The law of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of general interest for public security (the "NIS2 law") transposes EU directive 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the "NIS2 directive") into Belgian law and shall enter into force on October 18th this year.

The NIS2 law is an important step towards making Belgium one of the least cyber-vulnerable countries in the world. To do so, it creates several obligations for entities falling under its scope, of which the obligation to adopt cybersecurity risk-management measures is one.

These are technical, operational or organisational measures that allow the concerned entity to manage the risks relating to the security of their network and information systems, and to prevent or minimise the impact of cyberincidents. The measure shall be adopted by taking into account the state-of-the-art, existing norms, and their costs.

For each entity, the to-be-taken cybersecurity risk-management measures must be appropriate and proportionate to the risks faced, the degree of the entity’s exposure to risks, its size, the likelihood of incidents and their severity. 

The NIS2 law lists 11 points that the measures shall at least include. Those elements can be seen in the image attached to this article.

The Centre for Cybersecurity Belgium created a framework called the “CyberFundamentals” (CyFun^®), which covers each of these points. The framework is notably meant for organisation falling under the scope of NIS2. Using it, they can conform themselves to the obligation of taking appropriate and proportionate cybersecurity risk-management measures. The CyFun^® framework is a set of concrete measures to protect data, significantly reduce the risk of the most common cyber-attacks, and increase an organisation's cyber-resilience. To know more about the CyberFundamentals framework, please visit the corresponding page on our website.

To find out what NIS2 is, whether it applies to you and what your obligations are under this new legal framework, please have a look at our explanatory web page. For even more detailed information on the law, please visit our page dedicated to NIS2 on Safeonweb@Work.

This article is part of a series of articles published on the transposition of the NIS2 Directive in Belgium. The other articles can be accessed here.