NIS2 Compliancy with the help of Kappa Data

At Kappa Data we collect information about the NIS2 law and keep our IT partners informed. On the 26th of April 2024 the Belgian Government decided to transform the EU proposal for the cybersecurity of network and information systems into a law that enters into force on the 18th of October.

With the NIS2 law about to be released, our mission is to inform and assist our partners with this cybersecurity framework and to help them with technology solutions that unburden the IT staff at the end customer.

NIS2 Compliance
On this page Kappa Data informs you what the NIS2 directive looks like, with links to other sources of the Centre for Cybersecurity Belgium (CCB), so that you can prepare your organization for these requirements.

What is NIS2?

NIS2 is a set of minimum measures to protect essential services against significant disruptions. NIS2 is the successor of the NIS1 directive, set up in 2016 for essential sectors like Energy, Banking, Transport, Healthcare and Drinking water. Given the current threats in cyberspace, the EU decided to expand these measures, as well as the number of sectors.

The EU (re-)used the NIST framework and launched the Cyberfundamentals framework, with the five functions shown below.
Cyberfundamentals Framework NIS2

  • Identify: identify your assets and do risk assessments
  • Protect: protect assets against cyber risks
  • Detect: detect cyber breaches and incidents
  • Respond: respond to cyber incidents with an incident response team
  • Recover: ensure your business continuity with disaster recovery

Who is NIS2 for? 

Scope of sectors

Below you can find an overview of the essential sectors that were already covered by NIS1, shown in black, and the newly added sectors, shown in green. Both colours cover the sectors that are defined by the EU for NIS2.
Sectors NIS2 Belgium

What is Essential Business?

A business is considered essential when the organization offers vital services to the economy or our community and is considered highly critical. Take the energy sector: imagine we have no energy, no power for light, warm water or electricity. We could no longer work and our way of living would be critically affected. This impact is what makes the service essential.

What is important business?

Important businesses offer critical services to our economy or society, but are less critical than essential services. For example social media: when we don't have access to Instagram or other social media it's unpleasant, but we will survive the outage.

The EU has implemented an extra classification based on the sizing of the entities, like shown below.

Sizing entities for NIS2

Important Entities NIS2
Essential Entity NIS2

When you must comply with the NIS2 law, the size of the entity is one criterion to consider. Only medium-sized entities and larger, according to the size figures shown above, are required to comply with NIS2. BUT, there are some exceptions:

  • Difference between turnover and balance sheet total: when an organization of 35 employees has a turnover of 1 million euros (small) but a balance sheet total of 50 million euros (large), the lowest of the two amounts counts, in this case the turnover.
  • An enterprise with 80 employees (medium) has an annual turnover of 1 million euros (small) and an annual balance sheet total of 70 million euros (large). For the financial amounts, only the lowest is considered: its turnover. Because the turnover is small but the staff headcount is medium, it is a medium-sized enterprise.
  • Entities that are part of a group: the size of an organisation that is part of a group (so-called “partner enterprises” or “linked enterprises”) is calculated by consolidating the data of the different components of that group.
  • Supplier in the supply chain: an entity that delivers services to an essential or important entity can itself be designated as important or essential when its service is considered critical for the services of those essential and important entities. The government can decide that such an entity is essential or important.

NIS2 exceptions regardless of size

There is a list of exceptions to the size cap. Certain types of entities fall into the scope of application of the NIS2 law, regardless of their size:

  • Qualified trust service providers (essential)
  • Non-qualified trust service providers (important if micro, small or medium enterprise and essential if large enterprise)
  • DNS Service providers (essential)
  • TLD name registries (essential)
  • Domain name registration services (only for the registration obligation)
  • Providers of publicly available electronic communications networks (essential)
  • Public administration entities depending on the federal State (essential)
Source CCB Belgium

Critical and high critical sectors and sub-sectors

Services are grouped together by sectors. Here is the list of the different sectors and sub-sectors:

High Critical sectors (Annex I)

  1. Energy
    1. Electricity
    2. District heating and cooling
    3. Oil
    4. Gas
    5. Hydrogen
  2. Transport
    1. Air
    2. Rail
    3. Water
    4. Road
  3. Banking
  4. Financial market infrastructure
  5. Health
  6. Drinking water
  7. Waste water
  8. Digital ICT infrastructure
  9. ICT service management (B2B)
  10. Public administration 
  11. Space

Critical sectors (Annex II)

  1. Postal and courier services
  2. Waste management
  3. Manufacture, production and distribution of chemicals
  4. Production, processing and distribution of food
  5. Manufacturing
    1. Manufacture of medical devices and in vitro diagnostic medical devices
    2. Manufacture of computer, electronic and optical products
    3. Manufacture of electrical equipment
    4. Manufacture of machinery and equipment n.e.c.
    5. Manufacture of motor vehicles, trailers and semi-trailers
    6. Manufacture of other transport equipment
  6. Digital providers
  7. Research
Most services are defined by reference to definitions found in EU legislative instruments. It is very important to consult these definitions to verify whether they correspond to the actual service provided by an organisation.

An organisation analysing whether it falls into the scope of the NIS2 law thus has to make the link between a service it provides and a service mentioned in the annexes of the law. It should be noted that it is possible that an organisation covers multiple services and falls into multiple sectors.

For a better overview of the scope of the law, we invite you to consult our visual summary of the scope:
Source CCB Belgium

Entities with link in Belgium

The Belgian NIS2 law only applies to entities established in Belgium that provide their services or carry out their activities within the EU. Two concepts are important to consider:

  1. The concept of “establishment” simply implies the actual pursuit of an activity by means of a permanent installation, irrespective of the legal form adopted, whether this is the registered office, a simple branch office or a subsidiary with legal personality. 
  2. The concept of “entity” is defined in article 8, 37° of the NIS2 law as a natural or legal person created and recognized as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations. 

However, there are three exceptions to the rule that the entity must be established in Belgium:

  1. The Belgian NIS2 law applies to providers of public electronic communications networks or providers of publicly available electronic communications services, which provide their services in Belgium;
  2. The Belgian NIS2 law applies to DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms, if they have their main establishment in Belgium or their legal representative for the EU in Belgium*;
  3. The Belgian NIS2 law applies to public administration entities, which have been established by Belgium.

The concept of “main establishment” refers to the establishment where the decisions related to the cybersecurity risk-management measures are predominantly taken. If this cannot be determined or if such decisions are not taken in the Union, the main establishment shall be the establishment where the entity carries out cybersecurity operations. If this place can again not be determined, then the main establishment is where the entity has the highest number of employees in the Union.

* If an entity referred to in point 2) is not established in the EU but provides its services there, it must appoint a legal representative who is established in a Member State where it provides its services. If this representative is located in Belgium, the entity will be considered as having its main establishment in Belgium.

If an entity has several establishments in different EU Member States, it will be subject to the transposition laws in each of the Member States concerned. The various competent national authorities will work together regarding inspections and the notification of significant incidents.

Source CCB Belgium

Not in scope? Check supply chain!

It is possible that, after a thorough analysis of the scope of application of the NIS2 law, certain organisations realise that they do not, in fact, fall under said law. All non-NIS2 organisations should be aware that the NIS2 law can still affect them in two ways.

First, the national cybersecurity authority (the CCB) can identify certain organisations, regardless of their size, as essential or important entities under the NIS2 law in four different circumstances:

  1. the entity is the sole provider, in Belgium, of a service which is essential for the maintenance of critical societal or economic activities;
  2. disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
  3. disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
  4. the entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in Belgium.

This process unfolds in consultation with the concerned entity and other related actors, such as the sectoral authority (if it exists) and the relevant federated entities.

Second, an organisation may fall into the supply chain of a NIS2 entity and be faced with the obligation to implement cybersecurity risk-management measures because of a contractual requirement. NIS2 entities indeed have the obligation to ensure the security of their supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.

In this context, the Centre for Cybersecurity Belgium advises all organisations that may find themselves in the supply chain of a NIS2 entity, to at least comply with the measures set out in the CyberFundamentals (CyFun®) Framework level Basic. A NIS2 entity could theoretically impose the compliance with a certain CyFun® level onto its direct suppliers or service providers.

Source CCB Belgium

NIS2 Obligations

Registration on Safeonweb@work

The NIS2 law imposes a number of obligations on essential and important entities. These include registration on Safeonweb@Work, implementation of cybersecurity risk-management measures, notification of significant incidents to the national CSIRT (the CCB), obligations for management and cooperation with the authorities.

NIS2 entities falling into the scope of the Belgian NIS2 law have to register their organisation with the CCB. In practice, this registration takes the shape of an online form, to be completed on Safeonweb@Work. The current registration platform will be updated to include a form specifically related to NIS2.
Registration platform

How to start with NIS2?

Below you can find the different steps to register your organisation on this platform.
Step 1: Register on atwork.safeonweb.be
Registration company at CCB Belgium
https://atwork.safeonweb.be/register-my-organisation

Step 2: Access the portal for first registration

Access portal for Registration at CCB

Step 3: Connect to the portal

Access to government portal for NIS2 registration

Step 4: Register your organisation

The deadline for registration depends on the type of entity. In principle, essential and important entities, as well as domain name registration service providers, have 5 months from the entry into force of the law to register. With the entry into force scheduled for 18th October 2024, registration must be completed by 18th March 2025 at the latest.

When registering, companies must provide the following information:

  • Their name and Crossroads Bank for Enterprises (CBE) registration number or equivalent registration in the European Union;
  • Their current address and contact details, including email address, IP address and telephone number;
  • Where applicable, the relevant sector and subsector referred to in annex I or II of the law;
  • Where applicable, a list of the Member States in which they provide services falling within the scope of the Law.

For entities that have already provided this information to a NIS2 sectoral authority, the information only needs to be updated where necessary. If the information changes, all entities must inform the CCB immediately.

There is a slightly adapted regime for the following types of entities from the digital sectors:

  • DNS service providers;
  • TLD name registries;
  • Entities providing domain name registration services;
  • Cloud computing service providers;
  • Data centre service providers;
  • Content delivery network providers;
  • Managed service providers;
  • Managed security service providers;
  • Online marketplace providers;
  • Online search engine providers; and
  • Social networking service platform providers.

They must register within 2 months of the law entering into force, i.e. by 18th December 2024 at the latest, and provide the following information:

  • Their name;
  • Their sector, sub-sector and type of entity, as listed in Annex I or II, as applicable;
  • The address of their principal place of business and of their other legal establishments in the Union or, if they are not established in the Union, of their representative;
  • Their current contact details, including e-mail addresses and telephone numbers, and, where applicable, those of their representative;
  • The Member States in which they provide their services falling within the scope of the Law;
  • Their IP ranges.

Here again, every entity is required to inform the CCB immediately of any changes to their information.

In practice, some of this information is obtained directly from the Crossroads Bank for Enterprises (CBE) during the registration process.

Source CCB Belgium

Cybersecurity risk-management measures

Essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks to the security of the networks and information systems which they use in the course of their activities or in the provision of their services. These measures must eliminate or reduce the impact of incidents on the recipients of their services and on other services.

In addition, the measures implemented have to ensure a level of security for networks and information systems that is appropriate to the existing risk, taking into account the state of the art and, where relevant, applicable European and international standards, as well as the cost of implementation. In assessing the proportionality of these measures, due account should be taken of the degree of exposure of the entity to risk, the size of the concerned entity, as well as the likelihood of incidents occurring and their severity, including societal and economic consequences.

Thus, the measures should be as well adapted as possible to the concrete situation of the concerned entity.

The NIS2 law also states that these measures are based on an “all-hazards” approach and aim to protect network and information systems and their physical environment against incidents. The law lists 11 minimum measures that every NIS2 entity must implement:

  1. Policies on risk analysis and information system security;
  2. Incident handling;
  3. Business continuity, such as backup management and disaster recovery, and crisis management;
  4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  7. Basic cyber hygiene practices and cybersecurity training;
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  9. Human resources security, access control policies and asset management;
  10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate;
  11. A coordinated vulnerability disclosure policy.

To facilitate the practical implementation of these measures, the Centre for Cybersecurity Belgium advises all NIS2 entities to make use of the CyberFundamentals (CyFun®) Framework, which covers all these points. A validated implementation of the CyFun Framework allows NIS2 entities to benefit from a presumption of conformity. 

Source CCB Belgium

Incident reporting

NIS2 incident reporting of significant cyber incidents

The NIS2 law stipulates that essential and important entities must notify the national CSIRT (the CCB) of any significant incident affecting the provision of their services in the (sub-)sectors listed in the annexes of the law, including, where appropriate, information that makes it possible to determine whether the incident in question has a cross-border impact.

In order to fulfil this obligation, one must understand what is meant by “incident” and by “significant”. 

The NIS2 law defines “incident” as an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.

A “significant” incident is any incident which has a significant impact on the provision of services in the sectors or subsectors listed in the annexes of the NIS2 law, and which

  • has caused or is likely to cause serious disruption to the operation of any of the services in the sectors or subsectors listed in Annexes I and II or financial loss to the concerned entity; or
  • has caused, or is likely to cause, significant material, personal or non-material damage to other natural or legal persons.

If the incident in question fits this definition, then the notification shall be made to the national CSIRT (the CCB) in several stages:

  1. Without undue delay and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning;
  2. Without undue delay and in any event within 72 hours (24 hours for trust service providers) of becoming aware of the significant incident, the entity shall submit an incident notification;
  3. Submit an interim report if requested to do so by the CSIRT or, where applicable, the competent authority;
  4. Submit a final report no later than one month after the submission of the incident notification referred to in point 2;
  5. If the incident is ongoing at the time of the final report, the entity shall submit a progress report and then, within one month after the handling of the incident, a final report.

In practice, notification will be made through the procedure set out on the CCB website.

Source CCB Belgium

Management obligations and responsibilities

The management bodies of NIS2 entities must approve cybersecurity risk-management measures and oversee their implementation. If the entity breaches its obligations with regard to risk-management measures, the management body is liable.

Members of the management bodies are obliged to follow training to ensure that their knowledge and skills are sufficient to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity concerned. 

The explanatory memorandum of the NIS2 law defines “member of a management body” as:

Any natural or legal person who :

  1. exercises a function within or in relation to an entity which authorises him or her (a) to administer and represent the entity in question or (b) to take decisions in the name and on behalf of the entity which are legally binding on it or to participate, within a body of that entity, in the taking of such decisions, or
  2. has control over the entity, meaning the power, in law or in fact, to exercise decisive influence over the appointment of the majority of the entity’s directors or managers or over the direction of the entity’s management.

Where the entity in question is a company governed by Belgian law, this control is determined in accordance with articles 1:14 to 1:18 of the Companies and Associations Code.

Where the person whose role is being examined is a legal person, the concept of “member of a management body” is examined recursively and covers both the legal person in question and any member of a management body of that legal person.

The responsible persons and/or legal representatives of an entity must have the power to ensure that the entity complies with the law. They are liable for their failure to do so.

The liability of management bodies, responsible persons and legal representatives is without prejudice to the rules on liability applicable to public institutions, as well as the liability of civil servants and elected or appointed officials.

Source CCB Belgium


Cooperation with the authorities

The NIS2 law requires entities falling within its scope to cooperate with the national authorities responsible for its implementation, in particular the CCB and the sectoral authorities.

This cooperation generally takes the form of an exchange of information on the security of networks and information systems, but also includes cooperation between the entity and the CCB's inspection service or the sectoral inspection service.

NIS2 non-compliancy

Essential entities must undergo a mandatory regular conformity assessment. This assessment is carried out on the basis of a choice made by the entity from three options:

  • A CyberFundamentals (CyFun®) certification (Essential level) or verification (Important or Basic level) with the relevant scope, awarded by a conformity assessment body (CAB) approved by the CCB after accreditation by BELAC;
  • An ISO/IEC 27001 certification with the relevant scope awarded by a CAB accredited by an accreditation body that has signed the Mutual Recognition Agreement (MLA) for the ISO 27001 standard under the European co-operation for Accreditation (EA) or the International Accreditation Forum (IAF);
  • An inspection by the CCB inspection service (or by a sectoral inspection service).

During an inspection, the inspection service of the CCB (or a sectoral inspection service, or both together) may conduct on-site inspections, on-site monitoring, ad hoc audits, as well as security scans and general requests for information and evidence. All NIS2 entities must always comply with the requests of the inspectorate(s). If they fail to do so, they face administrative fines. More information regarding these fines can be found below this chapter.

Management responsibility over incidents

Inspectors can go on site, take minutes and write reports. Based on these findings, proceedings can be initiated to order an entity to put an end to a violation and, if necessary, take appropriate administrative measures, ranging from warnings to administrative fines.

Possible administrative measures and fines are determined by the directive. If a measure or fine is deemed necessary, de facto account is always taken of the situation and any repeated violations so that the measure or fine is proportionate.

Fines non-compliancy

The following administrative fines may be imposed (doubled for repeated behaviour within a 3-year period):

  • €500 to €125,000 for failure to comply with the Article 12 reporting requirements (identification process);
  • €500 to €200,000 for an entity that sanctioned one of its employees or subcontractors for performing the obligations of the law in good faith and within the scope of their duties;
  • €500 to €200,000 for failing to meet supervisory obligations;
  • €500 to €7,000,000 or 1.4% of the total annual worldwide turnover in the previous financial year of the company to which the entity belongs, whichever is higher (important entities);
  • €500 to €10,000,000 or 2% of the total annual worldwide turnover in the previous financial year of the company to which the entity belongs, whichever is higher (essential entities).
Source CCB Belgium

NIS2 Deadlines

New deadlines have been communicated for essential and important entities in Belgium. Below you can find these deadlines:
Implementation NIS2 deadlines for important entities
Source CCB Belgium
NIS2 deadline for Essential entities
Source CCB Belgium

Belgian Law

On the 18th of April this year, the law proposal was approved by the Belgian Parliament. This proposal will be replaced by a NIS2 law that must apply from the 18th of October 2024 on. Most likely, our Belgian government will meet this deadline.

Basic implementation

Both important and essential entities need to meet the deadline of the 18th of April 2026 for implementing the Basic level of the CyberFundamentals framework. Below you can find an overview of the different items in the document.

Final compliancy NIS2

The final NIS2 compliancy deadline has been set to the 18th of April 2027, by which both essential and important entities need to be compliant with the NIS2 directive. This covers not only the technological level, but also employee awareness, roles and responsibilities, policies, risk assessments, the incident response plan, the recovery plan, etc., all of which need to be documented and written out as policies.

Frequently asked questions

Check our FAQ section where you can find the first questions that have been asked to us during the last months.

  • How can a SOC help organizations comply with the NIS2 directives?

    A SOC can help organizations comply with the NIS2 directives by:

    • Monitoring and detection: Providing continuous monitoring to detect and respond to security incidents in real-time.
    • Incident response: Implementing effective incident response procedures to mitigate the impact of security breaches.
    • Reporting: Ensuring timely and accurate reporting of significant incidents to the relevant authorities.
    • Threat intelligence: Keeping the organization informed about emerging threats and vulnerabilities.
    • Security audits: Conducting regular security audits and assessments to ensure compliance with NIS2 requirements.
  • What are the NIS2 directives?

    The NIS2 (Network and Information Security) directives are a set of regulations introduced by the European Union to enhance the cybersecurity of critical infrastructure and essential services across member states. The directives aim to ensure a high common level of cybersecurity across the EU by requiring organizations to implement robust security measures and report significant incidents.

  • What future developments can be expected in relation to the NIS2 Directive?

    Future developments include the refinement of national laws to fully comply with the directive, the establishment of more robust cybersecurity frameworks, continuous updates to address emerging threats, and enhanced collaboration at the EU level to ensure a unified and effective cybersecurity posture.

  • How does the NIS2 Directive impact Small and Medium-sized Enterprises (SMEs)?

    While the NIS2 Directive focuses on operators of essential services and digital service providers, SMEs in critical sectors must also comply with the directive’s requirements. However, the directive includes proportionality measures to ensure that obligations are appropriate to the size and resources of the entities.

  • What cooperation mechanisms does the NIS2 Directive establish?

    The NIS2 Directive establishes cooperation groups to facilitate strategic cooperation and exchange of information among member states. It also creates a network of national CSIRTs to ensure effective operational cooperation.

  • How is Belgium implementing the NIS2 Directive within its national legal framework?

    Belgium is transposing the NIS2 Directive through national legislation, enhancing the existing cybersecurity framework. This includes updating the roles of its national cybersecurity authorities and aligning its national cybersecurity strategy with the directive’s requirements.

  • What role do Computer Security Incident Response Teams (CSIRTs) play under the NIS2 Directive?

    CSIRTs are responsible for monitoring, detecting, and responding to incidents. They provide early warning, risk assessment, and incident response capabilities to assist operators of essential services and digital service providers.

  • How does the NIS2 Directive enforce compliance, and what penalties can be imposed?

    National authorities are empowered to conduct audits and inspections. Penalties for non-compliance can include fines, administrative sanctions, and reputational damage. The exact penalties are determined by each member state.

  • What are the incident reporting requirements under the NIS2 Directive?

    Entities must report incidents having a significant impact on the provision of their services without undue delay to the relevant national authority. The initial notification should be followed by a final report once the root cause and impact are fully understood.

  • Obligations for Operators

    The NIS2 Directive covers a broad range of sectors including energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, public