On April 2024, the federal Parliament adopted the law establishing a framework for the cybersecurity of networks and information systems of general interest for public security (the "NIS2 law"). It transposes EU directive 2022/2555of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union(the "NIS2 directive") into Belgian law and shall enter into force on October 18th this year.

The visual accompanying this news article is a simplified version of the two criteria that shall in principle be applied to understand if an organisation falls into the scope of the NIS2 law (there are some exceptions, more information about the exceptions).

To be covered by the NIS2 law, an organisation shall, in principle:

1. Provide in the European Union a service listed in Annexes I and II to the NIS2 Act; and
2. exceed the size thresholds set out in European Commission Recommendation 2003/361/EC, i.e. have at least 50 full-time employees (FTEs) or an annual turnover and/or annual balance sheet total exceeding €10 million (see European Commission guide).