Get in touch with our experts for a no-obligation advisory conversation.
Toreon Office | Grotehondstraat 44 1/1 - 2018 Antwerpen | +32 3 369 33 96
2026: The Year Cyber Compliance Becomes Mandatory
2026: The Year Cyber Compliance Becomes Mandatory
For many Belgian organizations, 2026 is the year where cybersecurity compliance moves from “important topic” to “non‑negotiable business requirement.” NIS2 and the Cyber Resilience Act (CRA) sit at the center of this shift, with other EU regulations tightening the pressure around them.
This article zooms in on NIS2 and CRA—their deadlines, scope, and impact on Belgian companies—while briefly highlighting DORA, the AI Act and GDPR where they intersect. Where we see unclear or conflicting information in public sources, we call it out explicitly so you can plan with eyes wide open.
Get in touch with our experts for a no-obligation advisory conversation.
Table of Contents
1. NIS2 in Belgium: 2026 is the first big test
Belgium is one of the few EU countries that fully transposed NIS2 on time. The Belgian NIS2 law (Law of 26 April 2024) entered into force on 18 October 2024 and replaces the former NIS1 Act. From that date, in‑scope entities must implement minimum security measures and report significant incidents to the Centre for Cybersecurity Belgium (CCB).
1.1 Key NIS2 dates in Belgium
| Milestone | Date | What it means for you |
|---|---|---|
| Law in force | 18 Oct 2024 | NIS2 obligations apply; incident reporting to CCB becomes mandatory. |
| Registration (most entities) | 18 Mar 2025 | Essential and important entities registered via Safeonweb@Work. |
| Registration (digital providers) | 18 Dec 2024 | Cloud, data centres, MSP/MSSP, online platforms register earlier. |
| First verification deadline | 18 Apr 2026 | Basic/Important CyFun verification or equivalent ISO 27001 progress. |
| Certification for essential entities | 18 Apr 2027 | Essential entities must hold full certification (in case of CyFun Essential assurance level or ISO 27001). |
1.2 Who falls under NIS2 in Belgium?
NIS2 applies to companies active in “highly critical” and “critical” sectors. Whether you are an “important” or “essential” entity depends on a combination of the sector you’re in and the size of the company, from a headcount or financial perspective.
Sector & size logic (Belgium)
Large company: Staff headcount of at least 250 FTEs OR (> € 50 m annual turnover AND > €43 m annual balance sheet total).
Medium-sized company: Staff headcount of at least 50 FTEs OR (> € 10 m annual turnover AND > € 10 m annual balance sheet total).
| Sector | Size | Category |
|---|---|---|
| Highly Critical Energy, healthcare, drinking/waste water, digital infrastructure, public admin, transport infrastructure, banking & FMIs, space. | Large company | ESSENTIAL |
| Medium-sized company | IMPORTANT | |
| Critical Postal/courier, waste management, chemicals, food production, manufacturing (incl. medical devices & electronics), digital providers, research. | Large company | IMPORTANT |
| Medium-sized company | IMPORTANT |
Directly named sectors in the Belgian law include energy, banking, healthcare, water treatment, digital infrastructure, public administrations and operators of transport infrastructure such as ports, airports and rail infrastructure—not every individual transporter.
Remark: Micro and small entities can still be scoped in if they are the sole provider of an essential service in each Member State or play a key role in critical supply chains.
1.3 What NIS2 actually expects by April 2026
By 18 April 2026, Belgian NIS2 Essential entities must be able to prove that they have implemented a baseline of security controls and governance. The CCB recognizes several routes: whether you choose the ISO- or CyFun route, companies need to demonstrate they have taken the CyFun Controls into account.
The CyFun controls you must implement are based on the CyFun assurance level you need to reach and this is determined based on a risk assessment. The CCB has prepared a risk assessment tool which contains the initial risk analysis per sector, based on relevant incident and threat information. This spreadsheet can be downloaded from the Safeonweb at work portal. In case you alter the default values and receive a lower CyFun assurance level, you must provide substantial evidence validated by management to support your case. It is the assurance level based on this risk assessment that determines the next steps.
The CyberFundamentals levels referred to in the table below reference the target CyFun, not the NIS2 entity level. As an example: you may be a NIS2 Essential entity, but have a CyFun assurance level of important. As an essential entity, you must submit evidence by April 18th 2026 and 2027, but the assurance level is considered to determine whether you need a CyFun “verification” or “certification”. NIS2 important entities do not need to provide evidence by these two dates, but do need to comply with the law, of course. Verification or certification is voluntary for these entities.
| Route | 2026 requirement | 2027 requirement |
|---|---|---|
| CyberFundamentals – Basic | Basic verification by 18 Apr 2026. | Maintain verification; may need to step up to Important/Essential later. |
| CyberFundamentals – Important | Basic or Important verification by 18 Apr 2026. | Important verification by 18 Apr 2027 if not already obtained. |
| CyberFundamentals – Essential | At least Basic/Important verification by 18 Apr 2026. | Essential certification by 18 Apr 2027. |
| ISO 27001 | Submit scope (must be entire company) + Statement of Applicability (SoA) of future certification + internal audit report to show compliance with at least CyFun Basic to CCB by 18 Apr 2026. | Achieve full ISO 27001 certification by 18 Apr 2027. |
| CCB / sector inspection | Demonstrate compliance during inspection (more bespoke approach). | Follow inspection findings and possible follow‑up audits. |
All verifications and certifications need to be executed by a CAB (Conformity Assessment Body) accredited by the CCB. The list of accredited CABs can also be found on the Safeonweb at work portal.
Core obligations behind the badges (simplified):
- Governance: board accountability, risk management, security policy, cyber KPIs.
- Protection: access control, network segmentation, secure configuration, awareness.
- Detection & response: incident detection, playbooks, crisis management, reporting within 24h/72h/30 days using CCB templates.
- Supply chain security: demonstrable security expectations for suppliers and MSPs.
The CyFun® framework is now explicitly embedded in Belgian law as a way to “assume, until proven otherwise,” NIS2 compliance when the required level is achieved. Directors are personally liable in case of serious failures and can face significant fines.[4][6][5]
1.4 Penalties and management liability
The Belgian NIS2 regime foresees serious sanctions for persistent non‑compliance:[6][28]
- Essential entities: up to €10 million or 2% of global annual turnover, whichever is higher.
- Important entities: up to €7 million or 1.4% of global annual turnover.
- Management can be temporarily banned from exercising managerial functions in serious cases.[28][4][6]
For many boards, NIS2 is the first time cyber risk has been translated directly into personal legal exposure.
2. The Cyber Resilience Act: product security becomes a legal obligation
Where NIS2 focuses on organizational resilience, the Cyber Resilience Act (CRA) targets the security of products with digital elements—from software and IoT to connected industrial systems.
2.1 CRA timeline: 2026 is about reporting
The CRA entered into force in December 2024 but applies in phases.
| CRA milestone | Date | What changes |
|---|---|---|
| Entry into force | 10–11 Dec 2024 | CRA is on the books; transitional period starts. |
| Reporting obligations (Article 14) apply | 11 Sep 2026 | Mandatory vulnerability & incident reporting for manufacturers. |
| Full CRA applicability | 11 Dec 2027 | All CRA obligations enforceable; non‑compliant products cannot be placed on EU market. |
2.2 Who must care about CRA?
The CRA applies to manufacturers, importers and distributors that place “products with digital elements” on the EU market. This includes:
- Software vendors that create mobile or desktop applications .
- Manufacturers or vendors of embedded devices, such as consumer IoT, toys with bluetooth connectivity, industrial control systems or sensors or network appliances. ).
- Unlike NIS2, CRA does not use size thresholds—small vendors are still in scope if their products fall under the definition.
2.3 CRA reporting from September 2026: new operational pressure
From 11 September 2026, CRA introduces strict, non‑negotiable reporting timelines once a manufacturer becomes aware of an actively exploited vulnerability or serious incident affecting their product.
| CRA reporting obligation | Timeline after awareness | Scope |
|---|---|---|
| Early warning to ENISA & national CSIRT | Within 24 hours | Actively exploited vulnerability or severe incident affecting product security. |
| Detailed notification | Within 72 hours | Technical details, affected products, mitigation measures, impact assessment. |
| Final report – vulnerabilities | Within 14 days after fix/mitigation | Root cause, remediation, deployed updates, lessons learned. |
| Final report – severe incidents | Within 1 month after resolution | Broader impact analysis and improvements. |
Importantly, this obligation covers all in‑market products, including legacy solutions. There is no “grandfathering” of older software or devices.
2.4 CRA: security by design, SBOMs and documentation
Beyond reporting, CRA pushes three major long‑term shifts in how products are built and maintained:
- Security by design & by default across the full product lifecycle (from design through updates and end‑of‑life).
- Vulnerability handling process: proactive discovery, timely fixes, secure updates, and clear communication to users.
- Technical documentation: including risk assessments, update policies, and often a Software Bill of Materials (SBOM) to support transparency and vulnerability management.
For many Belgian software and hardware vendors, CRA is the first regulation that explicitly connects engineering practices, product management, and legal compliance.
3. NIS2 vs CRA: complementary, not competing
NIS2 and CRA are often mentioned in the same breath. They are indeed part of the same EU strategy but solve different problems.
| Aspect | NIS2 (Belgium) | Cyber Resilience Act (CRA) |
|---|---|---|
| Primary focus | Organizational cybersecurity & service continuity. | Security of products with digital elements. |
| Main addressees | Operators of essential and important services (entities). | Manufacturers, importers, distributors of digital products. |
| Scope logic | Sector + size thresholds; some exceptions for critical players. | Product classification (criticality, use, connectivity). |
| Key 2026 trigger | 18 Apr 2026: CyFun/ISO verification deadline. | 11 Jun 2026 + 11 Sep 2026: CAB notification & reporting duties. |
| Reporting destination | National CCB (Safeonweb@Work). | ENISA + national CSIRTs. |
| Typical Belgian examples | Hospitals, utilities, banks, public administrations, large logistics hubs, cloud-providers. | Software vendors, IoT manufacturers, industrial equipment makers, connected consumer products. |
For many mid‑sized Belgian tech companies, both will apply. Example:
- A SaaS vendor operating a cloud platform that processes data from products with digital elements may be in scope under NIS2 (digital provider + supply chain) and CRA (product with digital elements).
In that case, NIS2 shapes how you secure your organization, while CRA shapes how you design, maintain and support your product.
4. Other 2026 regulations in the background
While NIS2 and CRA take center stage for most Belgian organizations, three other regulations deserve a place on your 2026 radar.
4.1 DORA – for financial services and their ICT suppliers
The Digital Operational Resilience Act (DORA) has applied since 17 January 2025 and sets uniform rules for ICT risk management, incident reporting, resilience testing and third‑party risk in financial services.
- Scope includes banks, insurers, payment institutions, investment firms, funds and critical ICT third‑party providers.
- Belgian entities are supervised mainly by the NBB and FSMA.
- DORA penalties in several EU countries go up to the higher of €5–10 million or a percentage of turnover; Belgium sits mid‑pack with significant, but proportionate, fines.
For Belgian FinTech’s and ICT providers with financial clients, DORA and NIS2 will increasingly be discussed in the same RFPs and audits.
4.2 AI Act – 2026 is go‑live for high‑risk AI
The AI Act entered into force in 2024; most obligations for high‑risk AI systems (e.g. credit scoring, certain HR tools, remote biometric identification) will apply from August 2026.
- High‑risk systems must meet requirements on risk management, data governance, transparency, human oversight, and robustness.
- Fines can reach up to €35 million or 7% of global turnover for prohibited practices.
- For Belgian organizations, the DPA and sector regulators are expected to share enforcement, but the exact institutional set‑up is still emerging.
4.3 GDPR – faster procedures, focused actions
GDPR itself doesn’t change in 2026, but enforcement dynamics do:
- A new GDPR Procedural Regulation streamlines cross‑border enforcement with indicative 15‑month resolution timelines (extendable for complex cases).
- The 2026 coordinated enforcement action at EU level focuses on transparency obligations (Articles 12–14), which will impact how Belgian organizations draft notices and communicate with data subjects.
In practice, this means GDPR investigations should become faster and more predictable—while still potentially costly.
4.4 CER-Law
On 18 December 2025, Belgium adopted the CER Law, implementing the European CER Directive to strengthen the resilience of critical entities and essential services. The law establishes a harmonized framework to protect against natural, accidental, and intentional threats. It requires
- risk assessments at both sectoral and entity level;
- identification of critical entities and infrastructure;
- resilience planning;
- and information-sharing procedures.
The National Crisis Center coordinates its implementation. The NIS2 Directive stipulates that all critical entities falling under the CER Directive are automatically designated as essential entities under NIS2. This means that if you are currently classified as an important entity under NIS2, you could still become an essential entity if you meet the criteria of the CER framework.
However, CER excludes obligations that are already covered under NIS2 and does not apply to the digital infrastructure or the financial sector.
It is expected that the list of companies which need to comply with the CER law will be drawn up by July 2026.
5. How Belgian organizations can move from “reaction” to “strategy”
Given the overlapping timelines, the key is to avoid treating each regulation as a separate project. The most effective Belgian organizations are doing three things:
- Scope once, use many times
Map your business against NIS2, CRA, DORA, AI Act and GDPR in a single exercise. Identify which entities, products and processes sit at the intersection (e.g. a SaaS product used by a bank and classified as high‑risk AI). - Build on a strong backbone (CyFun & ISO 27001)
Use CyberFundamentals and/or ISO 27001 as your common governance backbone. Both align closely with NIS2, support DORA and CRA preparation, and give you a consistent way to show your board and regulators that you’re in control. But if you are working in an international context, the ISO-route is certainly preferrable. - Integrate product security early
For CRA‑relevant companies, assess your development practices using OWASP SAMM and build a roadmap towards a secure development lifecycle. This will allow you to gradually bring threat modeling, SBOMs and secure development practices into the SDLC now, not in late 2026, making CRA compliance a natural outcome of your engineering processes rather than a bolt‑on. - Use available support
In Flanders, VLAIO subsidies—and specific programs developed with partners like Toreon—can cover a significant portion of the cost of your NIS2‑driven security improvement trajectory. Sectoral initiatives like the CYSSDE EU pentesting program further help critical entities strengthen their posture at reduced cost.
If you’re unsure whether NIS2, CRA—or both—apply to your organization, the worst option in 2026 is to wait. Determining your scope, mapping your gaps and building a realistic roadmap now will cost far less than rushing to catch up under regulatory pressure later. Toreon is a selected partner of VLAIO to support these trajectories and has already accumulated over 100 projects subsidized by VLAIO.
Learn more about the VLAIO-subidies
Get in touch with our experts for a no-obligation advisory conversation.
Upcoming Events/Webinars
Connect-IT
You can find us at Connect-IT in May. Our HR team will help you explore new career opportunities and show you what working at Toreon is like.
