptions)
- Establish a cadence: monthly risk review, quarterly board reporting
3) Risk management baseline
- Choose a baseline framework (CyFun, ISO 27001, NIST CSF, etc.)
- Perform a gap assessment against your baseline
- Build a prioritized risk treatment roadmap (owners + due dates)
4) Incident readiness (make it executable)
- Define incident categories and thresholds (what triggers notification/reporting)
- Create an incident playbook with roles (IC, technical lead, comms)
- Run tabletop exercises (include at least one supplier incident scenario)
- Ensure you can produce evidence: timelines, comms logs, and decision records
5) Supplier and supply-chain controls
- Inventory critical suppliers (who supports critical services)
- Update contract requirements (security measures, reporting, audit rights)
- Validate escalation paths (who to contact at the supplier during an incident)
- Assess and track supplier risk (not just annually—on meaningful events)
6) Evidence by design
If your evidence is created only during audit season, you’re taking avoidable risk.
- Store policies and standards in a controlled repository
- Log key security activities (patching, vulnerability management, access reviews)
- Keep training records and completion rates
- Keep incident exercise artifacts and follow-ups
Key dates (as commonly referenced)
- 26 April 2024: Belgium adopted its NIS2 Act.
- 25 June 2024: Royal Decree clarifying authorities/roles.
- 28 November 2025: commonly referenced as a milestone update on implementation and baseline materials.
Final thought
NIS2 readiness is not a policy pack. It’s a capability: governance that can make decisions, controls that reduce risk in practice, and incident readiness that works under pressure. If you operationalize the basics in 2026, you’ll be in a far stronger position—regardless of how enforcement evolves.