“We suggest that other member states provide as much information as possible as early as possible. Many of the questions we received could have been avoided if we had given clear explanations upfront.”
Centre for Cybersecurity Belgium
More than a year after transposing the NIS2 directive, Belgium is something of a trailblazer in Europe. With over 4,000 entities already registered and a national framework called CyberFundamentals adopted by the majority of businesses concerned, Belgium is demonstrating how to implement cybersecurity in a pragmatic and structured fashion. Other countries, still engrossed in drafting legislation, would do well to take note.
Belgium’s experience one year on
“We currently (October 2025) have 1,500 essential organizations and 2,500 important organizations registered on our portal, which is the first step towards NIS2 compliance,” reports the Centre for Cybersecurity Belgium (CCB), the country’s national cybersecurity agency. More than a year after its transposition into domestic law, Belgium’s legislation on the digital resilience of critical infrastructure is being widely implemented throughout the country.

An entity is considered “important” if it employs at least 50 people or generates more than €10 million in annual revenue, and it operates in one of the 18 sectors deemed critical, ranging from energy to transportation, healthcare, water, telecommunications, waste management, and food. Such entities are required to register on the Safeonweb@Work platform, conduct a comprehensive risk assessment, identify their vulnerabilities, and put appropriate protective measures in place (incident handling, data backups, business continuity, and disclosure of security incidents). Any significant incident must be reported to the CCB in three stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month.

Entities classified as “essential”, meanwhile, are subject to enhanced supervision and regular audits. This category covers organizations with at least 250 employees or annual revenue in excess of €50 million, operating in one of the 11 sectors deemed highly critical (energy, healthcare, transportation, financial services, digital infrastructure, public administration, space, etc.). These organizations must not only ensure their own compliance but also verify the cybersecurity of their suppliers and partners, which makes the directive indirectly applicable to a broad swath of the overall economy.

Infringements are harshly penalized: the NIS2 ceilings, mirrored in the Belgian law, are fines of up to €10 million or 2% of worldwide annual revenue (whichever is higher) for essential entities and up to €7 million or 1.4% for important entities, and directors can be held personally liable.
CyberFundamentals—the backbone of compliance in Belgium
To light the way forward for businesses, the CCB has set up the CyberFundamentals (CyFun®) framework. Belgium’s national standard is structured into three levels, from Basic to Essential, and sets the minimum cybersecurity measures to be implemented depending on an organization’s size and risk level. “The CyberFundamentals framework is very well known by the businesses concerned, and 70% of them are using it. It was designed for businesses, with input from businesses. Various stakeholders were involved in creating it, and the CCB gives due consideration to all the feedback it receives about it. As it was designed in conjunction with the business community, it has been well received,” the CCB continues, adding that the latest incarnation, the 2025 version, was presented in early November.

One important point for organizations was, and in some cases still is, understanding whether or not they fall within the scope of Belgium’s NIS2 legislation. The CCB has provided detailed information to help them understand the legal framework and its practical implications, and has built a testing tool so organizations can check their position in this regard. Another challenge was determining when an incident counts as “significant” and therefore must be reported. The CCB produced a specific guide to help organizations understand this notion too. Many questions have also been raised about registration, the practical use of CyFun®, and how it fits alongside the ISO 27001 standard.

With over a year of experience to draw on, the Belgian center has drawn some useful conclusions for countries that have not yet transposed the NIS2 directive. As the CCB says, “We suggest that other member states provide as much information as possible as early as possible. Many of the questions we received could have been avoided if we had given clear explanations upfront. We also noticed that the ‘Connect & Share’ online events were highly effective. We used them to present NIS2 and CyFun® to more than 1,000 attendees, before answering questions in the chat rooms.”
Complexity for international businesses
For most groups with subsidiaries in Europe, transposition poses a real headache. Does a business based in a country with no operational framework as yet, but with a subsidiary in Belgium that falls within the scope of NIS2, need to comply with the Belgian legislation? And once NIS2 is transposed in its home country, which set of rules takes precedence? EDF, for example, which operates in France, Italy and Belgium, has opted to follow a group policy applicable from next year. Jean-Marc Autret, Group OT CISO at EDF, explains: “This policy is fully aligned with NIS2 [link in French only], the Cyber Resilience Act adopted by the EU Council in October 2024, domestic legislation governing the French parent company, and the requirements specific to the nuclear and energy sectors. In other words, an EDF site that complies with our policy is, by design, compliant with NIS2, regardless of the domestic version transposed.”

Another issue is knowing which body to notify, and by when, if an incident occurs. Rules vary: GDPR requires personal data breaches to be notified to the supervisory authority within 72 hours of the organization becoming aware of them (albeit through a range of mechanisms), whereas in the US the deadline can be as much as 30 or even 90 days depending on the applicable rule. In Belgium, various severity and threshold criteria apply depending on the regulator concerned. For multinationals, the result is a need for constant monitoring of local legislation, multi-standard audits, and sometimes a degree of redundancy in meeting overlapping requirements, all of which complicates cyber governance and requires a high level of coordination between entities. Many stakeholders take the view that measures and procedures need to be standardized across Europe.
“When it comes to cybersecurity measures, we suggest avoiding reinventing the wheel. Many frameworks already exist and can be used by other Member States. CyFun®, for example, has already been adopted in Croatia, Ireland, and Romania. This makes life easier for multinationals operating in a number of countries,” the CCB points out, reiterating that Belgium is an active member of the NIS Cooperation Group (NISCG).
Opportunities for domestic solutions
While France has yet to complete its transposition of NIS2, one point of discussion concerns the lack of a firm direction on channeling investments towards European solutions. Sovereign detection, however, is a long-standing requirement and is not about to be removed in any upcoming legislation; doing so would contradict long-term policy. The requirement will therefore remain, but the technical solutions and associated architectures do need to be reviewed. Historically, requirements (including legal ones) have typically imposed passive network detection and response (NDR) and a fixed architecture. Techniques have changed a great deal since then: endpoint detection and response (EDR), active as well as passive NDR, and log analysis are now all in play, and effective detection requires combining several of them depending on the use case. Some countries, but not all, are fortunate enough to have “sovereign” solutions available in every necessary area. These new possibilities need to be incorporated, with simpler implementation. The debate is not one of “sovereign” versus “non-sovereign” solutions, but between different sovereign solutions: some that have dominated from the outset, and others that could prove more suitable, or a useful supplement, depending on the circumstances. The focus has to be on the outcome, namely effective detection, not necessarily on how it is achieved. Observers such as Vincent Strubel, head of France’s national cybersecurity agency, ANSSI, believe the debate is far from over and is set to continue in the coming months with all stakeholders. TheGreenBow maintains that transposition of NIS2 is a tremendous opportunity to develop digital sovereignty [link in French only] and reduce our dependency, in line with the French and German cybersecurity agencies’ joint statement ahead of the Summit on European Digital Sovereignty last November 18.
As Arnaud Dufournet, Chief Marketing Officer at TheGreenBow, points out, “The increase in cyber resilience that this will bring about is an opportunity to review previous solution choices, because alternatives do exist. We are calling for rapid implementation, as parliamentary debates have been ongoing for several months. Companies need visibility in order to plan effectively. For those with subsidiaries in Europe, including in Belgium, it is becoming difficult to juggle differing regulatory requirements.”

Legislators in the laggard countries do appear to be listening to this plea. France, Spain and the Netherlands are the largest EU economies yet to transpose NIS2; transposition is complete in 17 member states, including Italy, most Eastern European member states (with the exception of Poland) and, most recently, Germany.