NextdoorSec
Advisory

NIS2 is here: what it actually means for Belgian businesses

The NIS2 rules are now in force in Belgium, and far more companies are in scope than realise it. Here is the plain-language version of what you have to do.

by Aydan Arabadzha

If you run a business in Belgium and you have not yet worked out whether NIS2 applies to you, this is the post to read. The directive is no longer a future problem. It has been transposed into Belgian law, the Centre for Cybersecurity Belgium (CCB) is the supervisory authority, and the obligations are live.

Here is the plain-language version, without the legal fog.

Who is actually in scope

NIS2 widened the net dramatically compared to the original NIS directive. It now covers two tiers, "essential" and "important" entities, across far more sectors: energy, transport, banking, health, water, digital infrastructure, public administration, postal services, manufacturing, food, chemicals, and more.

The rule of thumb most businesses can start with: if you operate in one of the covered sectors and you are a medium or large company (roughly 50+ staff or over €10M turnover), assume you are in scope until you have confirmed otherwise. Plenty of mid-sized Belgian companies that never thought of themselves as "critical infrastructure" now fall under it, often through their supply chain.

If you are not sure, that uncertainty is itself the first thing to fix.

What you are expected to do

NIS2 is built around risk management, not paperwork for its own sake. The core obligations come down to a handful of things:

  • Take appropriate technical and organisational measures to manage the risks to your systems. This explicitly includes things like testing, vulnerability handling, secure configuration, and access control.
  • Report significant incidents to the CCB, fast. There is an early-warning obligation within 24 hours and a fuller report within 72 hours.
  • Make management accountable. Boards and directors are now on the hook for cyber risk, and can be held personally responsible for failing to oversee it.
  • Manage supply-chain risk. You are expected to account for the security of your suppliers and service providers, not just your own walls.

The phrase that matters most in the text is "appropriate measures." Regulators will judge you on whether your security is proportionate to your risk, and on whether you can show it.

Where penetration testing fits

NIS2 does not say "you must run a penetration test" in those exact words. What it says is that you must take measures appropriate to the risk and be able to demonstrate they work. That is exactly what offensive testing gives you.

A penetration test is how you prove, with evidence, that your measures hold up against a real attacker rather than just existing on paper. It produces the documented findings, the remediation trail, and the retest results that show a regulator, an insurer, or a board you took the risk seriously. Vulnerability assessment gives you the ongoing visibility between tests.

In practice, the companies handling NIS2 well are doing three things: mapping their attack surface, testing it honestly, and keeping a paper trail of what they found and fixed.

A sensible first move

You do not need to solve all of NIS2 in a week. A realistic starting point looks like this:

  • Confirm whether you are in scope, and which tier.
  • Map what you actually expose to the internet. Most organisations are surprised.
  • Get an independent test of the assets that matter most.
  • Use the findings to build a prioritised plan you can show your board.

If you want help with that first step, run a free website scan to see your external exposure in 30 seconds, or talk to an operator and we will help you scope it properly.

NIS2 is not the end of the world. It is mostly a push to do the things good security teams were already doing. The companies that treat it as a forcing function, rather than a box to tick, come out genuinely harder to breach.

#NIS2 #compliance #Belgium #risk-management