Itdaily - NIS2 in the public sector: more than just a checklist



What does NIS2 mean for the public sector? The legislation requires organizations to address information security on a continuous basis.

It has been about a year and a half since NIS2 came into force. Belgium was quick to transpose the European directive into national law, but what impact has NIS2 really had? April 18 marked the first major test for so-called ‘essential’ organizations: their compliance is now being assessed for the first time.

As head of information security at IT service provider Smals and DPO at the Crossroads Bank for Social Security, Kurt Maekelberghe encounters the NIS2 law from multiple roles. “All federal government institutions are recognized as ‘essential entities’, and the obligations are no different than for the private sector: every organization covered by the legislation must take measures to limit security risks.”

Risks first

NIS2 forces companies to thoroughly examine their security, although this does not necessarily lead to drastic changes for public institutions. Maekelberghe: “I think the law has certainly helped to bring information security to the fore where it might not have existed before. Because we work with personal data within social security, we have long been aware of the utility and necessity of information security. So the culture didn’t suddenly appear with NIS2.”

“New supervision models have been introduced with the NIS2 directive,” he continues. “For example, every significant incident must now be reported to the Center for Cybersecurity Belgium. This reporting obligation and the monitoring of NIS2 compliance ensure that the focus on security is sharpened just a bit more. As a result, basic measures receive more explicit attention. The Center for Cybersecurity Belgium oversees the precise impact on the market, but I believe that NIS2 can bring about a decrease in avoidable incidents.”

Not a punishment, but an opportunity

As of March 18, 2025, all companies covered by the NIS2 directive must have registered. The homework has only just begun. April 18, 2026, 18 months after NIS2 came into force, was the next crucial deadline: organizations had to submit an initial evaluation to demonstrate that they comply with the guidelines. “The feedback from the CCB can serve as a basis for highlighting points for improvement and providing organizations with targeted assistance in managing cyber risks. We are therefore looking forward to working with the CCB,” says Maekelberghe.

Organizations had better take the deadlines seriously. Failure to comply with NIS2 legislation can result in sanctions. Maekelberghe: “We must avoid NIS2 being seen as a ‘punishment’, but rather as an opportunity to improve the security of organizations on a continuous basis.”


Two paths to compliance

To comply with NIS2 legislation, organizations can rely on two frameworks: the CyberFundamentals Framework (CyFun) and the ISO/IEC 27001 standard. The two cannot simply be compared to one another, Maekelberghe points out. “CyFun offers a pragmatic approach to cybersecurity, while ISO/IEC 27001 is an international standard that prescribes a formal and certifiable management system for information security.”

As an IT partner for various government institutions, Smals has an important role to play on the road to compliance. Maekelberghe: “The institutions that use our services are obliged to check their service providers on the application of information security. That supply chain management creates an additional need for reporting and transparency, so that institutions can assess their own compliance.”

“Ultimately, organizations must take measures themselves based on an assessment of their own risks. An IT partner cannot guarantee compliance, but as a supplier, we do feel that need for transparency from our customers. Dependence on suppliers has become a risk, because threats in the supply chain are difficult to control,” he adds.

More than just a checklist

Since the introduction of NIS2, the cybersecurity landscape has already changed significantly. The rapid adoption of AI brings new risks. Maekelberghe sees this too. “You have to look at AI as a production tool with its vulnerabilities and as a means to carry out cyberattacks. It’s no secret that AI is used to create better phishing emails and set up attacks faster. But if the technology is not implemented thoughtfully, you increase the attack surface and therefore your own vulnerability.”

Maekelberghe is convinced that NIS2 as a regulation will stand the test of time, provided that organizations apply it correctly. “Legislation evolves at a different pace than technology and threat landscapes. On the other hand, a well-executed risk analysis and a well-drafted risk management plan—both at regular intervals for existing processes and platforms, and at the moment you start using a new technology—will help the organization to set up security correctly.”

“If this happens consistently, then NIS2 works well. We must absolutely not fall into a ‘checklist culture’ where a list of measures is checked off once. Because then you lose sight of the risks,” Maekelberghe concludes.


This editorial contribution was created in collaboration with our partner Smals.