
One year of NIS2 in Belgium

Where do we stand?

On 18 October 2024, the NIS2-Directive (Directive 2022/2555) came into force, marking the EU’s most ambitious effort yet to strengthen cybersecurity across strategic sectors.

One year later, many organizations are still navigating its practical implications as compliance challenges and interpretive uncertainties persist.

1. Fragmented implementation across the EU

Unlike a regulation, NIS2 is a directive that each EU Member State needs to transpose into national law.

Belgium took the lead, adopting its NIS2-Act on 26 April 2024, well ahead of the 17 October 2024 deadline. Elsewhere, progress has been uneven: as of October 2025, only around half of the EU Member States have completed the transposition process.

This fragmented transposition and the associated regulatory patchwork create real challenges for organizations operating across borders, including diverging:

  • cybersecurity standards and practices;
  • reporting thresholds and timelines; and
  • enforcement approaches and sanction regimes.

Such fragmentation makes it very difficult for international organizations to implement a coherent, group-wide compliance program, especially where the same systems or supply chains span multiple jurisdictions.

2. Who falls under NIS2? Scoping is still a headache

Determining whether an organization is in scope – and whether it qualifies as an essential or important entity – remains one of the most complex steps.

Under NIS2, scope is determined based on three cumulative criteria: (1) sector, (2) establishment, and (3) size. In practice, the sector and size tests generate most uncertainty.

The scope has expanded significantly, now covering 18 sectors – ranging from energy, transport, and health to manufacturing, chemicals, food production, ICT services, and public administration. Some categories are clearly defined through NACE codes, while others refer to sector-specific EU legislation, making the scoping analysis a legally and factually technical exercise.

The Centre for Cybersecurity Belgium (CCB), acting as national authority, has published extensive guidance and FAQs. For instance, it clarified that:

  • organizations operating solar or wind installations connected to the electricity grid, even primarily for self-consumption, fall under NIS2 (though with lighter supervision); and
  • certain actors in the chemicals sector not covered by REACH registration obligations are still in scope.

For the size criterion, only entities that qualify as at least medium-sized enterprises (per Commission Recommendation 2003/361/EC) are generally included. However, for group structures, calculating size can be challenging, as linked or partner enterprises must aggregate their personnel and financial data, which often requires a full group-level mapping exercise (a step that organizations frequently misunderstand).

3. Supply chain security – A tough nut to crack

One of NIS2’s most impactful and demanding obligations concerns supply chain and supplier risk management. In-scope entities must assess and mitigate cybersecurity risks in their relationships with direct suppliers and service providers.

Many organizations are now reviewing and updating contracts to address these new requirements by including:

  • cybersecurity risk assessment and assurance clauses;
  • incident notification obligations;
  • audit and due diligence rights;
  • subcontracting arrangements; and
  • insurance or liability provisions tied to cyber incidents.

However, practical implementation remains uneven, and suppliers often push back against broad rights and obligations. Balancing risk management expectations with commercial feasibility will remain a key challenge for years to come.

4. Conformity assessments – CyberFundamentals 2025

Belgium’s NIS2 regime requires essential entities to undergo regular conformity assessments, while important entities may do so voluntarily. Entities can choose between:

  • certification under the CyberFundamentals Framework (CyFun®);
  • ISO/IEC 27001 certification; or
  • a direct inspection by the CCB.

The CCB recently introduced CyberFundamentals version 2025, a significant update that aligns more closely with NIS2 and current cybersecurity practices. Key updates include:

  • a stronger focus on supply chain security;
  • clearer governance and accountability controls; and
  • more practical implementation guidance for conformity assessments.

5. Cybersecurity as a board level issue

NIS2 firmly places cybersecurity on the boardroom agenda.

Management bodies must approve, oversee, and periodically review cybersecurity risk management measures and must undergo training to ensure adequate knowledge and awareness.

The term ‘management body’, however, is defined neither in the NIS2-Directive nor in the Belgian NIS2-Act. Only the explanatory memorandum to the Belgian NIS2-Act (as referenced by the CCB in its FAQ) provides guidance in this respect.

Uncertainty remains as to how this concept of management body (and the interpretation provided in the explanatory memorandum) interacts with the corresponding concepts in Belgian corporate law, and with the directors’ liability regime set out in articles 2:56-2:58 of the Belgian Companies and Associations Code. That regime limits liability for management errors to conduct clearly outside the margin of a normal and careful director placed in the same circumstances, and caps damages (with some exceptions).

Boards are advised to:

  • integrate cybersecurity into governance frameworks;
  • review D&O insurance for coverage of cyber-related liabilities; and
  • schedule board-level cyber training in line with Article 31 of the Belgian NIS2 Act.

6. Looking ahead

One year in, Belgium may be ahead of the curve, but most organizations are only now confronting the real work of NIS2: operationalizing cybersecurity governance, supply chain controls, and board-level accountability.

The next 12 months will bring:

  • increased scrutiny from the CCB and sectoral authorities;
  • more internal and external pressure to level up cybersecurity risk-management measures;
  • stronger expectations around supply chain security and monitoring; and
  • cross-border implementation challenges as more EU Member States adopt (possibly diverging) national NIS2 laws.

For many, the next year will be the year of turning frameworks into habits – where cybersecurity risk management becomes an integral part of how organizations operate and make decisions.
