The NIS2 law
Supervision and Sanctions
When we talk about supervision under the law, we need to distinguish between two categories of entities: essential entities and important entities.
Essential entities must undergo a regular compliance assessment. The entity chooses one of three ways to have this assessment carried out:
- a CyberFundamentals (CyFun®) certification, granted by a conformity assessment body approved by the CCB (after accreditation by BELAC);
- an ISO/IEC 27001 certification, granted by an accredited conformity assessment body (CAB). The accreditation must come from an accreditation body that has signed the multilateral agreement (MLA) covering ISO/IEC 27001 under the European co-operation for Accreditation (EA) or the International Accreditation Forum (IAF);
- or an inspection by the CCB inspection service (or by a sectoral inspection service).
The inspection service can also inspect essential entities at any time, both in the absence of an incident (ex ante) and after an incident (ex post).
Important entities are inspected ex post only, i.e. after an incident or on the basis of evidence, indications or information that an important entity is not fulfilling its obligations (Article 48 of the NIS2 Act). These entities may, however, voluntarily submit to the same regime as essential entities.
Inspectors may conduct on-site visits, draw up official records of their findings and write reports. On the basis of these findings, a procedure may be initiated to order the entity to put an end to the violation and, if necessary, to impose appropriate administrative measures, ranging from warnings to administrative fines.
The fines and administrative measures are listed in Articles 58, 59 and 60 of the Law.
In principle, supervision is carried out by the inspection service of the national cybersecurity authority. However, sectoral authorities may inspect the entities in their sector with regard to any additional cybersecurity measures they impose. The law also provides for joint inspections, and even for the delegation of inspections to a sectoral authority, in order to simplify supervision and make efficient use of government resources.