The draft law establishing a framework for the cybersecurity of networks and information systems of general interest for public security was approved in the Parliament’s Commission on Interior Affairs on 27 March 2024 (House of Representatives)

The law transposes the European Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December on measures for a high common level of cybersecurity across the Union (hereinafter referred to as the “NIS2 Directive”) into Belgian law.

The NIS2 Directive replaces Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (hereinafter, the “NIS1 Directive”). The NIS2 directive must be transposed in Belgium by 17 October 2024 at the latest.

NIS2 in brief

The NIS2 Directive aims to strengthen cyber resilience at European level by focusing on the following key objectives:

1. Expansion of the number of critical activities and entities falling within the scope of the directive through the use of definitions and a size cap criterion (without the need for national identification - with certain exceptions);
2. Reinforce the cybersecurity risk management measures that entities must take and the reporting of incidents (with two categories of essential or important entities);
3. Encourage the sharing of information on cyber security incidents and risks between entities and the national CSIRT;
4. Strengthening compliance monitoring and sanctions ;
5. Ensure European and national cooperation.

In view of the many amendments required, the bill aims to fully replace the provisions of the Law of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security, which transposed the NIS1 Directive in Belgium.

The NIS2 draft law is the result of many months of consultations with private (business associations and federations) and public stakeholders (federal and federated administrations), coordinated by the Prime Minister's Office and the Centre for Cybersecurity Belgium. It was also the subject of a public consultation in December 2023.

The draft is part of the Cybersecurity strategy 2.0 adopted by the National Security Council (NSC) in 2021. This strategy sets out the national approach in this area and the objectives for protecting vital organisations against all cyber threats. Its ambition is to make Belgium one of the least vulnerable countries in Europe.

Next steps

The next stage will be to vote on the law in plenary session around 18 April 2024 and publish it in the Belgian Official Journal.

Afterwards, an implementing Royal Decree will have to be adopted to formally designate certain authorities and specify certain practical procedures relating to the supervision of entities.