While many companies are still assessing whether NIS2 applies to them, one reality is universal: the timelines are set, and authorities expect structured, evidence-based progress. The Centre for Cybersecurity Belgium (CCB) has made this crystal clear in its national guidance, strongly encouraging organisations to move from awareness to measurable action.
And even if your organisation isn’t directly concerned, be aware that it may fall into the supply chain of a NIS2 entity and thus be faced with the obligation to implement cyber security risk-management measures because of a contractual requirement!
Why NIS2 matters today more than ever
Cyberattacks continue to grow in frequency and impact. NIS2 aims to establish a high and common level of cyber security in the EU by setting requirements regarding cyber security risk management measures and reporting obligation. Good cyber security is not just about compliance; it is a lifesaving necessity as well as a key competitive advantage!
Key deadlines you must anticipate
Belgium is one of the EU Member States that fully transposed the directive on schedule. As a result, compliance deadlines are now active, with no expected delays.
Here are the milestones all inscope organisations must prepare for:
Already passed: 18th October 2024
Organisation’s must take minimum cybersecurity risk-management measures and notify all significant incidents.
Already passed: 18th March 2025 – Identification & registration
Organisations required to comply with NIS2 are expected to have already registered via the official CCB platform (Register my organisation | CCB Safeonweb) and identified their category (important or essential). This step forms the basis of all subsequent obligations.
Upcoming soon: 18th April 2026 – First assessment & evidence of implementation
Essential entities must demonstrate they started managed implementation of cybersecurity. To do so, 3 choices are available:
- Transmit to the CCB their scope, statement of applicability and most recent internal audit if they chose to be ISO/IEC 27001 certified;
- Acquire a verification by a Conformity Assessment Body (CAB) if they chose to use the CyberFundamentals (CyFun®) Framework developed by the CCB, complying with the basic or important assurance level based on their risk-assessment;
- Transmit to the CCB their self-assessment of CyFun® Basic or Important, or their ISO 27001 information security policy, scope and statement of applicability, if they chose to be directly inspected by the CCB.
Upcoming next: 18th April 2027 – Certification or advanced verification
This milestone marks the full application of NIS2 regulation. Essential entities must prove their strong implementation of cybersecurity measures by:
- Acquire certification by a CAB if they chose to be ISO/IEC 27001 certified;
- Acquire a verification by a CAB for the Important assurance level, or certification for the Essential assurance level, if they chose to use the CyFun® Framework;
- Report on progress towards compliance if they chose to be directly inspected by the CCB.
The Belgian Framework: CyFun® as the natural route forward
The CCB strongly promotes the CyberFundamentals (CyFun®) framework (CyberFundamentals Framework | CyFun). It has become Belgium’s reference model for NIS2 compliance, and is gaining traction in other member states as it has been officially adopted by Ireland and Romania as well and is being reviewed by others. Unlike general international standards, CyFun® has been designed specifically to align with legal obligations under NIS2:
- Tailored controls
- Belgian‑specific reporting expectations
- Clear maturity path
- Direct compatibility with CCB assurance and certification programs
- Whether you use CyFun® alone or in combination with ISO 27001/27035/22301, early alignment greatly facilitates the 2026 and 2027 milestones.
What should you do now?
To avoid being overwhelmed by the milestones of 2026 & 2027, organisations should already be:
- Completing their risk analysis
- Building or refining their ISMS
- Defining roles and governance structures
- Performing a gap assessment against NIS2 requirements
- Drafting or updating security policies and procedures
- Setting up incident reporting workflows aligned with Belgian obligations
- Reviewing supplier dependencies and critical service chains
The earlier these foundations are in place, the smoother the transition to verification or certification will be.
Approach Cyber can support you through a structured, end-to-end methodology covering assessment, implementation, governance, and continuous improvement.
Whether you are just starting or already deep into implementation, Approach Cyber can be your trusted partner transforming NIS2 from an obligation into a resilient operational advantage.
» Also read the article: ‘NIS2 Directive: strengthening cyber security in Europe‘