Cyber security regulations and frameworks in Belgium 🇧🇪
Cyberday blog

The Belgian cybersecurity environment is shaped by a mix of national laws and European Union regulations. The country hosts critical infrastructure operators, financial institutions and digital service providers that must meet rigorous security standards. National instruments such as the NIS2 Law and the CyberFundamentals framework complement EU-wide rules and translate them into concrete Belgian obligations.

Compliance with Belgian and EU cyber security rules is essential for protecting sensitive data, maintaining trust and meeting legal obligations. This article covers the key frameworks relevant to Belgian companies: the national NIS2 Law and the CyberFundamentals framework, EU regulations such as the CRA, DORA and the GDPR, and the widely adopted international standard ISO/IEC 27001.

Framework | Origin | Sector / Focus | Mandatory? | Key requirements
NIS2 Law (Belgium) | Belgium (transposes EU Directive 2022/2555) | Critical infrastructure & digital services | Yes | Risk management, incident reporting, governance responsibilities
CyberFundamentals (CyFun) | Belgium (CCB) | Organizations of any size; recognised route to NIS2 conformity | No (voluntary in itself; certification can be used to demonstrate NIS2 compliance) | Tiered controls at Small, Basic, Important and Essential levels
GDPR | EU | All sectors (personal data) | Yes | Lawful processing, DPO where required, breach notification, data subject rights
CRA (Cyber Resilience Act) | EU | Products with digital elements (hardware and software) | Yes (obligations phase in 2026–2027) | Secure development, vulnerability handling, security updates over the support period
DORA | EU | Financial sector | Yes (applies since 17 January 2025) | ICT risk framework, incident classification and reporting, resilience testing
ISO/IEC 27001 | International (ISO/IEC) | All sectors | No | ISMS, risk treatment, Annex A controls, continual improvement

What is NIS2 Law (Belgium)?

The Belgian NIS2 Law is Belgium's transposition of the EU directive

The Belgian NIS2 Law, adopted in April 2024 and applicable since 18 October 2024, transposes the EU NIS2 Directive into national law with some national adaptations. Aimed at raising cybersecurity across critical infrastructure and essential services, it focuses on risk management measures, incident reporting and clear accountability of the management body for cybersecurity.

It aligns closely with the EU NIS2 Directive but includes specific provisions reflecting Belgium's national cybersecurity strategy, notably the use of the CyberFundamentals framework and ISO/IEC 27001 certification as ways to demonstrate conformity. Compared to GDPR, which protects personal data, NIS2 targets the operational security of network and information systems. ISO 27001 is a voluntary framework for managing information security, while the NIS2 Law is mandatory for entities in the defined sectors.


Who must comply with NIS2 Law (Belgium)? 

The law applies to two main groups:

  • Essential entities: mainly large organizations in the highly critical sectors of Annex I, such as energy, transport, banking and financial market infrastructure, health, drinking and waste water, digital infrastructure and public administration.
  • Important entities: medium-sized organizations in those same sectors, plus entities in the other critical sectors of Annex II, such as postal and courier services, waste management, chemicals, food, manufacturing and digital providers.

Classification depends primarily on the sector and on the entity's size, but small entities can still be in scope: for example when they are the sole provider of a service in Belgium, when a disruption would have a significant cross-border impact, or when the authorities designate them as essential or important.

The Centre for Cybersecurity Belgium (CCB) is the national competent authority and enforces the law; sanctions range from binding instructions to administrative fines. For example, an essential entity that fails to send the 24-hour early warning for a significant incident can be fined.

What are the main requirements of NIS2 Law (Belgium)?

The law is structured into several obligations, including:

  • Governance: the management body approves the cybersecurity risk-management measures, oversees their implementation, can be held liable for non-compliance and must follow cybersecurity training.
  • Risk management: appropriate and proportionate technical, operational and organizational measures (e.g. access control, network segmentation, multi-factor authentication, encryption, vulnerability handling).
  • Incident reporting: for significant incidents, an early warning to the CCB within 24 hours, a full incident notification within 72 hours and a final report within one month.
  • Business continuity: backup management, crisis management and disaster recovery.
  • Supply chain security: assess and manage the risks arising from direct suppliers and service providers.
  • Regular compliance monitoring: conformity assessment (CyFun or ISO 27001 certification, or CCB inspection), internal audits and corrective actions.

The obligations themselves cannot be opted out of; what the law allows is proportionality, meaning the depth of the measures is scaled to the entity's size, exposure and the likely impact of an incident. Belgium routes incident notifications through the CCB and may add sector-specific reporting channels and additional checks.


NIS2 Law (Belgium) best practices and common challenges

Well-prepared organizations maintain documented cybersecurity policies, run regular risk assessments and rehearse incident response plans against the 24-hour, 72-hour and one-month reporting deadlines.

Common challenges Belgian companies face include:

  • Interpreting the overlap between NIS2 and GDPR obligations (especially around breach reporting).
  • Adapting internal processes for tight reporting deadlines (e.g., 24 hours).
  • Lack of in-house expertise to implement security governance and documentation from scratch.

What is CyberFundamentals?

Belgium's national cybersecurity framework CyberFundamentals

CyberFundamentals (CyFun) is the cybersecurity framework published by the Centre for Cybersecurity Belgium (CCB). Built on NIST CSF, ISO/IEC 27001/27002, CIS Controls and IEC 62443, it gives organizations of any size a set of concrete, prioritized measures, starting from basic hygiene such as strong authentication, timely software updates and employee awareness.

It complements the NIS2 Law rather than competing with it: the lower levels give smaller or lower-risk organizations an accessible starting point, while the Important and Essential levels correspond to the measures NIS2 entities must have in place, and CyFun certification is one of the accepted ways to demonstrate NIS2 conformity in Belgium. Unlike GDPR's focus on personal data, CyberFundamentals centers on operational security fundamentals. ISO 27001 is more comprehensive and formal; CyFun is designed as a prescriptive, easy-to-start alternative.

Who must comply with CyberFundamentals?

The framework is voluntary in itself and open to any Belgian organization. It is most relevant for SMEs in critical value chains, for suppliers to public-sector clients, and for entities in scope of the NIS2 Law, which can use CyFun verification or certification to demonstrate conformity. In some sectors (healthcare, public procurement, utilities) customers or sector bodies may also require it contractually; elsewhere it is recommended as good practice.

The CCB maintains the framework and a free self-assessment toolset, and the Cyber Security Coalition helps promote adoption; certification is issued by accredited conformity assessment bodies. There are no penalties attached to the framework itself; consequences only arise where CyFun is used to meet a legal obligation such as NIS2, or a contractual one.

What are the main requirements of CyberFundamentals?

CyberFundamentals uses a checklist-style structure with four assurance levels: Small, Basic, Important and Essential. Small is the starting point for micro-organizations with limited IT; each further level builds on the previous one, with practical tasks like:

  • Basic: strong passwords, antivirus, software updates, limited admin access.
  • Important: firewall configuration, employee training, backup verification.
  • Essential: secure remote access, incident response plan, log monitoring.

This modular structure makes it easy for SMEs to start small and expand. The controls are mandatory within each level, but organizations choose the level that matches their risk profile, or the level their regulator or customer requires.


CyberFundamentals best practices and common challenges

SMEs often start with password and MFA policies, regular tested backups, and phishing awareness training. Challenges include limited budget and in-house expertise, and understanding which cybersecurity basics matter most. Belgian SMEs also sometimes confuse CyFun with their overlapping obligations under GDPR or NIS2.

Read more: What is CyberFundamentals? 🇧🇪 Belgium's cybersecurity framework

What is GDPR?

GDPR in Belgium

The General Data Protection Regulation (GDPR) is an EU regulation protecting the privacy and security of personal data. It applies to all organizations processing personal data of individuals in the EU, even if the organization itself is not established in the EU.

Unlike frameworks like NIS2 or ISO 27001, GDPR focuses on privacy rights, lawful processing, and transparency rather than technical security controls alone. However, the regulation requires organizations to implement appropriate technical and organizational measures to protect personal data—which creates overlap with cybersecurity practices.

Who must comply with GDPR? 

All organizations processing personal data of individuals in the EU, regardless of where they are located, must comply. The Belgian Data Protection Authority (DPA / GBA / APD) enforces GDPR in Belgium.

Penalties can reach up to 4% of global annual turnover or €20 million, whichever is higher.

What are the main requirements of GDPR?

GDPR lays out obligations across several key areas:

  • Lawful basis: all data processing must have a clear legal justification (e.g. consent, contract, legal obligation).
  • Transparency: companies must clearly inform individuals about how their data is used (via privacy notices).
  • Data subject rights: individuals have rights to access, correct, delete, and object to processing.
  • Security measures: appropriate technical and organizational protections are required (but not prescriptive).
  • Data Protection Officer (DPO): required for public authorities and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data.
  • Breach notification: personal data breaches likely to result in a risk to individuals must be reported to the DPA within 72 hours of becoming aware of them; affected individuals must be informed without undue delay when the risk is high.

GDPR is structured across 99 articles and 173 recitals, but practical compliance typically concentrates on the key obligations above.

GDPR best practices and common challenges 

Belgian companies often maintain a Record of Processing Activities (ROPA), conduct DPIAs for high-risk processing, and train staff on data handling. Many use templates to manage data subject requests.

Common challenges include unclear legal bases, delayed breach reporting, and limited oversight of third-party processors. There's also confusion between GDPR privacy rules and NIS2 cybersecurity duties. Some adopt ISO 27701 to support structured privacy management.

What is CRA (Cyber Resilience Act)?

Cyber Resilience Act (EU) in Belgium

The Cyber Resilience Act is an EU regulation setting security requirements for digital products and connected devices sold in the EU market. It aims to close the current gap where many products are shipped with little or no built-in security, leaving users exposed to exploitation.

CRA applies across the full product lifecycle, from design and development to maintenance and security updates. It is one of the first EU regulations to impose security obligations directly on manufacturers, importers and distributors of products with digital elements. Unlike GDPR or NIS2, which target organizational or service-level cybersecurity, CRA focuses specifically on product-level resilience.

Who must comply with CRA?

CRA applies to any entity that manufactures, imports or distributes products with digital elements on the EU market, regardless of where it is based. This includes:

  • Belgian tech companies developing connected devices, embedded firmware or software applications
  • Global software vendors offering downloadable apps in the EU
  • Retailers and distributors selling smart products in Belgium

Pure cloud services such as SaaS fall outside the CRA (they are covered by NIS2 instead), unless the remote processing is an integral part of a product's functions.

National market surveillance authorities enforce the regulation. Non-compliance with the essential requirements can lead to fines of up to €15 million or 2.5% of global annual turnover, whichever is higher, as well as product recalls or sales bans.

What are the main requirements of CRA?

CRA sets out baseline cybersecurity requirements, including:

  • Secure development: products must be designed, developed and shipped with no known exploitable vulnerabilities and with an attack surface minimized by design.
  • Default security settings: secure configuration out of the box, without requiring user hardening.
  • Vulnerability management: manufacturers must document components (including an SBOM), accept and handle vulnerability reports, fix issues promptly, and report actively exploited vulnerabilities and severe incidents to the authorities within 24 hours of becoming aware of them.
  • Update support: security updates must be provided free of charge for the product's support period.
  • Compliance documentation: a cybersecurity risk assessment, technical documentation and an EU declaration of conformity, with CE marking.

These requirements apply before the product is sold (pre-market) and after it’s deployed (post-market), ensuring long-term resilience.

CRA best practices and common challenges

Belgian manufacturers are starting to integrate secure coding practices into their software development lifecycle (SDLC), automate vulnerability scans, and document compliance evidence early. Many are also establishing product security incident response teams (PSIRTs) to handle post-market issues efficiently.

Challenges include retrofitting older products that weren’t built with security in mind, budgeting for lifecycle update support, and understanding how CRA overlaps with other laws like the Radio Equipment Directive or existing CE marking rules.

What is DORA?

DORA in Belgium

The Digital Operational Resilience Act (DORA) is an EU regulation focusing on information and communication technology (ICT) risk management in the financial sector.

DORA was introduced to close the gap between existing financial supervision and cybersecurity, unifying rules across banks, insurers, investment firms and their ICT third-party providers. It complements sector-specific guidance (such as the EBA and ECB guidelines) with one horizontal digital-resilience framework for financial services. Unlike ISO 27001, which is voluntary, DORA is legally binding across the EU, including Belgium.

Who must comply with DORA?

DORA applies to a wide range of financial sector entities, including:

  • Banks, credit institutions, and payment firms
  • Insurance and reinsurance companies
  • Investment firms, crypto-asset service providers
  • Critical ICT third-party service providers (CTPPs), which are placed under direct EU oversight

If a company is regulated under EU financial laws, it’s most likely covered by DORA. This includes Belgian firms supervised by FSMA (Financial Services and Markets Authority) or the National Bank of Belgium (NBB).

DORA has applied since 17 January 2025. Supervisory authorities can impose corrective actions and administrative fines, and can require a financial entity to suspend or terminate its use of a critical third-party service.

What are the main requirements of DORA?

DORA sets mandatory rules in five key areas:

  1. ICT risk management: maintain policies, controls, and governance to manage cyber risk end-to-end.
  2. Incident reporting: classify ICT incidents and report major ones to regulators within tight timelines.
  3. Digital operational resilience testing: run periodic penetration tests and scenario-based tests.
  4. Third-party risk management: assess, monitor, and contractually control ICT service providers.
  5. Information sharing: encourage trusted threat intelligence sharing among regulated entities.

These rules are set out in the regulation's 64 articles and fleshed out by regulatory and implementing technical standards from the European supervisory authorities (EBA, ESMA, EIOPA).

DORA best practices and common challenges

Financial organizations in Belgium are preparing for DORA by expanding their ICT governance frameworks, updating contracts with cloud and SaaS providers, and setting up incident classification systems aligned with DORA’s thresholds. Many are aligning their internal policies with existing ISO 27001 or NIST standards, but DORA requires a more granular focus on operational testing and third-party oversight.

Common challenges include mapping out all ICT dependencies (especially in complex supplier chains), aligning DORA with multiple overlapping EU and national regulations, and preparing for mandatory resilience testing, which many firms have never done before.

What is ISO 27001?

ISO/IEC 27001 in Belgium

ISO/IEC 27001 is the leading international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive data and security risks.

While it’s not legally required in Belgium or the EU, it’s widely adopted across sectors as a recognized best practice for protecting data, reducing risk, and building trust.

Who should adopt ISO 27001?

ISO 27001 is suitable for any organization, regardless of size or sector, that wants to manage information security systematically.

Adoption is voluntary, but clients (especially in B2B) often require certification as a contractual or due diligence condition. Certification is issued by accredited bodies and typically valid for three years, with annual surveillance audits.

There are no legal penalties for not being certified, but lack of structured security practices can increase breach risk, regulatory scrutiny, or missed business opportunities.

What are the main requirements of ISO 27001? 

The standard requires organizations to:

  • Establish an ISMS scope and leadership commitment
  • Identify and treat risks via a formal risk assessment
  • Define security objectives and roles
  • Implement and maintain controls selected from Annex A (93 controls in 4 themes in ISO/IEC 27001:2022), documented in a Statement of Applicability
  • Conduct internal audits, management reviews, and drive continuous improvement

Controls cover everything from access management and encryption to physical security and supplier evaluation. ISO 27001 doesn’t dictate which controls to implement—but expects organizations to justify their choices based on risk.

ISO 27001 best practices and common challenges 

Organizations pursuing ISO 27001 in Belgium typically start by assigning an internal or external ISMS lead, conducting a gap analysis, and defining a simple risk methodology. They build a documentation set covering policies, procedures, asset inventories, and risk logs. Many use tools to track compliance, automate reviews, and support audits.

Common challenges include resource constraints, especially in SMEs; difficulty in assigning ownership for controls; and failing to embed the ISMS into everyday processes, which turns certification into a one-time project rather than an ongoing practice.

FAQ: Belgium cybersecurity compliance

What regulations apply to foreign companies operating in Belgium? 

Foreign companies processing personal data of individuals in Belgium must comply with GDPR, and those providing in-scope services in Belgium (for example digital infrastructure or cloud services) fall under the NIS2 Law. Establishing a local presence or targeting Belgian customers is what triggers the obligations.

Can ISO 27001 certification cover local compliance needs?

ISO 27001 aligns well with Belgian and EU cybersecurity requirements but does not replace mandatory laws. Gaps exist in specific incident reporting and data protection rules.

What’s the best starting point for compliance in Belgium?

Begin by mapping applicable laws based on sector and data processed, then conduct a risk assessment to prioritize controls.

What tools or services are useful locally?

Belgian national resources such as the Centre for Cybersecurity Belgium (CCB), with its CyberFundamentals toolset and Safeonweb guidance, cybersecurity consultancies, and EU support platforms help with compliance. Cyberday offers assistance with EU and local NIS2 implementations.

How do these frameworks interact?

They complement each other: GDPR handles data privacy, NIS2 and national laws focus on operational security, while ISO 27001 provides a management system foundation. Prioritize based on legal mandates and business impact.

Are there any upcoming changes to be aware of?

Belgium's NIS2 Law has applied since 18 October 2024, with registration and conformity-assessment deadlines phasing in for essential and important entities. The CRA entered into force in December 2024: its vulnerability and incident reporting obligations apply from September 2026 and the remaining requirements from December 2027. Staying informed on these evolving rules is crucial.
