HEDYLIUM

NIS2: is your organisation in scope?

The European NIS2 directive was transposed into Belgian law by the Act of 26 April 2024, which entered into force on 18 October 2024. The Centre for Cybersecurity Belgium (CCB) is the national authority for it. Two combined criteria determine whether an organisation is in scope: its size and its sector of activity.

The size criterion

The law applies, in principle, to organisations that reach at least the size of a medium-sized enterprise — that is, at least 50 staff, or an annual turnover or balance-sheet total above 10 million euros. Below these thresholds, an organisation is in principle out of scope, save for exceptions (see below).

The sector criterion

The organisation must also operate in one of the sectors listed by the directive, which are split across two annexes.

Annex I gathers the highly critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, space.

Annex II covers other critical sectors: postal and courier services, waste management, chemicals, production and distribution of food, manufacturing (medical devices, electronic products, electrical equipment, machinery, vehicles), digital providers, research.

Essential or important entity

The law distinguishes two statuses, which set the intensity of supervision. An essential entity is a large enterprise active in an Annex I sector — at least 250 staff, or a turnover above 50 million euros. An important entity is a medium-sized enterprise in an Annex I sector, or an enterprise (large or medium) in an Annex II sector.

Essential entities are supervised proactively; important entities reactively, triggered by an incident or a report.

The size exceptions

Some organisations fall under NIS2 regardless of their size, because of their role in the digital ecosystem: DNS service providers, top-level domain name registries, qualified trust service providers, and certain federal public-administration entities.

Once scope is established

Entities in scope had to register with the CCB — by 18 December 2024 for the digital sector, and by 18 March 2025 for the rest. The CCB offers the CyberFundamentals framework to implement the expected measures, graded across four levels (Small, Basic, Important, Essential). Essential entities must reach the Basic or Important level before 18 April 2026, then have the required level certified before 18 April 2027.

Determining your status means cross-checking these criteria against your actual situation; that is the starting point of any engagement.
