Belgium got there early. While many EU member states only just scraped past the European deadline of October 2024, our country had already transposed the NIS2 Directive fully into national law by then — and made it operational. For large, critical organisations, that was big news. But the real surprise lies elsewhere: NIS2 reaches far beyond the handful of sectors that made the headlines. Run an accountancy firm, a law practice or a medical practice? There’s a real chance this law affects you too — not directly, but through your clients.

Here, in plain language, is what NIS2 is, whether your business is covered, and what you can concretely do about it.

What exactly is NIS2?

NIS2 is a European directive (officially Directive (EU) 2022/2555) designed to raise cybersecurity across the entire Union to a higher and more uniform level. It replaces the first NIS Directive from 2016, which proved too narrow and too non-committal for today’s threats.

In Belgium, NIS2 was transposed by the Law of 26 April 2024, supplemented by a Royal Decree of 9 June 2024. The rules have been in force since 18 October 2024. The Centre for Cybersecurity Belgium (CCB) has been designated as the national cybersecurity authority and also acts as the national CSIRT — the central point of contact for incidents.

In short: this is no longer a future concern. The law is live, and supervision has since hit its stride.

Is my business covered by NIS2?

The law distinguishes between essential and important entities. Whether you’re covered depends on two things: your sector and your size. The law lists a range of sectors — from energy, transport and digital infrastructure to healthcare, waste management and the manufacture of critical products. As a rule of thumb: if you operate in such a sector and have more than 50 employees or more than €10 million in turnover, you fall at minimum into the “important” category.

The banking and financial sector, incidentally, sits outside NIS2 — it’s governed separately by the European DORA regulation.

So for many small SMEs — the typical accountancy firm, the local law office, the GP practice — the answer is often: “no, not directly.” And that’s where most explainer articles stop. But that’s precisely where it gets interesting.

The supply chain changes everything

NIS2 obliges entities that are covered to manage the security of their entire supply chain. In other words: a hospital, a large manufacturer or a public service must not only get its own house in order, but also verify that its suppliers and service providers aren’t a weak link.

The CCB therefore explicitly advises that every organisation that might be part of the supply chain of a NIS2 entity should meet at least the “Basic” level of the CyberFundamentals framework. More than that: a NIS2 entity may contractually impose a particular CyFun level on its direct suppliers.

In practice it plays out like this. Your client is a hospital or a larger company that falls under NIS2. That client is told by the regulator to secure its chain. The result? It sends a questionnaire — or a contractual requirement — to its accountant, its IT supplier, its lawyer. The pressure flows downhill.

You don’t need to fall under NIS2 to feel its effects. You only need to have a client who does.

CyberFundamentals (CyFun): the practical route

Fortunately, the CCB didn’t just impose rules — it also provided a workable framework: CyberFundamentals, or CyFun for short. It translates the abstract obligations of NIS2 into concrete, measurable controls, and aligns with international standards such as ISO 27001 and the NIST Cybersecurity Framework.

CyFun has four levels: Small, Basic, Important and Essential. For most SMEs, Basic is the realistic target — a set of 34 controls covering the fundamentals of good cyber hygiene: know which systems you have, manage access, keep software up to date, take reliable backups and — crucially — be able to spot incidents.

That last point is no minor detail. It’s exactly where many SMEs stumble.

The role of monitoring

Read the CyFun controls carefully and you’ll notice something: a substantial share of them is about seeing what’s happening in your IT environment. An up-to-date inventory of your systems. Spotting anomalous behaviour. Logging events. Watching the availability of your services. Detecting incidents.

That is, word for word, the definition of monitoring.

And it gets more concrete still. NIS2 imposes a tight reporting timetable on entities for serious incidents: an initial warning within 24 hours, more information within 72 hours, and a final report within 30 days. But you cannot report within 24 hours an incident you never noticed. Without monitoring, you only find out something is wrong when a client calls — and by then the clock is already ticking.

Monitoring, then, is no longer a “nice to have”. It’s a demonstrable component of your compliance — the piece of evidence you can present when a client or an auditor asks: “How do you know your systems are running securely and remain available?”

What should you do now?

A few level-headed steps:

  1. Determine your position. Does your business fall directly under NIS2, or — more likely — are you in the supply chain of a client that does?
  2. Run an honest gap analysis against the CyFun Basic level. Where do you stand today, and where are the gaps?
  3. Get genuine visibility into your IT environment. Monitoring is often the fastest and most visible step toward compliance — and delivers practical peace of mind right away.
  4. Document everything. With compliance, what counts is not just what you do, but above all what you can demonstrate.

The penalties under NIS2 are steep for those directly covered — up to €10 million or 2% of global turnover for essential entities, and directors can be held personally liable. But for most SMEs, the more immediate driver is simpler: you don’t want to lose the client who asks whether you’re “compliant with NIS2”.

In closing

At first glance, NIS2 looks like heavy regulation reserved for the big players. In reality, it’s a shift that’s slowly seeping through the entire Belgian economy — via contracts, questionnaires and requirements moving from large to small. The SMEs that get their cyber hygiene and monitoring in order now won’t just avoid losing a client: they’ll turn it into a selling point.

At Althona, we help Belgian SMEs do exactly that — setting up monitoring that doesn’t just alert you when something goes wrong, but also contributes demonstrably to your CyFun and NIS2 obligations.