Cybersecurity·Jul 08, 2026·9 min read
In short
If you run an SME in Belgium or work for a municipality, your inbox has probably filled up over the past year with NIS2 webinars, NIS2 checklists and vendors who suddenly discovered "NIS2-proof" as a sales pitch. The tone is usually the same: the deadline is coming, the fines are enormous, buy now.
Here is a calmer answer. The law is real, it has been in force in Belgium since 18 October 2024, and for some organisations it changes a great deal. But for most Belgian SMEs it changes less than the mailings suggest, and municipalities sit in a separate situation that is rarely explained correctly. Below are the facts, without the sales talk.
One caveat first: we are an IT and security company, not a law firm. For a formal legal analysis of your situation, the Centre for Cybersecurity Belgium (CCB) is the authority, and when in doubt, legal advice is worth it. What follows is the state of play as of mid-2026, based on the law and the CCB's own publications.
NIS2 is a European directive (2022/2555) that imposes a minimum level of cybersecurity on organisations that matter to society or the economy. Belgium transposed it through the law of 26 April 2024, which entered into force on 18 October 2024. That made Belgium one of the first countries in Europe to do so; many neighbours were still drafting at the time.
The supervisor is the CCB, which is also the national CSIRT (the team you report cyber incidents to). The law revolves around three things: managing your risks with appropriate measures, reporting serious incidents quickly, and making management personally responsible for both.
This is where most of the scaremongering falls apart. NIS2 does not apply to "all businesses". There are two filters, and you have to pass both:
A brasserie with twelve staff? Out of scope. An accounting office with thirty people? Out of scope. A food producer with eighty employees? Probably in scope. There are exceptions where smaller organisations are still covered (certain digital services, for instance, or entities the government explicitly designates), so checking beats assuming. The CCB has a scope test on its website for exactly this.
The law knows two categories. Essential entities (the largest organisations in the most critical sectors) get proactive supervision and risk fines of up to 10 million euros or 2% of worldwide annual turnover. Important entities are checked after the fact, with fines up to 7 million euros or 1.4%. Those figures are maximums for organisations that refuse to cooperate, not a standard rate for anyone acting in good faith.
This is the point that gets explained wrong most often, so let's be precise: Belgian municipalities do not automatically fall under NIS2. The legislator included federal and regional government services as a sector, but not local authorities as a category.
A municipality is only covered in two cases: either it performs one of the critical activities from the annexes itself (think drinking water or wastewater management run in-house) and meets the size threshold, or it is explicitly designated as an entity. For most municipalities, neither is the case today.
Does that mean sighing with relief and doing nothing? No, and that is policy rather than a sales pitch. The CCB published a guideline (guideline 1/2024) stating that all Belgian public administrations outside NIS2 are expected to reach at least the Basic level of the CyberFundamentals framework by 1 January 2030. Basic digital hygiene is becoming the norm for every local authority, NIS2 label or not. The rules around local government are still evolving, so check the current state with the CCB or your association of cities and municipalities for your specific situation.
Four duties form the core of the law:
Even organisations outside the law do not fully escape it in practice, for one simple reason: the supply chain. Organisations that do fall under NIS2 must assess the security of their suppliers. If your SME delivers services to a hospital, an energy company or a large food producer, expect questionnaires and contractual security requirements. Being able to answer those without improvising puts you ahead of competitors who cannot.
And regardless of any law: phishing emails do not read legislation. The attacks hitting Belgian SMEs and municipal services (fake invoices, hijacked mailboxes, CEO fraud) make no distinction between in scope and out of scope. The basic hygiene NIS2 imposes is simply what every organisation needs today.
Notice what sits in that list of duties: training is not a nice-to-have but a legal obligation for anyone in scope, for management and for staff. The CyberFundamentals Basic level, which public administrations are heading towards anyway, includes awareness as a building block too.
That is where we help concretely. Our cyber awareness service is built on what demonstrably works: phishing simulations that turn a near-miss into a lasting lesson, live hacking demos that make abstract risks tangible, and short training sessions tailored to your sector. Why that works better than a mandatory annual course is something we cover in our piece on the tired employee as your biggest risk.
For a municipality or SME working on NIS2 or CyberFundamentals, such a programme is a piece of the homework you can tick off, with results you can show in black and white.
So: no panic, and certainly no rushed purchases. Start with three questions: is my activity listed in Annex I or II? Do I meet the size threshold? And do I supply customers who are in scope? The answers determine whether you have a legal obligation, a commercial reality, or simply a good reason to get the basics in order.
Want to work through that exercise together, or see straight away how training and simulations fit into your NIS2 or CyFun homework? Book a no-obligation chat; we will tell you honestly what you need, and also what you do not.
Get a free, no-obligation call and a custom quote from Fluxive.
Monthly IT & marketing tips for Belgian businesses — Wi-Fi, SEO, security. No spam, just value.
Unsubscribe at any time.