Belgium is one of the only countries in Europe that managed to turn the NIS2 guidelines into national legislation before the deadline.
The deadline for member states to transform the European NIS2 directives into national legislation has passed. Belgium is at the forefront and one of the only European countries to meet the deadline. How was our country able to raise its profile this way and why are other countries failing to do so?
A major catalyst in successfully meeting that deadline has been the framework of the Center for Cybersecurity Belgium (CCB). This has helped to ensure that Belgium is the fastest compared to other member states, who are now increasingly looking toward our country. Moreover, the government has asserted itself and paved the way (financially) toward a worthwhile NIS2 regulation.
ITdaily brings five experts around the table to talk about the pioneering role Belgium is taking within NIS2. We sit down with Alex Ongena, CEO and founder of AXS Guard, Ron Nath Mukherjee, Cyber Security Consultant at Eset, Driek Desmet, System Engineer at Easi, Koen Pauwelyn, responsible for Industrial Cybersecurity Services at Siemens and Yoran Dons, ICS Security Consultant at SoterICS.
Deadline met
NIS2 is a European directive designed to strengthen cybersecurity measures for organizations. The guidelines for NIS2 were put out by the European Union at the end of 2022. To implement these measures at the national level, member states must transpose the European Union legal framework into national legislation.
read also
Belgium one of the only European countries to meet NIS2 deadline
The deadline for this transposition was Oct. 17, 2024, and has since passed. Belgium is one of two countries in Europe that met the deadline for the NIS2 regulations. Now it’s up to Belgian organizations to comply with these NIS2 regulations, or face the consequences. “Organizations have until March 2025 to be NIS2-compliant,” Desmet explained.
Plumes for CCB
That our little country of Belgium is excelling in the area of NIS2 regulations is a remarkable achievement. Everyone around the table agreed: The Center for Cybersecurity in Belgium (CCB) has done a great job. “The CCB has developed a nice framework,” Desmet says. “In our country, thanks to them, we have the most concrete NIS2 example in Europe,” agrees Dons.
In our country, thanks to the CCB, we have the most concrete NIS2 example in Europe.
Yoran Dons, ICS Security Consultant at SoterICS
There are many words of praise for the CCB throughout the conversation. Yet despite the good framework, there remain ambiguities for some companies. Pauwelyn points this out with an example. “Many companies do not know exactly which sector they belong to within the NIS2 framework, and what label they are assigned. As a company, do I belong to the essential disk, or not? Within NIS2, companies have to take the initiative to register themselves, so they are not (as with NIS1) notified by the CCB.”
National legislation
NIS2 is a European directive that must be translated into national legislation by all member states. “There are a lot of international companies in Belgium and that raises new questions.” Pauwelyn regrets that NIS2 has not become a European regulation. It is automatically and equally valid in all EU countries.
Ongena spoke about this recently with the CCB. The fact that NIS2 is not European legislation has to do with balancing directives and speed of implementation. “If you want to make a law in Europe that applies in 28 countries, that quickly becomes a 10-year project,” Ongena explained. “When you start by giving a directive to be implemented in each country, it goes much faster.”
All other countries will now look toward Belgium.
Alex Ongena, CEO and founder AXS Guard
Apparently, Belgium has been the fastest in converting NIS2 to national legislation. “All the other countries are now looking in Belgium’s direction. A lot of countries will start adopting that to avoid having to invent hot water,” Ongena expects. So at the end of the day, you still get more or less the same result across different countries.
Other countries
“We have a lot of customers who are international and have branches in countries like Germany or France,” Pauwelyn begins. If you then go to those countries with Belgian legislation, they often don’t know what to do with it. “For that reason, these international companies are more likely to opt for the ISO 27001 process because it is known internationally,” Pauwelyn continues. “Meanwhile, we are already a little further along,” adds Mukherjee. “It used to be every man for himself, but today a legal framework has already been created around it.”
Belgium as a pioneer
So in all the NIS2 story, we can be proud of our country. With this, Belgium has set an example. “Other countries will soon look in our direction to analyze how to do it,” Ongena said. This may ensure more uniformity among countries regarding NIS2 regulations.
Just as countries can look to each other in how they apply NIS2 regulations, this also happens at a lower level between sectors themselves. Collaboration is encouraged within NIS2 through peers. “Within NIS2 there is also talk of peers, namely that you can compare yourself to someone in the same sector. So the quick win that one company has can be quickly translated to another similar company,” Dons explains.
It is not yet clear what that will look like in practice, and whether every company will be open to it. One certainty we do already have is the progress of NIS2 in Belgium on a large scale in Europe. Everyone around the table agreed unanimously: we can be proud of our country.
This is the first editorial in a series of three on the theme of NIS2. Click on our theme page to see all the articles from the roundtable, the video and our partners.