1 Year NIS2: Where Do We Stand in Belgium?

NIS2 legislation

CCB looks back with satisfaction on the first year of NIS2. Belgian companies are on the right track with implementing the legislation, although there is still much work to be done.

October 17, 2024, went down in history as the day when the NIS2 legislation came into effect. Exactly one year later, the CCB doesn’t want to let this first anniversary pass unnoticed. “The implementation is proceeding quite smoothly in Belgium. Approximately 1,500 essential entities and 2,500 important entities have registered. The majority of these organizations have now also chosen and implemented a framework,” notes a satisfied Johan Klykens, Director Cybersecurity Certification Authority at CCB, during an online webinar.

Yet the work has only just begun. During the webinar, CCB takes stock of NIS2’s first year and introduces a new CyFun framework. Klykens: “We’re starting to see the first results. NIS2 won’t make cyber attacks disappear, but it reduces their impact. Though the reporting obligation hasn’t been fully accepted yet. We’re here to help, not to punish.”

A Bit of (Cy)Fun

From the start, Belgium proved to be a top student in the European class when it comes to NIS2 implementation. Our country was even one of the few member states to meet last year's transposition deadline. Central to CCB's approach is CyFun, short for CyberFundamentals: a framework with requirements and tools for organizations subject to NIS2.


CCB gave the original framework a refresh and introduces CyFun 2025 during the webinar. Dirk De Paepe, Senior Certification Expert, takes over. “The new version follows the latest developments in legislation and trends in cybersecurity. There’s also more focus on OT. The goal is to translate what we see in real attacks into concrete measures and make them as simple as possible for organizations.”

CyFun distinguishes four certification levels: Small, Basic, Important and Essential. The Basic level includes fundamental measures for all organizations, while organizations classified as ‘important’ or ‘essential’ under NIS2 legislation must meet additional and higher requirements. “The system of proportionality is maintained in the new version. But at each level, there are requirements that organizations must meet,” says De Paepe.

CCB's work is also being noticed beyond national borders. Ireland and Romania have adopted CyFun in their own national frameworks, and other member states are showing interest. In addition, the international ISO/IEC 27001 standard for information security management is also accepted as a general basis for demonstrating NIS2 compliance.

279 Incidents

Entities that experience a significant incident are required under the NIS2 law to notify the competent authority within 24 hours (an early warning, to be followed by a fuller incident notification within 72 hours under the directive). A final, detailed report is due within one month. "This is very important for us because it helps determine the root cause of the incident," says Klykens.

If necessary, CCB sends an inspection team on-site for a post-incident analysis. This falls under the authority of the National Cybersecurity Certification Authority (NCCA). “Since the introduction of NIS2, we have received 279 incident reports,” explains inspector Oya Tanil.

Not every incident carries the same severity. NIS2 distinguishes between 'significant' and non-significant incidents. An incident is considered significant if it meets at least one of these three conditions:

  • The incident causes (or is capable of causing) severe operational disruption of the organization's services.
  • The incident causes (or is capable of causing) financial loss for the organization.
  • The incident affects other natural or legal persons by causing them considerable material or non-material damage.

For so-called significant incidents, further inspection is possible, and you might receive a visit from Tanil and her colleagues. “When in doubt, we always ask to report. We can help determine the severity of an incident. Most significant incidents so far, by the way, have not been cyber-related.”

If further investigation reveals that the incident resulted from non-compliance with NIS2 requirements, sanctions are possible. In such cases, board members can even be held personally liable. “We haven’t had to initiate any sanction procedures yet. I hope that will never be necessary,” Klykens reassures. “Our inspection teams primarily want to help look at how incidents can be avoided. We often even receive thanks afterward.”

NIS2 is not meant to punish organizations.

Johan Klykens, Director Cybersecurity Certification Authority CCB

And the Rest of Europe?

One year after the European deadline, NIS2 implementation still remains difficult in Europe. Only six of the 27 member states have fully completed their homework. Besides the Benelux countries, these are Denmark, Sweden, and Finland. In many countries, the transposition of NIS2 into national legislation is still ‘in progress’, or even still in the planning phase.

CCB’s first assessment is therefore predominantly positive. “After the first year, we can give ourselves a modest pat on the back. This makes me optimistic about the future,” Klykens concludes. Though cybersecurity is work that’s never completely finished.

ITdaily recently organized a roundtable with five experts from the Belgian IT industry about NIS2.