{ "metadata": { "title": "NIS2 Belgium Scope Assessment — Master Decision Tree", "version": "1.0.0", "date": "2026-03-05", "sources": [ "Belgian NIS2 Law (26 April 2024)", "CCB FAQ v2.1.2", "CCB Scope Assessment Tool v1.0.4", "Entity Definition Matrix v1.0.2", "NIS2 Ultimate Scope Reference (95 slides)", "EU Implementing Regulation 2024/2690", "EU NIS2 Amendment Proposal COM(2026) 13 (PROPOSED — not in force)" ], "flow_stages": [ "S1: Jurisdiction", "S2: Exclusions", "S3: Sector & Entity Type", "S4: Special Scope Rules", "S5: Size Assessment", "S6: Classification", "S7: DORA / Lex Specialis", "S8: Result" ] }, "start_node": "j_010", "nodes": { "j_010": { "id": "j_010", "stage": "S1_JURISDICTION", "type": "question", "text": "Does your entity have a connection to Belgium?", "help": "NIS2 applies based on establishment or service provision in Belgium. Select the option that best describes your entity's relationship to Belgium.", "legal_ref": "Art. 4", "options": [ { "id": "j_010_a", "label": "Established in Belgium and provides services/activities within the EU", "description": "The entity has a legal establishment (registered office, branch, etc.) in Belgium.", "legal_ref": "Art. 4 §1", "next": "x_010" }, { "id": "j_010_b", "label": "Telecom provider providing services IN Belgium (regardless of establishment)", "description": "Provider of public electronic communications networks or publicly available electronic communications services, providing these services in Belgium.", "legal_ref": "Art. 4 §2, 1°", "next": "x_010" }, { "id": "j_010_c", "label": "Digital infrastructure/platform provider with principal establishment in Belgium", "description": "DNS, TLD registry, domain name registration, cloud, data centre, CDN, managed services, managed security services, online marketplace, search engine, or social networking platform — with principal establishment in Belgium (cybersecurity decisions taken in BE, or cyber operations in BE, or largest number of employees in BE).", "legal_ref": "Art. 4 §2, 2° and §4", "next": "x_010" }, { "id": "j_010_d", "label": "Non-EU entity with EU representative established in Belgium", "description": "Entity not established in the EU but providing digital infrastructure/platform services in the EU, with a designated representative in Belgium.", "legal_ref": "Art. 4 §3 and §5", "next": "x_010" }, { "id": "j_010_e", "label": "None of the above", "next": "r_out_jurisdiction" } ] }, "r_out_jurisdiction": { "id": "r_out_jurisdiction", "stage": "RESULT", "type": "result", "scope_status": "OUT_OF_SCOPE", "title": "Not under Belgian NIS2 jurisdiction", "summary": "Your entity does not fall under Belgian NIS2 jurisdiction. It may still be subject to NIS2 in another EU Member State if it is established there or provides services there.", "classification": null, "cyfun_level": null, "obligations": [], "deadlines": [], "legal_ref": "Art. 4", "notes": [ "Check if your entity falls under NIS2 in another EU Member State based on its establishment or principal establishment." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Check other EU Member States", "description": "If your entity operates in the EU, check NIS2 obligations in the Member State(s) where you are established" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with the latest CCB publications" } ] }, "x_010": { "id": "x_010", "stage": "S2_EXCLUSIONS", "type": "question", "text": "Is your entity one of the following excluded types?", "help": "Certain entities are fully or partially excluded from NIS2 by Article 5. Select if applicable.", "legal_ref": "Art. 5 §4", "options": [ { "id": "x_010_a", "label": "Intelligence and security services", "legal_ref": "Art. 5 §4, 1°", "next": "x_020_tsp_override" }, { "id": "x_010_b", "label": "OCAM (Coordination Body for Threat Analysis)", "legal_ref": "Art. 5 §4, 2°", "next": "x_020_tsp_override" }, { "id": "x_010_c", "label": "Ministry of Defence", "legal_ref": "Art. 5 §4, 3°", "next": "x_020_tsp_override" }, { "id": "x_010_d", "label": "Police services or general inspectorate", "legal_ref": "Art. 5 §4, 4°", "next": "x_020_tsp_override" }, { "id": "x_010_e", "label": "Judicial authorities (including public ministry)", "legal_ref": "Art. 5 §4, 5°", "next": "x_020_tsp_override" }, { "id": "x_010_f", "label": "SPF Justice (only when managing databases for judicial authorities)", "legal_ref": "Art. 5 §4, 6°", "next": "x_020_tsp_override" }, { "id": "x_010_g", "label": "Belgian diplomatic/consular missions in non-EU countries", "legal_ref": "Art. 5 §4, 7°", "next": "x_020_tsp_override" }, { "id": "x_010_h", "label": "Class I nuclear establishment", "legal_ref": "Art. 5 §4, 8°", "next": "x_030_nuclear" }, { "id": "x_010_i", "label": "NCCN (National Crisis Centre)", "legal_ref": "Art. 5 §5, 1°", "next": "x_020_nccn_tsp" }, { "id": "x_010_j", "label": "National cybersecurity authority (CCB, Art. 16)", "legal_ref": "Art. 5 §5, 2°", "next": "x_020_ccb_tsp" }, { "id": "x_010_k", "label": "Classified information systems (approved under law of 11 December 1998)", "legal_ref": "Art. 5 §2", "next": "r_out_classified" }, { "id": "x_010_z", "label": "None of the above — my entity is not excluded", "next": "s_010" } ] }, "x_020_tsp_override": { "id": "x_020_tsp_override", "stage": "S2_EXCLUSIONS", "type": "question", "text": "Does this excluded entity also act as a trust service provider?", "help": "Art. 5 §6: The exclusions in §4 and §5 do NOT apply when the excluded entity acts as a trust service provider. Trust services include electronic signatures, seals, timestamps, registered delivery, website authentication certificates.", "legal_ref": "Art. 5 §6", "options": [ { "id": "x_020_a", "label": "Yes — the entity acts as a trust service provider", "next": "s_010", "note": "Exclusion overridden. The entity is treated as in scope for its trust service provider activities." }, { "id": "x_020_b", "label": "No", "next": "r_out_excluded" } ] }, "x_030_nuclear": { "id": "x_030_nuclear", "stage": "S2_EXCLUSIONS", "type": "question", "text": "Does the nuclear installation include elements intended for industrial electricity production that serve the transport of electricity?", "help": "Class I nuclear establishments are excluded, BUT elements serving electricity transport remain in scope. Also, if the entity acts as a trust service provider, the exclusion is overridden entirely.", "legal_ref": "Art. 5 §4, al. 2", "options": [ { "id": "x_030_a", "label": "Yes — the installation has electricity transport elements", "next": "s_010", "note": "Only the electricity transport elements are in NIS2 scope. The rest of the nuclear installation remains excluded." }, { "id": "x_030_b", "label": "No, AND the entity does NOT act as a trust service provider", "next": "r_out_excluded" }, { "id": "x_030_c", "label": "No, BUT the entity acts as a trust service provider", "next": "s_010", "note": "Nuclear exclusion overridden for trust service activities (Art. 5 §6)." } ] }, "r_out_excluded": { "id": "r_out_excluded", "stage": "RESULT", "type": "result", "scope_status": "OUT_OF_SCOPE", "title": "Excluded from NIS2", "summary": "Your entity is excluded from the Belgian NIS2 law under Art. 5 §4. However, Art. 8 (definitions), Art. 38 (voluntary notifications), and Title 2 (governance framework) may still apply.", "classification": null, "cyfun_level": null, "obligations": [ "Art. 8, 38, and Title 2 remain applicable", "Voluntary incident/threat notifications are possible via Art. 38" ], "deadlines": [], "legal_ref": "Art. 5 §4", "notes": [], "proposed_2026_changes": null }, "r_out_classified": { "id": "r_out_classified", "stage": "RESULT", "type": "result", "scope_status": "OUT_OF_SCOPE", "title": "Classified information systems excluded", "summary": "Communication and information systems approved for using classified information in electronic form under the law of 11 December 1998 are excluded from NIS2. Note: this applies only to those specific systems, not to the entire entity.", "classification": null, "cyfun_level": null, "obligations": [], "deadlines": [], "legal_ref": "Art. 5 §2", "notes": [ "The entity itself may still be in scope for its non-classified systems. Re-run the assessment for the entity's other systems if applicable." ], "proposed_2026_changes": null }, "r_partial_nccn": { "id": "r_partial_nccn", "stage": "RESULT", "type": "result", "scope_status": "PARTIAL_EXCLUSION", "title": "NCCN — Partial exclusion", "summary": "The NCCN is subject to Titles 1 and 2 of the NIS2 law, but Titles 3 (risk management + incident notification), 4 (supervision), and 5 (sanctions) do NOT apply.", "classification": null, "cyfun_level": null, "obligations": [ "Titles 1 and 2 apply (definitions, governance framework)" ], "deadlines": [], "legal_ref": "Art. 5 §5, 1°", "notes": [ "If the NCCN acts as a trust service provider, the partial exclusion is overridden (Art. 5 §6) and full NIS2 obligations apply." ], "proposed_2026_changes": null, "conformity_paths": [ { "id": "not_applicable", "name": "Conformity assessment not applicable", "description": "This entity is partially excluded from NIS2 (Titles 3-5 do not apply). No NIS2 conformity assessment obligation.", "note": "Only Titles 1 and 2 (definitions and governance framework) apply." } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — Titles 1 and 2 applicable", "status": "past" } ], "conformity_mandatory": false }, "r_partial_ccb": { "id": "r_partial_ccb", "stage": "RESULT", "type": "result", "scope_status": "PARTIAL_EXCLUSION", "title": "National cybersecurity authority — Partial exclusion", "summary": "The national cybersecurity authority (CCB) is subject to Titles 1 and 2, but Titles 3, 4, and 5 do NOT apply.", "classification": null, "cyfun_level": null, "obligations": [ "Titles 1 and 2 apply (definitions, governance framework)" ], "deadlines": [], "legal_ref": "Art. 5 §5, 2°", "notes": [ "If the CCB acts as a trust service provider, the partial exclusion is overridden (Art. 5 §6)." ], "proposed_2026_changes": null, "conformity_paths": [ { "id": "not_applicable", "name": "Conformity assessment not applicable", "description": "This entity is partially excluded from NIS2 (Titles 3-5 do not apply). No NIS2 conformity assessment obligation.", "note": "Only Titles 1 and 2 (definitions and governance framework) apply." } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — Titles 1 and 2 applicable", "status": "past" } ], "conformity_mandatory": false }, "s_010": { "id": "s_010", "stage": "S3_SECTOR", "type": "question", "text": "In which sector(s) does your entity provide services?", "help": "Select the sector(s) that best match your entity's activities. If your entity operates in multiple sectors, select all that apply — the strictest classification will prevail (Art. 10; FAQ 1.10). If unsure, consult the sector definitions below.", "legal_ref": "Annexes I & II", "options": [ { "id": "s_I_01", "label": "Energy", "annex": "I", "number": 1, "next": "s_020_energy" }, { "id": "s_I_02", "label": "Transport", "annex": "I", "number": 2, "next": "s_020_transport" }, { "id": "s_I_03", "label": "Banking", "annex": "I", "number": 3, "next": "s_020_banking" }, { "id": "s_I_04", "label": "Financial market infrastructure", "annex": "I", "number": 4, "next": "s_020_fmi" }, { "id": "s_I_05", "label": "Health", "annex": "I", "number": 5, "next": "s_020_health" }, { "id": "s_I_06", "label": "Drinking water", "annex": "I", "number": 6, "next": "s_020_drinkwater" }, { "id": "s_I_07", "label": "Waste water", "annex": "I", "number": 7, "next": "s_020_wastewater" }, { "id": "s_I_08", "label": "Digital infrastructure", "annex": "I", "number": 8, "next": "s_020_digital_infra" }, { "id": "s_I_09", "label": "ICT service management (B2B)", "annex": "I", "number": 9, "next": "s_020_ict" }, { "id": "s_I_10", "label": "Public administration", "annex": "I", "number": 10, "next": "s_020_pubadmin" }, { "id": "s_I_11", "label": "Space", "annex": "I", "number": 11, "next": "s_020_space" }, { "id": "s_II_01", "label": "Postal and courier services", "annex": "II", "number": 1, "next": "e_010" }, { "id": "s_II_02", "label": "Waste management", "annex": "II", "number": 2, "next": "e_010", "description": "Waste management must be the main economic activity of the entity. Entities that generate waste as a by-product of other activities are NOT waste management entities." }, { "id": "s_II_03", "label": "Chemicals (manufacture, production, distribution)", "annex": "II", "number": 3, "next": "e_010" }, { "id": "s_II_04", "label": "Food (production, processing, distribution)", "annex": "II", "number": 4, "next": "e_010", "description": "Covers wholesale distribution and industrial production/processing only. Retail food businesses (restaurants, shops) are generally NOT in scope." }, { "id": "s_II_05", "label": "Manufacturing", "annex": "II", "number": 5, "next": "s_020_manufacturing" }, { "id": "s_II_06", "label": "Digital providers (marketplace, search engine, social network)", "annex": "II", "number": 6, "next": "s_020_digiproviders" }, { "id": "s_II_07", "label": "Research organisations", "annex": "II", "number": 7, "next": "e_010", "description": "Only research organisations whose primary purpose includes commercial exploitation of research results. Purely academic institutions without commercial activity are generally out of scope." }, { "id": "s_none", "label": "None of the above — my entity's activities are not listed", "annex": null, "next": "s_030_none" } ] }, "s_030_none": { "id": "s_030_none", "stage": "S3_SECTOR", "type": "question", "text": "Has your entity been specifically identified or designated?", "help": "Even if your entity is not in an Annex sector, it may still be in scope if identified by the CCB or designated by Royal Decree.", "legal_ref": "Art. 11 §1, §5", "options": [ { "id": "s_030_a", "label": "Yes — identified as essential or important by the CCB (Art. 11)", "next": "r_identified_by_ccb" }, { "id": "s_030_b", "label": "Yes — designated by Royal Decree (Art. 11 §5)", "next": "r_designated_royal_decree" }, { "id": "s_030_c", "label": "No", "next": "r_out_no_sector" } ] }, "r_out_no_sector": { "id": "r_out_no_sector", "stage": "RESULT", "type": "result", "scope_status": "OUT_OF_SCOPE", "title": "Not in an NIS2 sector", "summary": "Your entity's activities do not fall within any sector listed in Annex I or II, and you have not been specifically identified or designated. You are currently out of NIS2 scope.", "classification": null, "cyfun_level": null, "obligations": [], "deadlines": [], "legal_ref": "Art. 3 §1", "notes": [ "The King may add new sectors/sub-sectors by Royal Decree (Art. 3 §6). Monitor regulatory developments.", "You may still be subject to NIS2 supply chain requirements as a supplier to an in-scope entity.", "Voluntary registration and CyFun adoption are possible." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Consider voluntary CyFun Basic", "url": "https://ccb.belgium.be/en/cyberfundamentals-framework", "description": "Adopt CyFun Basic level voluntarily to strengthen your cybersecurity posture" }, { "step": "Monitor regulatory developments", "url": "https://ccb.belgium.be/en/nis-2", "description": "The King may add new sectors by Royal Decree (Art. 3 §6)" } ] }, "r_identified_by_ccb": { "id": "r_identified_by_ccb", "stage": "RESULT", "type": "result", "scope_status": "IN_SCOPE", "title": "Identified by CCB", "summary": "Your entity has been identified as essential or important by the national cybersecurity authority under Art. 11. Your classification (essential or important) is as stated in the CCB's identification decision.", "classification": "AS_PER_CCB_DECISION", "cyfun_level": "AS_PER_CLASSIFICATION", "obligations": [ "Registration on Safeonweb@Work", "11 risk management measures (Art. 30)", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Conformity assessment per classification level" ], "deadlines": [ "Registration: within applicable deadline from identification", "Conformity: per standard milestones (18 Apr 2026, 18 Apr 2027)" ], "legal_ref": "Art. 11 §1; Art. 9, 6° or Art. 10, 2°", "notes": [ "CCB reviews identification every 2 years (Art. 11 §4).", "Identification is regardless of size." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Mandatory registration for all NIS2 entities" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for audit scheduling (essential entities must be certified by April 2027)" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "Depends on classification (ESSENTIAL: 140 controls, IMPORTANT: 117 controls, BASIC: 34 controls)", "assessment_type": "Essential: Certification (ISO 17021-1) / Important: Verification (ISO 17029)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — Conformity path depends on classification (Essential: mandatory, Important: voluntary)", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — Essential entities must hold certification", "status": "future" } ], "conformity_mandatory": null }, "r_designated_royal_decree": { "id": "r_designated_royal_decree", "stage": "RESULT", "type": "result", "scope_status": "IN_SCOPE", "title": "Designated by Royal Decree", "summary": "Your entity has been designated as essential or important by Royal Decree under Art. 11 §5, even though it is not part of the sectors listed in Annexes I/II.", "classification": "AS_PER_ROYAL_DECREE", "cyfun_level": "AS_PER_CLASSIFICATION", "obligations": [ "Registration on Safeonweb@Work", "11 risk management measures (Art. 30)", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Conformity assessment per classification level" ], "deadlines": [ "Per Royal Decree specifications" ], "legal_ref": "Art. 11 §5", "notes": [], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Mandatory registration for all NIS2 entities" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for audit scheduling (essential entities must be certified by April 2027)" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "Depends on classification (ESSENTIAL: 140 controls, IMPORTANT: 117 controls, BASIC: 34 controls)", "assessment_type": "Essential: Certification (ISO 17021-1) / Important: Verification (ISO 17029)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — Conformity path depends on classification (Essential: mandatory, Important: voluntary)", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — Essential entities must hold certification", "status": "future" } ], "conformity_mandatory": null }, "s_020_energy": { "id": "s_020_energy", "stage": "S3_SECTOR", "type": "question", "text": "Which energy sub-sector?", "legal_ref": "Annex I, sector 1", "options": [ { "id": "s_e_elec", "label": "Electricity", "next": "s_020_electricity" }, { "id": "s_e_heat", "label": "District heating and cooling", "next": "e_010" }, { "id": "s_e_oil", "label": "Oil (petroleum)", "next": "e_010" }, { "id": "s_e_gas", "label": "Gas", "next": "e_010" }, { "id": "s_e_hydro", "label": "Hydrogen", "next": "e_010" } ] }, "s_020_electricity": { "id": "s_020_electricity", "stage": "S3_SECTOR", "type": "question", "text": "Which electricity entity type?", "legal_ref": "Annex I, sector 1(a)", "options": [ { "id": "et_elec_supply", "label": "Electricity undertaking (supply function)", "entity_type": "electricity_supply", "next": "e_010" }, { "id": "et_elec_dso", "label": "Distribution system operator", "entity_type": "electricity_dso", "next": "e_010" }, { "id": "et_elec_tso", "label": "Transmission system operator", "entity_type": "electricity_tso", "next": "e_010" }, { "id": "et_elec_prod", "label": "Producer / generator (including solar, wind)", "entity_type": "electricity_producer", "next": "e_010_producer" }, { "id": "et_elec_nemo", "label": "Nominated electricity market operator (NEMO)", "entity_type": "electricity_nemo", "next": "e_010" }, { "id": "et_elec_aggreg", "label": "Market participant (aggregation, demand response, energy storage)", "entity_type": "electricity_aggregation", "next": "e_010" }, { "id": "et_elec_charge", "label": "Operator of a recharging point", "entity_type": "electricity_charging", "next": "e_010" } ] }, "e_010_producer": { "id": "e_010_producer", "stage": "S3_SECTOR", "type": "question", "text": "Is the electricity production facility connected to the electrical grid?", "help": "Solar panels, wind turbines, and other generation facilities are in scope only if connected to the grid, even if no electricity is actually injected. Off-grid installations are not in scope.", "legal_ref": "FAQ 1.22.1.1, 1.22.1.2", "options": [ { "id": "e_010_prod_a", "label": "Yes — connected to the grid (even if all electricity is self-consumed)", "next": "e_010", "note": "In scope if at least medium-sized. Note: less strict supervision (CyFun Basic) may be appropriate for self-consumption producers." }, { "id": "e_010_prod_b", "label": "No — completely off-grid", "next": "r_out_offgrid" } ], "proposed_2026_changes": "PROPOSED 2026: COM(2026) 13 would exclude electricity producers with total generation capacity <= 1 MW.", "edge_case": "Only the entity that owns/operates the production installation is considered an electricity producer. If you lease a building with solar panels you don't operate, you are NOT the electricity producer." }, "r_out_offgrid": { "id": "r_out_offgrid", "stage": "RESULT", "type": "result", "scope_status": "OUT_OF_SCOPE", "title": "Off-grid electricity producer — out of scope", "summary": "Electricity generation facilities that are not connected to the grid are not in scope of NIS2, as the risk addressed is impact on the electricity grid.", "classification": null, "cyfun_level": null, "obligations": [], "deadlines": [], "legal_ref": "FAQ 1.22.1.2 B", "notes": [], "proposed_2026_changes": null }, "s_020_transport": { "id": "s_020_transport", "stage": "S3_SECTOR", "type": "question", "text": "Which transport sub-sector?", "legal_ref": "Annex I, sector 2", "options": [ { "id": "s_t_air", "label": "Air transport", "next": "e_010" }, { "id": "s_t_rail", "label": "Rail transport", "next": "e_010" }, { "id": "s_t_water", "label": "Water transport", "next": "e_010" }, { "id": "s_t_road", "label": "Road transport", "next": "e_010" } ] }, "s_020_banking": { "id": "s_020_banking", "stage": "S3_SECTOR", "type": "info", "text": "Banking sector — Credit institutions", "help": "Credit institutions as defined in Regulation (EU) No 575/2013. Note: if subject to DORA, Titles 3-5 of NIS2 are excluded.", "legal_ref": "Annex I, sector 3", "entity_type_flags": { "annex": "I", "dora_eligible": true }, "next": "e_010" }, "s_020_fmi": { "id": "s_020_fmi", "stage": "S3_SECTOR", "type": "info", "text": "Financial market infrastructure — Trading venues and/or central counterparties", "help": "Operators of trading venues and/or central counterparties. Note: if subject to DORA, Titles 3-5 of NIS2 are excluded.", "legal_ref": "Annex I, sector 4", "entity_type_flags": { "annex": "I", "dora_eligible": true }, "next": "e_010" }, "s_020_health": { "id": "s_020_health", "stage": "S3_SECTOR", "type": "question", "text": "Which health entity type?", "legal_ref": "Annex I, sector 5", "options": [ { "id": "et_health_hcp", "label": "Healthcare provider (hospitals, clinics, nursing homes, psychiatric care, etc.)", "next": "e_010" }, { "id": "et_health_lab", "label": "EU reference laboratory", "next": "e_010" }, { "id": "et_health_pharma", "label": "R&D or manufacturing of pharmaceutical products (NACE C21)", "next": "e_010" }, { "id": "et_health_device", "label": "Manufacturing of medical devices considered critical during a public health emergency", "next": "e_010" } ] }, "s_020_drinkwater": { "id": "s_020_drinkwater", "stage": "S3_SECTOR", "type": "info", "text": "Drinking water — Suppliers and distributors of water for human consumption", "help": "Excludes distributors for whom distribution is a non-essential part of their general activity of distributing other commodities and goods.", "legal_ref": "Annex I, sector 6; Directive (EU) 2020/2184", "edge_case": "If water distribution is only a non-essential part of your general activity, you may be out of scope for this sector. This is a case-by-case assessment — consult an expert if in doubt.", "next": "e_010" }, "s_020_wastewater": { "id": "s_020_wastewater", "stage": "S3_SECTOR", "type": "info", "text": "Waste water — Entities collecting, disposing of, or treating urban/domestic/industrial waste water", "help": "Excludes entities for whom wastewater management is a non-essential part of their general activity.", "legal_ref": "Annex I, sector 7; Directive 91/271/EEC", "edge_case": "If wastewater management is only a non-essential part of your general activity, you may be out of scope for this sector. Consult an expert if in doubt.", "next": "e_010" }, "s_020_digital_infra": { "id": "s_020_digital_infra", "stage": "S3_SECTOR", "type": "question", "text": "Which digital infrastructure entity type?", "help": "Several entity types in this sector have special rules (in scope regardless of size, and/or automatically essential).", "legal_ref": "Annex I, sector 8", "options": [ { "id": "et_di_ixp", "label": "Internet Exchange Point (IXP)", "next": "e_010" }, { "id": "et_di_dns", "label": "DNS service provider", "next": "sp_dns" }, { "id": "et_di_tld", "label": "TLD name registry", "next": "sp_tld" }, { "id": "et_di_cloud", "label": "Cloud computing service provider", "next": "e_010" }, { "id": "et_di_dc", "label": "Data centre service provider", "next": "e_010_dc" }, { "id": "et_di_cdn", "label": "Content delivery network (CDN) provider", "next": "e_010" }, { "id": "et_di_qtsp", "label": "Qualified trust service provider", "next": "sp_qtsp" }, { "id": "et_di_nqtsp", "label": "Non-qualified trust service provider", "next": "sp_nqtsp" }, { "id": "et_di_telecom_net", "label": "Provider of public electronic communications networks", "next": "sp_telecom" }, { "id": "et_di_telecom_svc", "label": "Provider of publicly available electronic communications services", "next": "sp_telecom" }, { "id": "et_di_domreg", "label": "Domain name registration service provider", "next": "sp_domreg" } ] }, "e_010_dc": { "id": "e_010_dc", "stage": "S3_SECTOR", "type": "info", "text": "Data centre service provider", "help": "A data centre service is a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control. This does NOT include internal corporate data centres operated for the entity's own purposes.", "legal_ref": "Annex I, sector 8; NIS2 Directive Art. 6(31)", "edge_case": "Internal/corporate data centres (not providing third-party services) are NOT in scope as data centre service providers.", "next": "e_010" }, "s_020_ict": { "id": "s_020_ict", "stage": "S3_SECTOR", "type": "question", "text": "Which ICT service management entity type?", "help": "This covers B2B managed services. If your entity provides IT services only within its own corporate group, it may still qualify as a managed service provider if the recipients are separate legal entities.", "legal_ref": "Annex I, sector 9", "options": [ { "id": "et_ict_msp", "label": "Managed service provider (MSP)", "next": "e_010" }, { "id": "et_ict_mssp", "label": "Managed security service provider (MSSP)", "next": "e_010" } ], "edge_case": "Intra-group IT service providers: if providing managed IT/cloud services to other legal entities within the same group, you may qualify as an MSP even if serving only group entities (FAQ 1.16.7)." }, "s_020_pubadmin": { "id": "s_020_pubadmin", "stage": "S3_SECTOR", "type": "question", "text": "What type of public administration entity?", "help": "Public entities whose principal activity is a service in another NIS2 sector (e.g., public hospital → Health) should select that sector instead.", "legal_ref": "Annex I, sector 10; Art. 3 §3, 3°; Art. 9, 4°", "options": [ { "id": "et_pa_federal", "label": "Federal public administration entity (dependent on the Federal State)", "next": "sp_federal_admin" }, { "id": "et_pa_federated", "label": "Public administration of a Region or Community (federated entity)", "next": "sp_federated_admin" }, { "id": "et_pa_rescue", "label": "Rescue zone (zone de secours) or Brussels Fire & Emergency Medical Service", "next": "sp_rescue" }, { "id": "et_pa_local", "label": "Local public entity (municipality, province, CPAS, etc.)", "next": "sp_local_admin" } ] }, "s_020_space": { "id": "s_020_space", "stage": "S3_SECTOR", "type": "info", "text": "Space — Operators of ground-based infrastructure supporting space-based services", "help": "Covers operators of ground-based infrastructure owned, managed and operated by Member States or by private parties, that support the provision of space-based services. Does NOT include providers of public electronic communications networks.", "legal_ref": "Annex I, sector 11", "next": "e_010" }, "s_020_manufacturing": { "id": "s_020_manufacturing", "stage": "S3_SECTOR", "type": "question", "text": "Which manufacturing sub-sector?", "help": "Manufacturing means physical/chemical transformation of materials into new products. Uses NACE codes as guidance. If unsure whether your activity constitutes 'manufacturing' in the autonomous EU law sense, consult an expert.", "legal_ref": "Annex II, sector 5", "options": [ { "id": "et_mfg_med", "label": "Medical devices and in vitro diagnostic medical devices (NACE C26.60)", "next": "e_010" }, { "id": "et_mfg_comp", "label": "Computer, electronic and optical products (NACE C26)", "next": "e_010" }, { "id": "et_mfg_elec", "label": "Electrical equipment (NACE C27)", "next": "e_010" }, { "id": "et_mfg_mach", "label": "Machinery and equipment n.e.c. (NACE C28)", "next": "e_010" }, { "id": "et_mfg_motor", "label": "Motor vehicles, trailers and semi-trailers (NACE C29)", "next": "e_010" }, { "id": "et_mfg_other", "label": "Other transport equipment (NACE C30)", "next": "e_010" } ], "edge_case": "NACE codes are guidance only, not definitive. 'Manufacturing' is an autonomous EU law concept (physical/chemical transformation). Consult an expert for borderline cases (AMB-8)." }, "s_020_digiproviders": { "id": "s_020_digiproviders", "stage": "S3_SECTOR", "type": "question", "text": "Which digital provider type?", "legal_ref": "Annex II, sector 6", "options": [ { "id": "et_dp_market", "label": "Online marketplace provider", "next": "e_010" }, { "id": "et_dp_search", "label": "Online search engine provider", "next": "e_010" }, { "id": "et_dp_social", "label": "Social networking services platform provider", "next": "e_010" } ] }, "sp_dns": { "id": "sp_dns", "stage": "S4_SPECIAL", "type": "result", "scope_status": "IN_SCOPE", "title": "DNS service provider — Essential (regardless of size)", "summary": "DNS service providers are in scope regardless of size and classified as ESSENTIAL.", "classification": "ESSENTIAL", "cyfun_level": "ESSENTIAL", "size_exempt": true, "obligations": [ "Registration on Safeonweb@Work (deadline: 18 December 2024)", "11 risk management measures (Art. 30)", "EU Implementing Regulation 2024/2690 technical requirements", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Mandatory periodic conformity assessment (Art. 39)", "CyFun Essential certification or ISO 27001 certification" ], "deadlines": [ { "date": "2024-12-18", "description": "Registration deadline" }, { "date": "2026-04-18", "description": "First conformity milestone: verification at Basic or Important level" }, { "date": "2027-04-18", "description": "Second conformity milestone: certification at Essential level" } ], "legal_ref": "Art. 3 §3, 1° c); Art. 9, 2°", "sanctions": { "max_fine": "EUR 10,000,000 or 2% worldwide annual turnover (whichever is higher)", "recidivism": "Fine doubled", "suspension_possible": true, "management_ban_possible": true }, "notes": [ "Subject to proactive (ex ante) supervision." ], "proposed_2026_changes": "PROPOSED 2026: COM(2026) 13 would apply the general size-cap rule to DNS providers (at least medium-sized required). If adopted, micro/small DNS providers would be OUT OF SCOPE.", "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Registration deadline: 18 December 2024 (digital sector entities)" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Review EU Implementing Regulation 2024/2690", "description": "Digital infrastructure entities must also comply with EU-level technical requirements" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for certification/verification" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "ESSENTIAL", "controls": 140, "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis (Royal Decree Art. 7)" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted (Loi du 26 avril 2024)", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2024-12-18", "label": "Registration deadline (digital infrastructure entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — CyFun Basic/Important verification OR ISO 27001 scope + Statement of Applicability submitted to CCB", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — CyFun Essential certification OR ISO 27001 full certification obtained by approved CAB", "status": "future" } ], "conformity_mandatory": true }, "sp_tld": { "id": "sp_tld", "stage": "S4_SPECIAL", "type": "result", "scope_status": "IN_SCOPE", "title": "TLD name registry — Essential (regardless of size)", "summary": "TLD name registries are in scope regardless of size and classified as ESSENTIAL.", "classification": "ESSENTIAL", "cyfun_level": "ESSENTIAL", "size_exempt": true, "obligations": [ "Registration on Safeonweb@Work (deadline: 18 December 2024)", "11 risk management measures (Art. 30)", "EU Implementing Regulation 2024/2690 technical requirements", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Mandatory periodic conformity assessment (Art. 39)", "CyFun Essential certification or ISO 27001 certification" ], "deadlines": [ { "date": "2024-12-18", "description": "Registration deadline" }, { "date": "2026-04-18", "description": "First conformity milestone" }, { "date": "2027-04-18", "description": "Second conformity milestone: certification at Essential level" } ], "legal_ref": "Art. 3 §3, 1° c); Art. 9, 2°", "sanctions": { "max_fine": "EUR 10,000,000 or 2% worldwide annual turnover", "recidivism": "Fine doubled", "suspension_possible": true, "management_ban_possible": true }, "notes": [], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Registration deadline: 18 December 2024 (digital sector entities)" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Review EU Implementing Regulation 2024/2690", "description": "Digital infrastructure entities must also comply with EU-level technical requirements" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for certification/verification" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "ESSENTIAL", "controls": 140, "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis (Royal Decree Art. 7)" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted (Loi du 26 avril 2024)", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2024-12-18", "label": "Registration deadline (digital infrastructure entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — CyFun Basic/Important verification OR ISO 27001 scope + Statement of Applicability submitted to CCB", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — CyFun Essential certification OR ISO 27001 full certification obtained by approved CAB", "status": "future" } ], "conformity_mandatory": true }, "sp_qtsp": { "id": "sp_qtsp", "stage": "S4_SPECIAL", "type": "result", "scope_status": "IN_SCOPE", "title": "Qualified trust service provider — Essential (regardless of size)", "summary": "Qualified trust service providers are in scope regardless of size and classified as ESSENTIAL.", "classification": "ESSENTIAL", "cyfun_level": "ESSENTIAL", "size_exempt": true, "obligations": [ "Registration on Safeonweb@Work (deadline: 18 December 2024)", "11 risk management measures (Art. 30)", "EU Implementing Regulation 2024/2690 technical requirements", "Incident notification (Art. 34-37) — 24h deadline for incident notification (not 72h)", "Management body training and accountability (Art. 31)", "Mandatory periodic conformity assessment (Art. 39)", "CyFun Essential certification or ISO 27001 certification" ], "deadlines": [ { "date": "2024-12-18", "description": "Registration deadline" }, { "date": "2026-04-18", "description": "First conformity milestone" }, { "date": "2027-04-18", "description": "Second conformity milestone" } ], "legal_ref": "Art. 3 §3, 1° b); Art. 9, 2°", "sanctions": { "max_fine": "EUR 10,000,000 or 2% worldwide annual turnover", "recidivism": "Fine doubled", "suspension_possible": true, "management_ban_possible": true }, "notes": [ "Trust service providers have a 24-hour (not 72-hour) deadline for the incident notification step." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Registration deadline: 18 December 2024 (digital sector entities)" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Review EU Implementing Regulation 2024/2690", "description": "Digital infrastructure entities must also comply with EU-level technical requirements" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for certification/verification" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "ESSENTIAL", "controls": 140, "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis (Royal Decree Art. 7)" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted (Loi du 26 avril 2024)", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2024-12-18", "label": "Registration deadline (digital infrastructure entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — CyFun Basic/Important verification OR ISO 27001 scope + Statement of Applicability submitted to CCB", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — CyFun Essential certification OR ISO 27001 full certification obtained by approved CAB", "status": "future" } ], "conformity_mandatory": true }, "sp_nqtsp": { "id": "sp_nqtsp", "stage": "S4_SPECIAL", "type": "info", "text": "Non-qualified trust service provider — In scope regardless of size", "help": "Non-qualified TSPs are in scope regardless of size (Art. 3 §3, 1° b). Classification depends on size: small/medium = Important, large = Essential (FAQ 1.21.3). Note: this classification rule comes from the FAQ, not the statute.", "legal_ref": "Art. 3 §3, 1° b); FAQ 1.21.3", "size_exempt": true, "special_classification": { "small": "IMPORTANT", "medium": "IMPORTANT", "large": "ESSENTIAL" }, "next": "sz_010" }, "sp_telecom": { "id": "sp_telecom", "stage": "S4_SPECIAL", "type": "info", "text": "Telecom provider — In scope regardless of size", "help": "Providers of public electronic communications networks/services are in scope regardless of size (Art. 3 §3, 1° a). Classification depends on size: small/micro = Important, medium or large = Essential (Art. 9, 3°; FAQ 1.21.3).", "legal_ref": "Art. 3 §3, 1° a); Art. 9, 3°; FAQ 1.21.3", "size_exempt": true, "special_classification": { "small": "IMPORTANT", "medium": "ESSENTIAL", "large": "ESSENTIAL" }, "next": "sz_010" }, "sp_domreg": { "id": "sp_domreg", "stage": "S4_SPECIAL", "type": "info", "text": "Domain name registration service provider — In scope regardless of size", "help": "Domain name registration service providers are in scope regardless of size (Art. 3 §5). Classification follows the general size-cap rules (not automatically essential). For registration obligations, they are in the early registration group.", "legal_ref": "Art. 3 §5", "size_exempt": true, "special_classification": { "small": "IMPORTANT", "medium": "IMPORTANT", "large": "ESSENTIAL" }, "notes": [ "Classification follows general Annex I rules since domain name registration falls under Digital Infrastructure (Annex I, sector 8).", "Classification of small domain registrars is not explicitly defined in the law. Art. 3 §5 places them in scope regardless of size, but Art. 9 (essential) and Art. 10 (important) don't specifically address small domain registrars. This wizard classifies them as IMPORTANT by analogy with other Annex I size-exempt entity types. Consider consulting the CCB for confirmation." ], "next": "sz_010" }, "sp_federal_admin": { "id": "sp_federal_admin", "stage": "S4_SPECIAL", "type": "result", "scope_status": "IN_SCOPE", "title": "Federal public administration — Essential (regardless of size)", "summary": "Public administration entities dependent on the Federal State are essential entities regardless of size.", "classification": "ESSENTIAL", "cyfun_level": "ESSENTIAL", "size_exempt": true, "obligations": [ "Registration on Safeonweb@Work (deadline: 18 March 2025)", "11 risk management measures (Art. 30)", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Mandatory periodic conformity assessment (Art. 39)" ], "deadlines": [ { "date": "2025-03-18", "description": "Registration deadline" }, { "date": "2026-04-18", "description": "First conformity milestone" }, { "date": "2027-04-18", "description": "Second conformity milestone" } ], "legal_ref": "Art. 3 §3, 3° a); Art. 9, 4°", "sanctions": { "max_fine": "N/A — public administration entities are exempt from fines", "administrative_measures": "Warnings, binding instructions, cease-and-desist orders (Art. 58, points 1-7)" }, "notes": [ "Public administration entities are exempt from fines (Art. 60) and from suspension/management ban measures.", "Administrative measures (Art. 58, points 1-7) DO apply.", "Partner/linked enterprise consolidation rules do NOT apply for public administration size calculation (FAQ 2.6)." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Registration deadline: 18 March 2025" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for mandatory incident reporting" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "ESSENTIAL", "controls": 140, "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis (Royal Decree Art. 7)" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted (Loi du 26 avril 2024)", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — CyFun Basic/Important verification OR ISO 27001 scope + Statement of Applicability submitted to CCB", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — CyFun Essential certification OR ISO 27001 full certification obtained by approved CAB", "status": "future" } ], "conformity_mandatory": true }, "sp_federated_admin": { "id": "sp_federated_admin", "stage": "S4_SPECIAL", "type": "question", "text": "Has this federated public administration entity been formally identified by the CCB?", "help": "Public administration entities dependent on Regions and Communities must be formally identified by the CCB (Art. 11 §2) based on a risk assessment. Without identification, they are not automatically in scope.", "legal_ref": "Art. 3 §3, 3° b); Art. 11 §2", "options": [ { "id": "sp_fed_a", "label": "Yes — identified as essential", "next": "r_federated_essential" }, { "id": "sp_fed_b", "label": "Yes — identified as important", "next": "r_federated_important" }, { "id": "sp_fed_c", "label": "No — not yet identified", "next": "r_federated_not_identified" }, { "id": "sp_fed_d", "label": "I don't know", "next": "r_federated_unknown" } ] }, "r_federated_essential": { "id": "r_federated_essential", "stage": "RESULT", "type": "result", "scope_status": "IN_SCOPE", "title": "Federated public administration — Essential", "summary": "Your entity has been identified as essential by the CCB.", "classification": "ESSENTIAL", "cyfun_level": "ESSENTIAL", "obligations": [ "Registration on Safeonweb@Work", "11 risk management measures (Art. 30)", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Mandatory periodic conformity assessment (Art. 39)" ], "deadlines": [ { "date": "2025-03-18", "description": "Registration deadline" }, { "date": "2026-04-18", "description": "First conformity milestone" }, { "date": "2027-04-18", "description": "Second conformity milestone" } ], "legal_ref": "Art. 11 §2; Art. 9, 6°", "sanctions": { "max_fine": "N/A — public administration entities are exempt from fines" }, "notes": [ "Public admin entities are exempt from fines but subject to administrative measures." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Registration deadline: 18 March 2025" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for mandatory incident reporting" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "ESSENTIAL", "controls": 140, "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis (Royal Decree Art. 7)" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted (Loi du 26 avril 2024)", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — CyFun Basic/Important verification OR ISO 27001 scope + Statement of Applicability submitted to CCB", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — CyFun Essential certification OR ISO 27001 full certification obtained by approved CAB", "status": "future" } ], "conformity_mandatory": true }, "r_federated_important": { "id": "r_federated_important", "stage": "RESULT", "type": "result", "scope_status": "IN_SCOPE", "title": "Federated public administration — Important", "summary": "Your entity has been identified as important by the CCB.", "classification": "IMPORTANT", "cyfun_level": "IMPORTANT", "obligations": [ "Registration on Safeonweb@Work", "11 risk management measures (Art. 30)", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Voluntary conformity assessment (Art. 41)" ], "deadlines": [ { "date": "2025-03-18", "description": "Registration deadline" } ], "legal_ref": "Art. 11 §2; Art. 10, 2°", "sanctions": { "max_fine": "N/A — public administration entities are exempt from fines" }, "notes": [], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Registration deadline: 18 March 2025" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for mandatory incident reporting" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "IMPORTANT", "controls": 117, "assessment_type": "Verification (ISO 17029)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level (BASIC) possible if justified by entity's risk analysis" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "Voluntary: CyFun Important verification or ISO 27001 certification (no mandatory deadline for Important entities)", "status": "upcoming" } ], "conformity_mandatory": false }, "r_federated_not_identified": { "id": "r_federated_not_identified", "stage": "RESULT", "type": "result", "scope_status": "LIKELY_OUT_OF_SCOPE", "title": "Federated public administration — Not yet identified", "summary": "Federated public administration entities are only in scope after formal identification by the CCB (Art. 11 §2). Without identification, you are currently not in scope. The CCB reviews identifications every 2 years.", "classification": null, "cyfun_level": null, "obligations": [], "deadlines": [], "legal_ref": "Art. 3 §3, 3° b); Art. 11 §2", "notes": [ "Monitor for CCB identification decisions. The CCB may identify your entity in the future.", "Voluntary NIS2 compliance and CyFun adoption are possible." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Check Safeonweb@Work", "url": "https://atwork.safeonweb.be", "description": "Verify if your entity has been identified by the CCB" }, { "step": "Consider voluntary CyFun adoption", "url": "https://ccb.belgium.be/en/cyberfundamentals-framework", "description": "Prepare proactively in case of future identification" } ] }, "r_federated_unknown": { "id": "r_federated_unknown", "stage": "RESULT", "type": "result", "scope_status": "CONSULT_EXPERT", "title": "Federated public administration — Status unknown", "summary": "Federated public administration entities (Regions, Communities) are in scope only after formal identification by the CCB (Art. 11 §2). If your entity has not been formally identified, you are currently not in scope. However, if you believe your entity provides critical services, you should proactively contact the CCB. The CCB reviews identifications every 2 years.", "classification": null, "cyfun_level": null, "obligations": [ { "category": "Recommended action", "description": "Contact the CCB at nis@ccb.belgium.be or check the Safeonweb@Work platform to verify your entity's identification status." } ], "deadlines": [], "legal_ref": "Art. 11 §2", "notes": [ "If identified, most federated entities are classified as Essential. Contact nis@ccb.belgium.be for clarification." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Check Safeonweb@Work", "description": "Log in to verify if your entity has been identified", "url": "https://atwork.safeonweb.be" }, { "step": "Contact CCB", "description": "Email nis@ccb.belgium.be to ask about your identification status" } ] }, "sp_rescue": { "id": "sp_rescue", "stage": "S4_SPECIAL", "type": "result", "scope_status": "IN_SCOPE", "title": "Rescue zone / Brussels Fire & Emergency — Important entity (regardless of size)", "summary": "Rescue zones and the Brussels Fire & Emergency Medical Service are explicitly listed in Annex I, sector 10, and are in scope regardless of size (Art. 3 §3, 3° c). Per the CCB Entity Definition Matrix, they are classified as Important entities. Art. 9 only lists federal public administration as automatically essential — rescue zones are not dependent on the Federal State.", "classification": "IMPORTANT", "cyfun_level": "IMPORTANT", "size_exempt": true, "obligations": [ "Registration on Safeonweb@Work (deadline: 18 March 2025)", "11 risk management measures (Art. 30)", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)" ], "deadlines": [ { "date": "2025-03-18", "description": "Registration deadline" }, { "date": "2026-04-18", "description": "Voluntary: CyFun Important verification (no mandatory deadline for Important entities)" } ], "legal_ref": "Art. 3 §3, 3° c); Annex I, sector 10", "sanctions": { "max_fine": "N/A — public administration entities are exempt from fines" }, "notes": [ "Rescue zones are in scope regardless of size (Art. 3 §3, 3° c) but are NOT automatically essential. Art. 9, 4° only covers 'public administration entities dependent on the Federal State' — rescue zones are autonomous provincial-level entities.", "The CCB Entity Definition Matrix (v1.0.2) confirms: Important at all sizes.", "The CCB may still identify a specific rescue zone as Essential under Art. 11 if criteria are met (sole provider of a critical service, systemic risk, etc.).", "Public administration entities are exempt from fines (Art. 60) but administrative measures still apply." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Registration deadline: 18 March 2025" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for mandatory incident reporting" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework — Important level applies", "level": "IMPORTANT", "note": "As an Important entity, the CyFun Important level (117 controls) applies. The CCB may reclassify specific rescue zones as Essential under Art. 11.", "self_assessment_url": "https://atwork.safeonweb.be" }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline", "status": "past" }, { "date": "2026-04-18", "label": "Conformity milestone — consult CCB for applicable level and path", "status": "upcoming" } ], "conformity_mandatory": null }, "sp_local_admin": { "id": "sp_local_admin", "stage": "S4_SPECIAL", "type": "question", "text": "Has this local entity been specifically identified by the CCB?", "help": "Local public entities (municipalities, provinces, CPAS, etc.) are NOT automatically in NIS2 scope due to the principle of local autonomy (Art. 162 Constitution). They can only be brought in scope through CCB identification under Art. 11 §1.", "legal_ref": "Art. 11 §1; FAQ 2.6", "options": [ { "id": "sp_loc_a", "label": "Yes — identified by the CCB", "next": "r_identified_by_ccb" }, { "id": "sp_loc_b", "label": "No", "next": "r_out_local_admin" } ] }, "r_out_local_admin": { "id": "r_out_local_admin", "stage": "RESULT", "type": "result", "scope_status": "OUT_OF_SCOPE", "title": "Local public entity — Not in NIS2 scope", "summary": "Local public entities (municipalities, provinces, CPAS) are not automatically in NIS2 scope. They can be brought in scope only through specific CCB identification (Art. 11 §1).", "classification": null, "cyfun_level": null, "obligations": [], "deadlines": [], "legal_ref": "Art. 162 Constitution; FAQ 2.6", "notes": [ "If the local entity provides a NIS2 service (e.g., drinking water distribution), it may be in scope for THAT sector rather than as public administration.", "Voluntary NIS2 compliance and CyFun adoption are recommended." ], "proposed_2026_changes": null }, "e_010": { "id": "e_010", "stage": "S4_SPECIAL", "type": "question", "text": "Is your entity identified as an operator of critical infrastructure or a critical entity?", "help": "Entities identified as operators of critical infrastructure (Law of 1 July 2011) or critical entities (CER Law of 19 December 2025) are in NIS2 scope regardless of size and classified as ESSENTIAL.", "legal_ref": "Art. 3 §4; Art. 9, 5°", "options": [ { "id": "e_010_a", "label": "Yes — identified as critical infrastructure operator (Law of 1 July 2011) or critical entity (CER Law of 19 December 2025)", "next": "r_critical_infra" }, { "id": "e_010_b", "label": "No", "next": "e_020" }, { "id": "e_010_c", "label": "I don't know", "next": "e_020", "note": "If you are unsure, proceed with the standard assessment. If you are later identified as a critical infrastructure operator, you will be classified as Essential regardless of this assessment's result." } ] }, "r_critical_infra": { "id": "r_critical_infra", "stage": "RESULT", "type": "result", "scope_status": "IN_SCOPE", "title": "Critical infrastructure operator / Critical entity — Essential", "summary": "Entities identified as operators of critical infrastructure or critical entities are in NIS2 scope regardless of size and classified as ESSENTIAL.", "classification": "ESSENTIAL", "cyfun_level": "ESSENTIAL", "size_exempt": true, "obligations": [ "Registration on Safeonweb@Work (deadline: 18 March 2025)", "11 risk management measures (Art. 30)", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Mandatory periodic conformity assessment (Art. 39)", "CyFun Essential certification or ISO 27001 certification", "CER obligations also apply (CER Law of 19 December 2025)" ], "deadlines": [ { "date": "2025-03-18", "description": "Registration deadline" }, { "date": "2026-04-18", "description": "First conformity milestone" }, { "date": "2027-04-18", "description": "Second conformity milestone" } ], "legal_ref": "Art. 3 §4; Art. 9, 5°", "sanctions": { "max_fine": "EUR 10,000,000 or 2% worldwide annual turnover", "recidivism": "Fine doubled", "suspension_possible": true, "management_ban_possible": true }, "notes": [ "This applies to ANY entity identified as critical infrastructure operator, regardless of Annex I/II sector." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Mandatory registration for all NIS2 entities" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for audit scheduling (essential entities must be certified by April 2027)" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "ESSENTIAL", "controls": 140, "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis (Royal Decree Art. 7)" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted (Loi du 26 avril 2024)", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — CyFun Basic/Important verification OR ISO 27001 scope + Statement of Applicability submitted to CCB", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — CyFun Essential certification OR ISO 27001 full certification obtained by approved CAB", "status": "future" } ], "conformity_mandatory": true }, "e_020": { "id": "e_020", "stage": "S4_SPECIAL", "type": "question", "text": "Has the CCB specifically identified your entity as essential or important (Art. 11)?", "help": "The CCB can identify any entity as essential or important, regardless of size, based on criteria such as: sole provider of a critical service, significant impact on public safety/security/health, systemic risk, or specific national/regional importance.", "legal_ref": "Art. 11 §1", "options": [ { "id": "e_020_a", "label": "Yes — identified as essential", "next": "r_ccb_essential" }, { "id": "e_020_b", "label": "Yes — identified as important", "next": "r_ccb_important" }, { "id": "e_020_c", "label": "No / Not applicable", "next": "sz_010" } ] }, "r_ccb_essential": { "id": "r_ccb_essential", "stage": "RESULT", "type": "result", "scope_status": "IN_SCOPE", "title": "CCB-identified Essential entity", "summary": "Your entity has been identified as essential by the CCB under Art. 11.", "classification": "ESSENTIAL", "cyfun_level": "ESSENTIAL", "obligations": [ "Registration on Safeonweb@Work", "11 risk management measures (Art. 30)", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Mandatory periodic conformity assessment (Art. 39)", "CyFun Essential certification or ISO 27001 certification" ], "deadlines": [ { "date": "2025-03-18", "description": "Registration deadline (or per identification timing)" }, { "date": "2026-04-18", "description": "First conformity milestone" }, { "date": "2027-04-18", "description": "Second conformity milestone" } ], "legal_ref": "Art. 9, 6°; Art. 11 §1", "sanctions": { "max_fine": "EUR 10,000,000 or 2% worldwide annual turnover", "recidivism": "Fine doubled", "suspension_possible": true, "management_ban_possible": true }, "notes": [ "CCB reviews identifications every 2 years (Art. 11 §4)." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Mandatory registration for all NIS2 entities" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for audit scheduling (essential entities must be certified by April 2027)" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "ESSENTIAL", "controls": 140, "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis (Royal Decree Art. 7)" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted (Loi du 26 avril 2024)", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — CyFun Basic/Important verification OR ISO 27001 scope + Statement of Applicability submitted to CCB", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — CyFun Essential certification OR ISO 27001 full certification obtained by approved CAB", "status": "future" } ], "conformity_mandatory": true }, "r_ccb_important": { "id": "r_ccb_important", "stage": "RESULT", "type": "result", "scope_status": "IN_SCOPE", "title": "CCB-identified Important entity", "summary": "Your entity has been identified as important by the CCB under Art. 11.", "classification": "IMPORTANT", "cyfun_level": "IMPORTANT", "obligations": [ "Registration on Safeonweb@Work", "11 risk management measures (Art. 30)", "Incident notification (Art. 34-37)", "Management body training and accountability (Art. 31)", "Voluntary conformity assessment (Art. 41)" ], "deadlines": [ { "date": "2025-03-18", "description": "Registration deadline (or per identification timing)" } ], "legal_ref": "Art. 10, 2°; Art. 11 §1", "sanctions": { "max_fine": "EUR 7,000,000 or 1.4% worldwide annual turnover", "recidivism": "Fine doubled", "suspension_possible": false, "management_ban_possible": false }, "notes": [ "CCB reviews identifications every 2 years (Art. 11 §4)." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Mandatory registration for all NIS2 entities" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for audit scheduling (essential entities must be certified by April 2027)" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "IMPORTANT", "controls": 117, "assessment_type": "Verification (ISO 17029)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level (BASIC) possible if justified by entity's risk analysis" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "Voluntary: CyFun Important verification or ISO 27001 certification (no mandatory deadline for Important entities)", "status": "upcoming" } ], "conformity_mandatory": false }, "sz_010": { "id": "sz_010", "stage": "S5_SIZE", "type": "question", "text": "What is the entity's staff headcount (in Annual Work Units / FTE)?", "help": "Count all employees, owner-managers, and temporary workers as full-time equivalents over one year. Exclude apprentices and persons on maternity/parental leave. Data must be for the ENTIRE legal entity (including activities outside the EU). If you have partner enterprises (25-50% ownership), add their data proportionally. If you have linked enterprises (>50% ownership), consolidate 100% of their data. Art. 3 §4 of Recommendation 2003/361 (linking through natural persons) does NOT apply for NIS2. Note: if your entity has crossed a size threshold, the change only takes effect after TWO consecutive accounting periods above or below the threshold.", "legal_ref": "Recommendation 2003/361/EC, Art. 5; Belgian NIS2 Law Art. 3 §1", "options": [ { "id": "sz_010_a", "label": "0 — 49 FTE", "value": "SMALL", "next": "sz_020" }, { "id": "sz_010_b", "label": "50 — 249 FTE", "value": "MEDIUM", "next": "sz_020" }, { "id": "sz_010_c", "label": "250 or more FTE", "value": "LARGE", "next": "sz_020" } ], "edge_case": "For partner or linked enterprises (EU Rec. 2003/361), you must consolidate staff headcount and financial data across all linked entities. Use the combined figures, not standalone. If an independence mechanism applies (e.g., public investment funds), consult the CCB.", "proposed_2026_changes": "PROPOSED (COM(2026) 13): A new 'small mid-cap' category would be introduced for entities with < 750 employees and < EUR 150M turnover. Annex I entities qualifying as small mid-caps would be classified as Important instead of Essential. This is NOT yet in force." }, "sz_020": { "id": "sz_020", "stage": "S5_SIZE", "type": "question", "text": "What is the entity's annual turnover (excluding VAT)?", "help": "Net annual turnover excluding VAT and other indirect duties/taxes. From the last approved (closed) accounting period. Consolidated with partner/linked enterprises if applicable.", "legal_ref": "Recommendation 2003/361/EC, Art. 4", "options": [ { "id": "sz_020_a", "label": "Less than EUR 10 million", "value": "BELOW_10M", "next": "sz_030" }, { "id": "sz_020_b", "label": "EUR 10 million to EUR 50 million (inclusive)", "value": "10M_TO_50M", "next": "sz_030" }, { "id": "sz_020_c", "label": "More than EUR 50 million (strictly above)", "value": "ABOVE_50M", "next": "sz_030" } ] }, "sz_030": { "id": "sz_030", "stage": "S5_SIZE", "type": "question", "text": "What is the entity's annual balance sheet total?", "help": "Total assets on the balance sheet. From the last approved (closed) accounting period. Consolidated with partner/linked enterprises if applicable.", "legal_ref": "Recommendation 2003/361/EC, Art. 4", "options": [ { "id": "sz_030_a", "label": "Less than EUR 10 million", "value": "BELOW_10M", "next": "sz_result" }, { "id": "sz_030_b", "label": "EUR 10 million to EUR 43 million (inclusive)", "value": "10M_TO_43M", "next": "sz_result" }, { "id": "sz_030_c", "label": "More than EUR 43 million (strictly above)", "value": "ABOVE_43M", "next": "sz_result" } ] }, "sz_result": { "id": "sz_result", "stage": "S5_SIZE", "type": "computed", "description": "Size is computed from the three inputs (headcount, turnover, balance sheet). The wizard code applies the following logic:", "logic": { "LARGE": "headcount >= 250 OR (turnover > EUR 50M AND balance_sheet > EUR 43M)", "MEDIUM": "headcount >= 50 OR (turnover > EUR 10M AND balance_sheet > EUR 10M) — and NOT large", "SMALL_MICRO": "headcount < 50 AND (turnover <= EUR 10M OR balance_sheet <= EUR 10M)", "computation_table": [ { "headcount": "SMALL", "turnover": "BELOW_10M", "balance": "BELOW_10M", "result": "SMALL_MICRO" }, { "headcount": "SMALL", "turnover": "BELOW_10M", "balance": "10M_TO_43M", "result": "SMALL_MICRO" }, { "headcount": "SMALL", "turnover": "BELOW_10M", "balance": "ABOVE_43M", "result": "SMALL_MICRO" }, { "headcount": "SMALL", "turnover": "10M_TO_50M", "balance": "BELOW_10M", "result": "SMALL_MICRO" }, { "headcount": "SMALL", "turnover": "10M_TO_50M", "balance": "10M_TO_43M", "result": "MEDIUM" }, { "headcount": "SMALL", "turnover": "10M_TO_50M", "balance": "ABOVE_43M", "result": "MEDIUM" }, { "headcount": "SMALL", "turnover": "ABOVE_50M", "balance": "BELOW_10M", "result": "SMALL_MICRO" }, { "headcount": "SMALL", "turnover": "ABOVE_50M", "balance": "10M_TO_43M", "result": "MEDIUM" }, { "headcount": "SMALL", "turnover": "ABOVE_50M", "balance": "ABOVE_43M", "result": "LARGE" }, { "headcount": "MEDIUM", "turnover": "BELOW_10M", "balance": "BELOW_10M", "result": "MEDIUM" }, { "headcount": "MEDIUM", "turnover": "BELOW_10M", "balance": "10M_TO_43M", "result": "MEDIUM" }, { "headcount": "MEDIUM", "turnover": "BELOW_10M", "balance": "ABOVE_43M", "result": "MEDIUM" }, { "headcount": "MEDIUM", "turnover": "10M_TO_50M", "balance": "BELOW_10M", "result": "MEDIUM" }, { "headcount": "MEDIUM", "turnover": "10M_TO_50M", "balance": "10M_TO_43M", "result": "MEDIUM" }, { "headcount": "MEDIUM", "turnover": "10M_TO_50M", "balance": "ABOVE_43M", "result": "MEDIUM" }, { "headcount": "MEDIUM", "turnover": "ABOVE_50M", "balance": "BELOW_10M", "result": "MEDIUM" }, { "headcount": "MEDIUM", "turnover": "ABOVE_50M", "balance": "10M_TO_43M", "result": "MEDIUM" }, { "headcount": "MEDIUM", "turnover": "ABOVE_50M", "balance": "ABOVE_43M", "result": "LARGE" }, { "headcount": "LARGE", "turnover": "BELOW_10M", "balance": "BELOW_10M", "result": "LARGE" }, { "headcount": "LARGE", "turnover": "BELOW_10M", "balance": "10M_TO_43M", "result": "LARGE" }, { "headcount": "LARGE", "turnover": "BELOW_10M", "balance": "ABOVE_43M", "result": "LARGE" }, { "headcount": "LARGE", "turnover": "10M_TO_50M", "balance": "BELOW_10M", "result": "LARGE" }, { "headcount": "LARGE", "turnover": "10M_TO_50M", "balance": "10M_TO_43M", "result": "LARGE" }, { "headcount": "LARGE", "turnover": "10M_TO_50M", "balance": "ABOVE_43M", "result": "LARGE" }, { "headcount": "LARGE", "turnover": "ABOVE_50M", "balance": "BELOW_10M", "result": "LARGE" }, { "headcount": "LARGE", "turnover": "ABOVE_50M", "balance": "10M_TO_43M", "result": "LARGE" }, { "headcount": "LARGE", "turnover": "ABOVE_50M", "balance": "ABOVE_43M", "result": "LARGE" } ], "note": "Size is determined by headcount OR financial thresholds. For headcount: >= 50 FTE = medium, >= 250 FTE = large. For financials alone (headcount < 50 FTE): BOTH turnover AND balance sheet must exceed the threshold — turnover > EUR 10M AND balance sheet > EUR 10M for medium; turnover > EUR 50M AND balance sheet > EUR 43M for large. A single financial figure exceeding the threshold is NOT sufficient." }, "routing": { "size_exempt_entities": { "description": "For size-exempt entity types (telecom, non-qualified TSP, domain registration), size determines classification but NOT scope. These entities arrived here via sp_telecom, sp_nqtsp, or sp_domreg which set special_classification rules.", "SMALL_MICRO": "Apply special_classification.small from the referring node", "MEDIUM": "Apply special_classification.medium from the referring node", "LARGE": "Apply special_classification.large from the referring node" }, "standard_entities": { "SMALL_MICRO": "r_out_too_small", "MEDIUM_ANNEX_I": "c_important_annex_I", "MEDIUM_ANNEX_II": "c_important_annex_II", "LARGE_ANNEX_I": "c_essential_standard", "LARGE_ANNEX_II": "c_important_annex_II" } } }, "r_out_too_small": { "id": "r_out_too_small", "stage": "RESULT", "type": "result", "scope_status": "OUT_OF_SCOPE", "title": "Below size threshold — Out of NIS2 scope", "summary": "Your entity does not meet the minimum size threshold for NIS2 scope (at least medium-sized enterprise: >= 50 FTE, or both turnover > EUR 10M AND balance sheet > EUR 10M).", "classification": null, "cyfun_level": null, "obligations": [], "deadlines": [], "legal_ref": "Art. 3 §1", "notes": [ "The CCB may still identify your entity as essential or important under Art. 11 if specific criteria are met (sole provider, significant impact, systemic risk, etc.).", "If your entity grows past the size threshold, check if you enter scope. The two-year rule applies: you must exceed thresholds for 2 consecutive fiscal years before changing size category (Art. 4.2 Recommendation 2003/361).", "You may still be subject to NIS2 supply chain requirements as a supplier to an in-scope entity.", "Voluntary NIS2 compliance and CyFun (Basic level) adoption are recommended." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Consider voluntary CyFun Basic", "url": "https://ccb.belgium.be/en/cyberfundamentals-framework", "description": "CyFun Basic covers 34 controls targeting 82% of attacks — recommended even for out-of-scope entities" }, { "step": "Download CyFun Basic self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your cybersecurity posture with the free self-assessment tool" }, { "step": "Monitor your size thresholds", "description": "If you exceed 50 FTE or EUR 10M turnover+balance for 2 consecutive years, you may enter NIS2 scope" } ] }, "c_essential_standard": { "id": "c_essential_standard", "stage": "S6_CLASSIFICATION", "type": "info", "text": "Your entity is classified as ESSENTIAL (Annex I, large enterprise).", "next": "dora_010" }, "c_important_annex_I": { "id": "c_important_annex_I", "stage": "S6_CLASSIFICATION", "type": "info", "text": "Your entity is classified as IMPORTANT (Annex I, medium enterprise).", "next": "dora_010" }, "c_important_annex_II": { "id": "c_important_annex_II", "stage": "S6_CLASSIFICATION", "type": "info", "text": "Your entity is classified as IMPORTANT (Annex II, medium or large enterprise).", "legal_ref": "Art. 10, 1°", "note": "Annex II entities are Important regardless of whether they are medium or large (unless identified as Essential by CCB under Art. 11, or identified as critical infrastructure operator under Art. 9, 5°).", "next": "dora_010" }, "dora_010": { "id": "dora_010", "stage": "S7_DORA", "type": "question", "text": "Is your entity subject to the Digital Operational Resilience Act (DORA — Regulation (EU) 2022/2554)?", "help": "DORA applies to financial entities: credit institutions, payment institutions, investment firms, insurance undertakings, crypto-asset service providers, central securities depositories, central counterparties, trading venues, and others listed in DORA Art. 2. If subject to DORA AND in the banking or financial market infrastructure sector (Annex I), Titles 3-5 of NIS2 are excluded. ICT third-party service providers under DORA are NOT covered by this exclusion.", "legal_ref": "Art. 6 §3", "options": [ { "id": "dora_a", "label": "Yes — banking or financial market infrastructure sector, subject to DORA", "next": "r_dora_partial" }, { "id": "dora_b", "label": "Yes — financial institution supervised by NBB (non-banking, non-FMI)", "description": "Financial institutions supervised by the NBB under Art. 8 and 12bis of the organic statute, that do not fall under the banking/FMI DORA exclusion.", "next": "r_nbb_partial" }, { "id": "dora_c", "label": "Yes — ICT third-party service provider under DORA", "description": "ICT third-party service providers are subject to BOTH DORA and NIS2. The lex specialis exclusion does NOT apply.", "next": "r_final_routing" }, { "id": "dora_d", "label": "No — not subject to DORA", "next": "r_final_routing" } ] }, "r_dora_partial": { "id": "r_dora_partial", "stage": "RESULT", "type": "result", "scope_status": "PARTIAL_EXCLUSION", "title": "DORA entity (banking/financial market infrastructure) — Partial NIS2 exclusion", "summary": "Your entity is in NIS2 scope but Titles 3, 4, and 5 are excluded because DORA applies as lex specialis. You must still register on Safeonweb@Work. Incident notifications go through BNB/FSMA (forwarded to CCB).", "classification": "AS_PER_SIZE_CAP", "cyfun_level": null, "obligations": [ "Registration on Safeonweb@Work (Title 2 applies)", "DORA risk management and incident notification apply instead of NIS2 Titles 3-5", "Incident notifications via BNB/FSMA mechanism (automatically forwarded to CCB)", "Voluntary notifications possible (Art. 38)" ], "deadlines": [ { "date": "2025-03-18", "description": "Registration deadline on Safeonweb@Work" } ], "legal_ref": "Art. 6 §3", "sanctions": { "note": "NIS2 sanctions (Title 5) do NOT apply — DORA enforcement applies instead" }, "notes": [ "Titles excluded: Title 3 (risk management + incident notification), Title 4 (supervision), Title 5 (sanctions).", "Titles that still apply: Title 1 (definitions), Title 2 (governance framework, registration).", "Your NIS2 classification (Essential or Important) is still determined by the standard size-cap rules. This determines your CCB registration details, even though DORA takes over operational obligations.", "The National Bank of Belgium's central securities depository activity is also covered by this DORA exclusion." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Registration is required even under DORA partial exclusion" }, { "step": "Verify DORA compliance", "description": "Titles 3-5 of NIS2 are excluded; your primary obligations come from DORA (Regulation 2022/2554)" }, { "step": "Set up incident notification via NBB/FSMA", "description": "Incident notifications go through the financial sector supervisor, not directly to CCB" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications on DORA interaction" } ], "conformity_paths": [ { "id": "not_applicable", "name": "Conformity assessment not required", "description": "Titles 3-5 of NIS2 are excluded for this entity type. Conformity assessment under NIS2 Art. 39/41 does not apply.", "note": "Primary compliance obligations come from the applicable lex specialis regime (e.g., DORA for financial entities)." } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — Titles 1 and 2 applicable", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline on Safeonweb@Work", "status": "past" } ], "conformity_mandatory": false }, "r_nbb_partial": { "id": "r_nbb_partial", "stage": "RESULT", "type": "result", "scope_status": "PARTIAL_EXCLUSION", "title": "NBB-supervised financial institution — Partial NIS2 exclusion", "summary": "Financial institutions supervised by the NBB (non-banking, non-FMI) are subject to NIS2 but with partial exclusion: Title 3 Chapter 1, Title 4, and Title 5 do not apply.", "classification": "AS_PER_SIZE_CAP", "cyfun_level": null, "obligations": [ "Registration on Safeonweb@Work", { "category": "Incident Notification", "description": "Title 3 Chapter 2 (incident notification) still applies. Notify significant incidents via notif.safeonweb.be", "legal_ref": "Art. 6 §4; Art. 34-37", "timeline": [ { "step": "Early warning", "deadline": "Within 24 hours" }, { "step": "Full notification", "deadline": "Within 72 hours" }, { "step": "Intermediate report", "deadline": "Upon request from CCB" }, { "step": "Final report", "deadline": "Within 1 month" } ] }, "Title 2 (governance framework) applies" ], "deadlines": [ { "date": "2025-03-18", "description": "Registration deadline" } ], "legal_ref": "Art. 6 §4, 2°", "notes": [ "Title 3 Ch.1 (risk management), Title 4 (supervision), Title 5 (sanctions) excluded.", "Title 3 Ch.2 (incident notification) and Title 2 (governance) still apply." ], "proposed_2026_changes": null, "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Registration is required even under DORA partial exclusion" }, { "step": "Verify DORA compliance", "description": "Titles 3-5 of NIS2 are excluded; your primary obligations come from DORA (Regulation 2022/2554)" }, { "step": "Set up incident notification via NBB/FSMA", "description": "Incident notifications go through the financial sector supervisor, not directly to CCB" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications on DORA interaction" } ], "conformity_paths": [ { "id": "not_applicable", "name": "Conformity assessment not required", "description": "Titles 3-5 of NIS2 are excluded for this entity type. Conformity assessment under NIS2 Art. 39/41 does not apply.", "note": "Primary compliance obligations come from the applicable lex specialis regime (e.g., DORA for financial entities)." } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — Titles 1 and 2 applicable", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline on Safeonweb@Work", "status": "past" } ], "conformity_mandatory": false }, "r_final_routing": { "id": "r_final_routing", "stage": "S8_RESULT", "type": "computed", "description": "Final result routing based on classification determined in earlier stages. The wizard code routes to the appropriate result node.", "routing": { "ESSENTIAL": "r_essential", "IMPORTANT": "r_important" } }, "r_essential": { "id": "r_essential", "stage": "RESULT", "type": "result", "scope_status": "IN_SCOPE", "title": "Essential Entity", "summary": "Your entity is classified as an ESSENTIAL entity under NIS2 Belgium. This entails the highest level of obligations, proactive supervision, and mandatory conformity assessment.", "classification": "ESSENTIAL", "cyfun_level": "ESSENTIAL", "supervision": "Proactive (ex ante + ex post)", "obligations": [ { "category": "Registration", "description": "Register on Safeonweb@Work (https://atwork.safeonweb.be/fr/register-my-organisation)", "legal_ref": "Art. 14, 26-29", "details": "Provide: size data, sector(s), entity type(s), relationship to Belgium, EU member states served, addresses, contact details (CIO/CISO), domain names, IP ranges." }, { "category": "Risk Management", "description": "Implement 11 minimum cybersecurity risk management measures", "legal_ref": "Art. 30 §2", "measures": [ "1. Risk analysis and information system security policies", "2. Incident handling", "3. Business continuity (backup, disaster recovery, crisis management)", "4. Supply chain security", "5. Network and information system acquisition, development and maintenance security (vulnerability handling)", "6. Policies to assess cybersecurity measure effectiveness", "7. Basic cyber hygiene and cybersecurity training", "8. Cryptography and encryption policies", "9. Human resources security, access control, asset management", "10. Multi-factor/continuous authentication, secured communications", "11. Coordinated vulnerability disclosure policy" ] }, { "category": "Management Body", "description": "Management body must approve, supervise, and be accountable for cybersecurity measures, and follow cybersecurity training", "legal_ref": "Art. 31" }, { "category": "Incident Notification", "description": "Notify significant incidents to CCB via https://notif.safeonweb.be", "legal_ref": "Art. 34-37", "timeline": [ { "step": "Early warning", "deadline": "24 hours", "content": "Suspected illicit/malicious cause? Cross-border impact?" }, { "step": "Incident notification", "deadline": "72 hours (24h for trust service providers)", "content": "Initial assessment, severity, impact, IoCs" }, { "step": "Intermediate report", "deadline": "On request", "content": "Situational updates" }, { "step": "Final report", "deadline": "1 month after notification", "content": "Detailed description, root cause, mitigation, cross-border impact" }, { "step": "Progress report", "deadline": "If incident ongoing at final report deadline", "content": "Available info; final report due within 1 month after resolution" } ], "forwarding": "CCB forwards to sectoral authority AND NCCN", "significant_incident_criteria": [ "Suspected malicious event compromising CIA with serious operational disruption", "Availability loss: >=20% users for >=1 hour, OR unknown scope for >=1 hour, OR SLA breach", "Financial loss: >EUR 250,000 or >5% annual turnover (whichever is lower); IP/trade secret loss", "Material/physical/moral damage to third parties: injuries, deaths, asset destruction, financial consequences", "Recurring: same root cause, >=2x in 6 months, collectively meeting above criteria" ], "eu_implementing_reg_note": "For entity types covered by EU Implementing Regulation 2024/2690: financial threshold is EUR 500,000 (not EUR 250,000)." }, { "category": "Conformity Assessment", "description": "Mandatory periodic conformity assessment", "legal_ref": "Art. 39", "options": [ { "path": "CyFun Essential", "type": "Certification (ISO 17021-1)", "assessor": "CAB accredited by BELAC and approved by CCB", "cycle": "3-year certification with annual surveillance" }, { "path": "ISO 27001", "type": "ISO 27001 Certification", "assessor": "CAB accredited by EA/IAF MLA member and approved by CCB", "note": "Scope must cover entire entity, not just NIS2 activities" }, { "path": "CCB Inspection", "type": "Direct inspection", "assessor": "CCB or sectoral inspection service" } ], "lower_level_option": "An entity may use a CyFun level lower than Essential if objectively justified by its risk analysis (Royal Decree Art. 7). No CCB approval required, but may be challenged by inspection." } ], "deadlines": [ { "date": "2024-10-18", "description": "Law enters into force. Risk management, incident notification, management body obligations begin." }, { "date": "2024-12-18", "description": "Registration deadline for digital infrastructure/provider entity types (Art. 14 §1)" }, { "date": "2025-03-18", "description": "Registration deadline for all other entity types" }, { "date": "2026-04-18", "description": "First conformity milestone (18 months): CyFun verification at Basic/Important level, OR ISO 27001 scope+SoA submission, OR CyFun self-assessment submission" }, { "date": "2027-04-18", "description": "Second conformity milestone (30 months): CyFun Essential certification, OR ISO 27001 certification by approved CAB, OR progress report for CCB inspection path" } ], "sanctions": { "max_fine": "EUR 10,000,000 or 2% of worldwide annual turnover (whichever is higher)", "recidivism": "Fine doubled for repeat offences within 3 years", "administrative_measures": [ "Warnings", "Binding instructions / injunctions", "Cease-and-desist orders", "Orders to remedy within deadline", "Orders to inform affected persons", "Orders to implement audit recommendations", "Orders to publicly disclose violations", "Compliance supervisor designation (essential entities only)" ], "escalation": [ "Temporary suspension of certification/authorisation", "Temporary ban on persons exercising management responsibilities (director-general/legal representative level)" ], "public_admin_exception": "Public administration entities are exempt from fines and escalation measures, but basic administrative measures apply." }, "eu_implementing_regulation": { "applies_to": [ "DNS service providers", "TLD name registries", "Cloud computing service providers", "Data centre service providers", "CDN providers", "Managed service providers", "Managed security service providers", "Online marketplace providers", "Online search engine providers", "Social networking services platforms", "Trust service providers" ], "description": "If your entity type is in this list, you must additionally comply with the technical and methodological requirements of EU Implementing Regulation 2024/2690." }, "notes": [ "NIS2 applies to the ENTIRE entity, not just the NIS2 service activities (FAQ 3.2).", "If you provide services in multiple sectors, the strictest classification prevails.", "Voluntary notifications of non-significant incidents, cyber threats, and near-misses are possible (Art. 38).", "NIS2 notification does NOT replace GDPR breach notification to the DPA — two separate notifications are required when personal data is involved." ], "proposed_2026_changes": [ "PROPOSED: New 'small mid-cap' category (COM(2026) 13) — Annex I entities qualifying as small mid-caps would be Important instead of Essential.", "PROPOSED: Maximum harmonisation for implementing acts — Member States could not add requirements beyond EU implementing acts.", "PROPOSED: Ransomware payment reporting obligation." ], "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Mandatory registration for all NIS2 entities" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for audit scheduling (essential entities must be certified by April 2027)" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "ESSENTIAL", "controls": 140, "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level possible if justified by entity's risk analysis (Royal Decree Art. 7)" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted (Loi du 26 avril 2024)", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "18-month milestone — CyFun Basic/Important verification OR ISO 27001 scope + Statement of Applicability submitted to CCB", "status": "upcoming" }, { "date": "2027-04-18", "label": "30-month milestone — CyFun Essential certification OR ISO 27001 full certification obtained by approved CAB", "status": "future" } ], "conformity_mandatory": true }, "r_important": { "id": "r_important", "stage": "RESULT", "type": "result", "scope_status": "IN_SCOPE", "title": "Important Entity", "summary": "Your entity is classified as an IMPORTANT entity under NIS2 Belgium. You have the same risk management and incident notification obligations as essential entities, but with reactive (ex post) supervision and voluntary conformity assessment.", "classification": "IMPORTANT", "cyfun_level": "IMPORTANT", "supervision": "Reactive (ex post only)", "obligations": [ { "category": "Registration", "description": "Register on Safeonweb@Work (https://atwork.safeonweb.be/fr/register-my-organisation)", "legal_ref": "Art. 14, 26-29" }, { "category": "Risk Management", "description": "Implement 11 minimum cybersecurity risk management measures (identical to essential entities)", "legal_ref": "Art. 30 §2", "measures": [ "1. Risk analysis and information system security policies", "2. Incident handling", "3. Business continuity (backup, disaster recovery, crisis management)", "4. Supply chain security", "5. Network and information system acquisition, development and maintenance security", "6. Policies to assess cybersecurity measure effectiveness", "7. Basic cyber hygiene and cybersecurity training", "8. Cryptography and encryption policies", "9. Human resources security, access control, asset management", "10. Multi-factor/continuous authentication, secured communications", "11. Coordinated vulnerability disclosure policy" ] }, { "category": "Management Body", "description": "Management body must approve, supervise, and be accountable for cybersecurity measures, and follow cybersecurity training", "legal_ref": "Art. 31" }, { "category": "Incident Notification", "description": "Notify significant incidents to CCB via https://notif.safeonweb.be", "legal_ref": "Art. 34-37", "timeline": [ { "step": "Early warning", "deadline": "24 hours" }, { "step": "Incident notification", "deadline": "72 hours (24h for trust service providers)" }, { "step": "Intermediate report", "deadline": "On request" }, { "step": "Final report", "deadline": "1 month after notification" }, { "step": "Progress report", "deadline": "If incident ongoing at final report deadline" } ], "forwarding": "CCB forwards to sectoral authority only (NOT to NCCN)" }, { "category": "Conformity Assessment", "description": "Voluntary — important entities may opt in to the same conformity assessment regime as essential entities", "legal_ref": "Art. 41", "options": [ { "path": "CyFun Important", "type": "Verification (ISO 17029)", "assessor": "CAB accredited by BELAC and approved by CCB", "cycle": "Full verification every 3 years" }, { "path": "ISO 27001", "type": "ISO 27001 Certification", "note": "Scope must cover entire entity" }, { "path": "CCB Inspection", "type": "Direct inspection (only after incident or evidence of non-compliance)" } ], "lower_level_option": "An entity may use CyFun Basic level if objectively justified by its risk analysis." } ], "deadlines": [ { "date": "2024-10-18", "description": "Law enters into force. Risk management, incident notification, management body obligations begin." }, { "date": "2024-12-18", "description": "Registration deadline for digital infrastructure/provider entity types (Art. 14 §1)" }, { "date": "2025-03-18", "description": "Registration deadline for all other entity types" } ], "sanctions": { "max_fine": "EUR 7,000,000 or 1.4% of worldwide annual turnover (whichever is higher)", "recidivism": "Fine doubled for repeat offences within 3 years", "administrative_measures": [ "Warnings", "Binding instructions / injunctions", "Cease-and-desist orders", "Orders to remedy within deadline", "Orders to inform affected persons", "Orders to implement audit recommendations", "Orders to publicly disclose violations" ], "escalation": "N/A — suspension and management ban measures do NOT apply to important entities", "public_admin_exception": "Public administration entities are exempt from fines." }, "eu_implementing_regulation": { "applies_to": [ "DNS service providers", "TLD name registries", "Cloud computing service providers", "Data centre service providers", "CDN providers", "Managed service providers", "Managed security service providers", "Online marketplace providers", "Online search engine providers", "Social networking services platforms", "Trust service providers" ], "description": "If your entity type is in this list, you must additionally comply with EU Implementing Regulation 2024/2690." }, "notes": [ "NIS2 applies to the ENTIRE entity, not just the NIS2 service activities (FAQ 3.2).", "Supervision is reactive only — inspections occur only after an incident or evidence of non-compliance.", "You may opt in to the mandatory conformity assessment regime at any time.", "NIS2 notification does NOT replace GDPR breach notification." ], "proposed_2026_changes": [ "PROPOSED: Ransomware payment reporting obligation.", "PROPOSED: Maximum harmonisation for implementing acts." ], "next_steps": [ { "step": "Register on Safeonweb@Work", "url": "https://atwork.safeonweb.be/fr/register-my-organisation", "description": "Mandatory registration for all NIS2 entities" }, { "step": "Complete CyFun self-assessment", "url": "https://atwork.safeonweb.be", "description": "Evaluate your current maturity against CyberFundamentals controls" }, { "step": "Engage management body", "description": "Board/management must formally approve cybersecurity measures and undergo training (Art. 31)" }, { "step": "Prepare incident notification process", "url": "https://notif.safeonweb.be", "description": "Set up internal procedures for 24h/72h/1month notification timelines" }, { "step": "Plan conformity assessment", "description": "Contact an authorised CAB for verification (reactive supervision, no mandatory certification deadline for Important entities)" }, { "step": "Review CCB guidance", "url": "https://ccb.belgium.be/en/nis-2", "description": "Stay updated with latest CCB publications and guidance" } ], "conformity_paths": [ { "id": "cyfun", "name": "CyberFundamentals (CyFun)", "description": "CCB's own framework mapped to NIST CSF 2.0, ISO 27001, CIS Controls v8, and IEC 62443", "level": "IMPORTANT", "controls": 117, "assessment_type": "Verification (ISO 17029)", "cycle": "3-year cycle with annual surveillance", "authorized_cabs": 2, "self_assessment_url": "https://atwork.safeonweb.be", "pros": [ "Specifically designed for Belgian NIS2 compliance", "Free framework and self-assessment tools from CCB", "Controls pre-mapped to NIS2 Art. 30 measures", "Lower CyFun level (BASIC) possible if justified by entity's risk analysis" ], "cons": [ "Only 2 authorized CABs currently (Brand Compliance, What a Work)", "Belgian-specific framework — not recognized outside Belgium" ] }, { "id": "iso27001", "name": "ISO/IEC 27001:2022", "description": "International Information Security Management System standard", "assessment_type": "Certification (ISO 17021-1)", "cycle": "3-year certification cycle with annual surveillance", "authorized_cabs": 17, "pros": [ "Internationally recognized standard", "17 authorized CABs available in Belgium", "Entity may already hold ISO 27001 certification", "Recognized across EU member states" ], "cons": [ "Scope must cover the ENTIRE entity (not just IT or NIS2 services)", "Statement of Applicability must cover all 11 NIS2 Art. 30 risk management measures", "ISO 27001 standard must be purchased from NBN (not freely available)", "No free self-assessment tool provided by CCB" ] }, { "id": "inspection", "name": "CCB Inspection", "description": "Direct inspection by CCB's inspection service or sectoral inspection service", "note": "Inspection fees are charged to the entity. No presumption of conformity is granted.", "essential_only": false } ], "compliance_timeline": [ { "date": "2024-04-26", "label": "NIS2 law enacted", "status": "past" }, { "date": "2024-10-18", "label": "Law in force — All obligations active (risk management, incident notification, management training)", "status": "past" }, { "date": "2025-03-18", "label": "Registration deadline (all other NIS2 entities)", "status": "past" }, { "date": "2026-04-18", "label": "Voluntary: CyFun Important verification or ISO 27001 certification (no mandatory deadline for Important entities)", "status": "upcoming" } ], "conformity_mandatory": false }, "x_020_nccn_tsp": { "id": "x_020_nccn_tsp", "stage": "S2_EXCLUSIONS", "type": "question", "text": "Does the NCCN also act as a trust service provider?", "help": "Even partially excluded entities lose their exclusion for trust service provider activities (Art. 5 §6). If the NCCN acts as a TSP, it would be in full NIS2 scope for those activities.", "legal_ref": "Art. 5 §5, 1°; Art. 5 §6", "options": [ { "id": "nccn_tsp_yes", "label": "Yes — acts as a trust service provider", "next": "s_010" }, { "id": "nccn_tsp_no", "label": "No", "next": "r_partial_nccn" } ] }, "x_020_ccb_tsp": { "id": "x_020_ccb_tsp", "stage": "S2_EXCLUSIONS", "type": "question", "text": "Does the CCB also act as a trust service provider?", "help": "Even partially excluded entities lose their exclusion for trust service provider activities (Art. 5 §6). If the CCB acts as a TSP, it would be in full NIS2 scope for those activities.", "legal_ref": "Art. 5 §5, 2°; Art. 5 §6", "options": [ { "id": "ccb_tsp_yes", "label": "Yes — acts as a trust service provider", "next": "s_010" }, { "id": "ccb_tsp_no", "label": "No", "next": "r_partial_ccb" } ] } }, "edge_cases_index": { "description": "Quick reference for wizard to display contextual edge case information. These map to nodes where the edge case is relevant.", "electricity_self_consumption": { "trigger_node": "e_010_producer", "summary": "Grid-connected self-consumption producers are in scope if medium+ but qualify for less strict supervision (CyFun Basic).", "source": "FAQ 1.22.1.1, 1.22.1.2" }, "internal_data_centre": { "trigger_node": "e_010_dc", "summary": "Internal/corporate data centres (not providing third-party services) are NOT data centre service providers.", "source": "NIS2 Directive Art. 6(31)" }, "intra_group_msp": { "trigger_node": "s_020_ict", "summary": "Intra-group IT service providers may qualify as MSPs if serving separate legal entities within the group.", "source": "FAQ 1.16.7" }, "drinking_water_non_essential_activity": { "trigger_node": "s_020_drinkwater", "summary": "Distributors for whom water distribution is a non-essential part of their general activity may be excluded.", "source": "Annex I, sector 6" }, "manufacturing_nace_codes": { "trigger_node": "s_020_manufacturing", "summary": "NACE codes are guidance only. 'Manufacturing' is an autonomous EU law concept (physical/chemical transformation).", "source": "FAQ; AMB-8" }, "public_entity_principal_activity": { "trigger_node": "s_020_pubadmin", "summary": "A public entity whose principal activity is in another NIS2 sector (e.g., hospital = Health) should be assessed under THAT sector.", "source": "FAQ 2.3; AMB-9" }, "two_year_size_rule": { "trigger_node": "sz_010", "summary": "Size category only changes after exceeding/falling below thresholds for 2 consecutive fiscal years.", "source": "Recommendation 2003/361, Art. 4.2; FAQ 1.5.2" }, "independence_mechanism": { "trigger_node": "sz_010", "summary": "Entity may claim IT/OT independence from linked/partner enterprises to reduce consolidated size. Case-by-case CCB assessment; entity bears burden of proof.", "source": "Art. 3 §2; FAQ 1.5.1; AMB-4" }, "linked_enterprise_natural_persons": { "trigger_node": "sz_010", "summary": "Art. 3 §4 of Recommendation 2003/361 (linking through natural persons) does NOT apply for NIS2.", "source": "Art. 3 §1, al. 2" }, "dora_ict_third_party": { "trigger_node": "dora_010", "summary": "ICT third-party service providers under DORA are NOT covered by the lex specialis exclusion — subject to BOTH DORA and NIS2.", "source": "FAQ 1.17" }, "multi_sector_strictest": { "trigger_node": "s_010", "summary": "If an entity operates in both Annex I and Annex II sectors, the strictest classification prevails (essential over important).", "source": "FAQ 1.10" }, "accessory_activity": { "trigger_node": "s_010", "summary": "NIS2 applies even if the NIS2 service is an accessory/non-essential part of the entity's activities — unless the annex definition explicitly considers the accessory character.", "source": "FAQ 1.3" }, "acquisition_change": { "trigger_node": "sz_010", "summary": "After acquisition, NIS2 qualification stays with the acquired entity. Size-cap may be recalculated after 2 years.", "source": "FAQ 1.13" }, "holding_companies": { "trigger_node": "sz_010", "summary": "Holdings not providing NIS2 services are not in scope, but their data counts for linked/partner enterprise size consolidation.", "source": "FAQ 1.16.6" }, "non_profit_in_scope": { "trigger_node": "sz_010", "summary": "Non-profits (ASBL/VZW) and any entity engaged in economic activity are considered 'enterprises' for NIS2 size assessment.", "source": "Recommendation 2003/361, Art. 1; FAQ 1.3" } }, "consult_expert_scenarios": [ { "id": "AMB-1", "scenario": "Rescue zones — potential reclassification to Essential", "description": "Rescue zones are Important by default (CCB Entity Definition Matrix), but the CCB may identify specific rescue zones as Essential under Art. 11 if they meet the criteria (sole provider, significant impact, systemic risk).", "node": "sp_rescue" }, { "id": "AMB-4", "scenario": "Independence mechanism for partner/linked enterprises", "description": "Art. 3 §2 allows CCB to assess independence of IT/OT networks, but criteria are not defined in law. Case-by-case assessment.", "node": "sz_010" }, { "id": "AMB-5", "scenario": "Non-essential part of general activity test", "description": "Used for drinking water, wastewater, and waste management exclusions. No formal test defined.", "node": "s_020_drinkwater" }, { "id": "AMB-6", "scenario": "Ancillary facilities at airports", "description": "No exhaustive list. Criteria: digital integration with airport systems. Requires CCB/sectoral authority cooperation.", "node": "s_020_transport" }, { "id": "AMB-7", "scenario": "Hydrogen sector definitions", "description": "NIS2 predates EU hydrogen policy framework. Definitions should reference Directive 2024/1788.", "node": "s_020_energy" }, { "id": "AMB-8", "scenario": "Manufacturing as autonomous EU law concept", "description": "Physical/chemical transformation definition; NACE codes are guidance only. Edge cases possible.", "node": "s_020_manufacturing" }, { "id": "AMB-9", "scenario": "Public entity principal activity determination", "description": "When a public entity provides services in multiple sectors, no quantitative test exists to determine the 'principal' activity.", "node": "s_020_pubadmin" }, { "id": "AMB-10", "scenario": "Complex group structures", "description": "Multiple legal entities in a group with intertwined IT services and varying NIS2 obligations.", "node": "sz_010" }, { "id": "AMB-11", "scenario": "Multi-jurisdiction for digital infrastructure entities", "description": "Determining principal establishment across EU Member States using the three-tier cascade test.", "node": "j_010" } ], "proposed_2026_amendments_summary": { "status": "PROPOSED — COM(2026) 13 final, dated 20 January 2026. Not yet adopted. Requires transposition into Belgian law.", "changes": [ { "id": "P1", "title": "Small mid-cap category", "impact": "Annex I entities qualifying as small mid-caps would be IMPORTANT instead of ESSENTIAL", "affects_nodes": [ "c_essential_standard", "sz_result" ] }, { "id": "P2", "title": "DNS providers subject to size-cap", "impact": "DNS providers would need to be at least medium-sized to be in scope", "affects_nodes": [ "sp_dns" ] }, { "id": "P3", "title": "Electricity producers — 1 MW threshold", "impact": "Producers with total generation capacity <= 1 MW would be out of scope", "affects_nodes": [ "e_010_producer" ] }, { "id": "P4", "title": "European Digital Identity Wallet providers", "impact": "Added as essential entities regardless of size", "affects_nodes": [ "s_020_digital_infra" ] }, { "id": "P5", "title": "Strategic dual-use infrastructure operators", "impact": "Added as essential entities", "affects_nodes": [ "e_010" ] }, { "id": "P6", "title": "Submarine data transmission infrastructure", "impact": "New entity type added to digital infrastructure", "affects_nodes": [ "s_020_digital_infra" ] }, { "id": "P7", "title": "Maximum harmonisation for implementing acts", "impact": "Member States could not add requirements beyond EU implementing acts", "affects_nodes": [ "r_essential", "r_important" ] }, { "id": "P8", "title": "Ransomware payment reporting", "impact": "New reporting obligation for ransomware payments", "affects_nodes": [ "r_essential", "r_important" ] } ] } }