The NIS2, transposed into Belgian law on 18 October 2024, aims to strengthen cyber security across essential sectors. Its scope extends far beyond the NIS1, encompassing industries such as energy, healthcare and transport, as well as public administrations and smaller organisations critical to maintaining societal functions.
“Businesses fall into two compliance categories: important or essential. Each tier mandates specific rules,” Noëmie Honoré, Global Cybersecurity Lead Belgium and Luxembourg at Wavestone, explains. “To achieve NIS2 compliance, Belgian organisations can align their cyber security practices with the globally recognised ISO 27001 standard, or adopt the CyFun framework designed by the Centre for Cybersecurity Belgium, which offers a tiered security maturity system.”
The CRA, on the other hand, addresses a critical gap in the cyber security ecosystem: the security of digital products. “Covering hardware, software and their supporting components, CRA ensures that products meet stringent cyber security standards throughout their lifecycle. The regulation introduces distinct responsibilities for manufacturers, importers and distributors, emphasising product security, vulnerability management and the provision of clear user documentation,” Honoré adds. The regulation was approved in 2024 by the European Parliament, and is directly applicable in all member states. Businesses have until 2026 to achieve compliance.
Navigating compliance challenges
For Belgian businesses, these regulations come with significant challenges. The overlapping demands of the NIS2, CRA and other frameworks, such as the Digital Operational Resilience Act (DORA) and the AI Act, create a complex compliance landscape.
“Determining whether an organisation qualifies as ‘important’ or ‘essential’ under the NIS2, or differentiating between ‘critical’ and ‘non-critical’ products under the CRA, requires careful analysis. Additionally, the evolving cyber threat landscape, marked by ransomware, supply chain vulnerabilities and advanced and persistent threats, complicates compliance efforts. Limited expertise and resources, particularly for small and medium-sized enterprises, further exacerbate these difficulties.”
Despite these challenges, the potential benefits of compliance are substantial. Honoré explains, “It’s an opportunity for businesses to embed cyber security into their DNA. By aligning with these standards, organisations not only enhance their resilience but also build trust with stakeholders and gain a competitive edge in a market increasingly aware of digital security issues.” The CRA’s focus on product security offers manufacturers a chance to address vulnerabilities proactively, boosting market credibility. Meanwhile, the NIS2’s emphasis on broader organisational security is reducing the likelihood and impact of attacks in Belgium.
Approach and collaboration
To navigate this regulatory shift, Belgian businesses should take a structured approach. “Conducting comprehensive assessments of current cyber security practices, identifying gaps, and developing targeted action plans are crucial first steps. Enhancing cyber security maturity, strengthening supply chain security, and embedding incident response protocols into organisational processes will ensure readiness. Equally important is fostering a culture of cyber security awareness through continuous training and communication,” Honoré explains.
Collaboration will play a pivotal role in this transition. “By engaging with industry associations, government bodies such as the CCB and cyber security experts, the Cyber Security Coalition can access valuable insights and guide Belgian organisations in their cyber compliance journeys. Progress is the main goal. These regulations should not be seen as mere checklists, but as tools to build a stronger, more secure digital ecosystem for everyone,” Noëmie Honoré concludes.
The NIS2 and CRA regulations mark a turning point for Belgian businesses, urging them to re-evaluate their cyber security strategies and adapt to a rapidly evolving landscape. Though the road to compliance may be demanding, the rewards - from enhanced operational resilience to increased stakeholder trust - promise a safer and more prosperous digital future.