By 18 March 2025, Belgian entities covered by the Network and Information Security Directive 2 (NIS2) legislation had to be registered via atwork.safeonweb.be. So what comes next?
Here is a step-by-step guide to what happens after this deadline.
By 18 April 2026: Assess your cybersecurity readiness
First, you must conduct a strategic risk assessment to determine your organisation's CyberFundamentals (CyFun®) level. You can use the tool developed specifically by the Centre for Cybersecurity Belgium (CCB), which will automatically generate the appropriate CyberFundamentals Assurance Level at the end of the risk assessment process.
- For Cyfun Basic or Important Assurance Levels: entities must have their cybersecurity measures verified by an accredited Certified Assessment Body (CAB) approved for CyFun.
- For CyFun Essential Assurance Level: organisations must undergo verification as well for the Basic or Important levels first
- ISO 27001 certification: if you've opted for ISO27001 certification, you must submit your scope and statement of applicability to the CCB.
- CCB inspection: if you've chosen direct inspection by the CCB, you'll need to submit your CyFun self-assessment, information security policy or ISO27001 statement of applicability to the CCB.
By 18 April 2027: Certification and progress reporting
- For Cyfun Essential assurance level: in addition to the Basic or Important verification, entities must acquire a CyFun essential certification from an accredited CAB.
- ISO 27001 certification: those pursuing this certification must obtain it from an accredited CAB approved for ISO27001.
- CCB inspection: if you've opted for inspection by the CCB, you will need to submit a progress report on your compliance efforts.
How can Nexova can help you?
Navigating these deadlines and cybersecurity requirements under the NIS2 legislation can be complex. Nexova cybersecurity experts and regulatory specialists guide you through every step of the NIS2 compliance journey, from conducting risk assessments to obtain necessary certifications.
Board members and management teams need to be trained on cybersecurity to assume their responsibilities and liabilities as required by the NIS2 legislation. Nexova has developed a tailored NIS2 training to help executive management teams understand NIS2 requirements and reinforce their organisation’s security resilience. The training can be conducted on-site at our Cyber Centre of Excellence in Transinne, Belgium, directly at the client’s location, or in a hybrid format, combining the flexibility of remote learning with interactive engagement.