Cybersecurity 2026

Last Updated March 17, 2026

Belgium

Law and Practice

Author

Alston & Bird LLP is an international law firm with substantial experience across the full spectrum of cybersecurity matters. The firm leverages this expertise to support organisations in meeting their cybersecurity-related obligations, including advising on cyber preparedness, incident response and breach notification requirements under EU and UK law.

Belgium continues to strengthen its national cybersecurity framework through a combination of strategic policy initiatives and a rapidly evolving body of legislation. The country’s overarching policy blueprint is the National Cybersecurity Strategy 2.0 (2021–2025), led by the Centre for Cybersecurity Belgium (CCB). This strategy aims to position Belgium among the least cyber-vulnerable countries in Europe by:

  • reinforcing trust in digital services;
  • improving the capabilities of users and system administrators;
  • enhancing the protection of vital companies;
  • increasing the effectiveness of incident detection and response; and
  • deepening collaboration across the public, private and academic sectors.

The CCB plays a central role in co-ordinating implementation, supported by sectoral authorities and the National Crisis Center (NCCN). An updated cybersecurity strategy for the period 2025–2030 has been announced but not yet published. The National Cybersecurity Strategy 3.0 is expected to build on the foundations of the previous Strategy, with an emphasis on improving national detection capabilities in order to strengthen overall resilience.

Belgium’s legislative landscape has undergone significant development as part of this broader policy effort. The most consequential reform is the transposition of the EU NIS 2 Directive through the Belgian Act of 26 April 2024, which entered into force on 18 October 2024. This law considerably broadens the scope of cybersecurity regulation in Belgium by classifying organisations as “essential” or “important” entities based on the nature of their services and their size, and by imposing detailed cybersecurity risk management, governance, supply chain oversight and incident notification requirements. Registration of in-scope entities through the CCB’s Safeonweb@Work portal became mandatory as of 18 October 2024.

Parallel regulatory developments apply to the financial sector. The EU Digital Operational Resilience Act (DORA), effective since January 2025, establishes a harmonised framework for ICT risk management, major incident reporting, operational resilience testing and the oversight of Critical Third Party ICT Service Providers. In Belgium, supervision is exercised by the National Bank of Belgium (NBB) and the Financial Services and Markets Authority (FSMA). While many financial institutions also fall within the scope of NIS 2, DORA operates as a lex specialis for the sector. Incident reporting under DORA is made directly to the NBB or FSMA, which then ensures co-ordination with the CCB as needed.

Another important component of the EU cybersecurity framework with direct relevance for companies doing business in Belgium is the Cyber Resilience Act (CRA) (Regulation (EU) 2024/2847). This horizontal regulation applies to products with digital elements (eg, connected devices) placed on the EU market. It introduces secure-by-design obligations, detailed requirements for vulnerability management and incident reporting, and market surveillance mechanisms. While the CRA entered into force in December 2024, its substantive obligations will become fully applicable in December 2027, with certain intermediary obligations taking effect in September 2026, such as reporting actively exploited vulnerabilities.

Belgium also continues to develop its national cybersecurity certification framework under the EU Cybersecurity Act. The CCB, acting as Belgium’s National Cybersecurity Certification Authority, has created the CyberFundamentals (CyFun®) Framework, which offers a structured set of controls aligned with widely recognised international standards. The framework provides a presumption of conformity for NIS 2 purposes when verified or certified by an authorised Conformity Assessment Body. Therefore, achieving CyFun® certification/verification (or ISO 27001, if aligned with CyFun®) means an entity is presumed to have implemented the necessary, proportionate and adequate cybersecurity measures required by the NIS 2 Directive in Belgium. A new version of the framework, CyFun® 2025, introduces enhanced governance provisions, clearer control formulations and an expanded focus on supply chain and operational technology security.

In addition to these horizontal regimes, sector-specific rules continue to play an important role. For example:

  • the Belgian Institute for Postal Services and Telecommunications (BIPT) enforces telecom sector obligations related to network security, incident notification and the management of high-risk vendors in the context of 5G deployment;
  • for healthcare providers and medical device manufacturers, cybersecurity obligations arise under the EU Medical Devices Regulation, accompanied by strict incident reporting duties to the Federal Agency for Medicines and Health Products (FAMHP); and
  • the Belgian Data Protection Authority (DPA) enforces security and breach notification requirements under the EU General Data Protection Regulation (GDPR), and has recently launched a dedicated national portal that introduces a structured two-stage notification process.

Taken together, these developments reflect Belgium’s shift toward a more comprehensive, integrated and assurance-driven cybersecurity regulatory environment. The Belgian legislature now frames cybersecurity as a matter of both national security and economic continuity, embedding obligations directly at the organisational, sectoral and product levels. The combined effect is a regulatory model that prioritises robust governance, verifiable risk management practices, transparent incident reporting and greater accountability across supply chains. For companies operating in Belgium, understanding the interplay between NIS 2, DORA, the CRA, the GDPR and sector-specific regimes has therefore become an essential element of compliance planning and a core component of overall cyber resilience strategy.

Principal Cybersecurity Statutes and Regulations in Belgium

Belgium’s cybersecurity regulatory landscape consists of a layered system built from constitutional guarantees, EU-level regulations and national implementing legislation. The key instruments governing cybersecurity and cyber risk management are as follows.

Belgian Constitution – Article 22

  • Scope: protects the right to privacy, forming the constitutional basis for cybersecurity and data protection obligations.
  • Organisations in scope: all private and public bodies processing personal data in Belgium.

GDPR (Regulation (EU) 2016/679)

  • Scope: protection and security of personal data, with breach notification and accountability obligations.
  • Organisations in scope: controllers and processors established in Belgium or targeting individuals in Belgium.
  • Guidance: EDPB guidelines (eg, on breach notification and security measures) influence interpretation by the DPA and courts.

Belgian data protection framework

  • The DPA Act (Act of 3 December 2017, amended 2023) and the Data Protection Act (Act of 30 July 2018) supplement the GDPR and clarify the role and investigative powers of the DPA.
  • Guidance: DPA’s decisions, recommendations and inspection reports.

Belgian Criminal Code and Criminal Procedure Code

  • Criminalise hacking, unlawful interception, system interference, computer sabotage and computer-related fraud.
  • Modernised as part of Belgium’s 2024 criminal law reform (entering into force April 2026).
  • Apply to any individual or organisation in Belgium implicated in cybercrime.

NIS 2 Act – Belgian Act of 26 April 2024

  • Subject matter scope: cybersecurity of networks and information systems essential for public security and the economy.
  • Organisations in scope: “essential” and “important” entities in sectors listed in Annexes I and II (eg, energy, transport, digital infrastructure, healthcare, public administration, cloud providers, online marketplaces).
  • Territorial reach: applies to entities established in Belgium providing services within the EU.
  • Guidance: the CCB has issued, for example:
    1. NIS 2 guidelines and FAQs; and
    2. the CyberFundamentals Framework (CyFun®) used for conformity assessments.

DORA (Regulation (EU) 2022/2554)

  • Scope: digital operational resilience of the financial sector.
  • Organisations in scope: more than 20 types of EU financial entities, such as credit institutions, investment firms, trading venues, insurers and payment institutions, as well as third-party ICT service providers.
  • Territorial reach: DORA applies to nearly all financial entities regulated under EU law that are operating in Belgium, regardless of their size. In addition, DORA applies to non-EU ICT service providers, such as cloud platforms, data centres and software vendors, if they provide services to financial entities in Belgium.
  • Guidance: Belgian regulators (NBB, FSMA) supplement DORA with circulars, supervisory expectations and incident reporting instructions.

Cyber Resilience Act (CRA – Regulation (EU) 2024/2847)

  • Scope: cybersecurity requirements for products with digital elements (PDEs).
  • Organisations in scope: manufacturers, importers and distributors of PDEs.
  • Territorial reach: EU-wide, and also applying to non-EU manufacturers placing PDEs on the EU market.
  • Binding guidance: the CRA introduces a single EU vulnerability reporting platform. ENISA guidance will play a significant compliance role.

Cybersecurity Act (Regulation (EU) 2019/881)

  • Establishes EU-wide security certification schemes for ICT products and services.
  • In Belgium, the CCB acts as the National Cybersecurity Certification Authority.

Critical Entities Resilience Directive (CER Directive – Directive (EU) 2022/2557) and Belgian Critical Infrastructures Act (2011, amended 2023)

  • Focuses on the resilience of critical infrastructure in key sectors (energy, transport, digital infrastructure).
  • Operators under the Critical Infrastructures Act automatically fall under the NIS 2 category of “essential entities”.

AI Act (Regulation (EU) 2024/1689)

  • Creates cybersecurity obligations for high-risk AI systems (eg, protection against adversarial attacks and data poisoning).
  • Supports harmonisation with cybersecurity certification schemes under the Cybersecurity Act.

Interplay Between NIS 2, DORA, the CRA and Other Instruments

Belgium’s cybersecurity framework is now characterised by vertical (sector-specific) and horizontal (cross-sectoral) EU legislation. Their relationship can be summarised as follows.

NIS 2 as the horizontal baseline

NIS 2 is the overarching EU cybersecurity instrument, which:

  • sets minimum risk management, governance and incident reporting requirements;
  • applies across a broad range of public and private sectors; and
  • acts as the default compliance framework unless a more specific EU law overrides it.

In Belgium, the NIS 2 Act ensures integration with national crisis management structures and sectoral regulators co-ordinated by the CCB.

DORA as a sector-specific lex specialis for the financial sector

  • For financial entities, DORA supersedes NIS 2 where requirements overlap, especially regarding ICT risk management, testing and incident reporting.
  • Belgian financial regulators (NBB and FSMA) serve as frontline supervisors and forward incident reports to the CCB.

CRA as a product security regime complementing NIS 2

  • While NIS 2 focuses on organisational security obligations, the CRA imposes product-level cybersecurity requirements.
  • CRA obligations apply to the entire life cycle of PDEs, including vulnerability reporting.
  • Important and critical PDE manufacturers face heightened conformity assessment obligations, which may feed into broader NIS 2 or DORA compliance.

Cybersecurity Act and certification as a connecting layer

  • ENISA-led certification schemes under the Cybersecurity Act support compliance with both NIS 2 and CRA.
  • Belgium’s CyFun® certification serves as an operational tool for demonstrating NIS 2 conformity.

AI Act interactions

  • High-risk AI systems deployed by NIS 2 entities or financial institutions must meet cybersecurity requirements aligned with ENISA standards.
  • The AI Act’s security provisions complement, rather than replace, NIS 2 and DORA obligations. The AI Act focuses on specific risks associated with AI systems (eg, data governance, robustness), whereas NIS 2 and DORA provide broader, sector-specific cybersecurity obligations, creating a layered, non-conflicting compliance framework.

Belgium’s cybersecurity enforcement framework is built around several federal authorities with complementary mandates. These bodies supervise compliance with key cybersecurity laws, including the NIS 2 Act, the Cybersecurity Act, DORA, the Critical Infrastructures Act and sector-specific security requirements. Their roles, powers and operational capabilities, including incident response functions, are summarised below.

Centre for Cybersecurity Belgium (CCB)

Mandate

The CCB is Belgium’s central cybersecurity authority, reporting to the Federal Prime Minister. It designs, co-ordinates and oversees national cybersecurity strategy, and leads implementation of the NIS 2 Act. It also serves as Belgium’s national point of contact for EU cybersecurity bodies.

Supervisory and enforcement powers

  • Monitors and enforces NIS 2 compliance for essential and important entities.
  • Conducts on-site and remote inspections, and may request policies, logs, risk management evidence and technical documentation.
  • Issues binding mitigation measures and corrective orders.
  • Imposes administrative sanctions in co-operation with sectoral authorities.
  • Co-ordinates national-level response to major cyber incidents.

Investigative tools

  • Access to threat intelligence via its Cyber Threat Research and Intelligence Sharing (CyTRIS) unit.
  • Technical analysis of incident notifications.
  • Structured co-operation with law enforcement, intelligence services and the NCCN.
  • Authority to request information and forensic data from regulated entities.

Incident response role

The CCB hosts Belgium’s national Computer Emergency Response Team (CERT.be), providing 24/7 monitoring, triage and incident co-ordination. CERT.be collaborates with sectoral Computer Security Incident Response Teams (CSIRTs) and EU-level networks.

Sectoral Competent Authorities Under the NIS 2 Act

Sector-specific authorities work alongside the CCB to supervise cybersecurity obligations within their respective domains. They hold regulatory, investigative and enforcement powers tailored to sector risks.

Energy sector: Federal Public Service Economy

Mandate

  • Oversight of cybersecurity obligations for electricity, gas and petroleum operators designated under NIS 2.

Powers

  • Sectoral audits and compliance reviews.
  • Requests for technical reports, security documentation and evidence of incident response readiness.
  • Orders for remediation and additional reporting.

Incident response

  • Operators typically maintain internal CSIRTs that co-ordinate with CERT.be.

Transport sector

  • Aviation and land transport: Federal Minister for Transport.
  • Maritime and port infrastructure: Federal Minister for Maritime Mobility.

Powers

  • Inspections, security audits and mandatory cybersecurity assessments.

Incident response

  • Sub-sectors such as air navigation services and port authorities maintain dedicated response teams that escalate major incidents to CERT.be.

Health sector – Federal Public Service Public Health

Mandate

  • Oversight of cybersecurity requirements applicable to hospitals, laboratories and other NIS 2-designated health entities.

Powers

  • Access to IT system documentation, incident response plans and security controls.
  • Verification of adequate cybersecurity risk management measures.

Incident response

  • Large hospitals often operate internal CSIRTs.

Digital infrastructure and digital services – BIPT

Mandate

  • Oversight of electronic communications networks, digital infrastructure, cloud providers, DNS operators and certain online platforms.

Powers

  • On-site inspections and technical vulnerability assessments.
  • Binding instructions and enforcement of sector-specific rules.
  • Broad administrative enforcement authority.

Incident response

  • BIPT collaborates closely with CERT.be.

National Crisis Center (NCCN)

Mandate

  • The NCCN co-ordinates national cyber crisis management, including risk assessments, emergency planning and international information exchange on threats to critical infrastructure.

Powers

  • Ability to request detailed reporting for national threat assessments.
  • Co-ordination of emergency plans and activation of crisis response mechanisms.
  • Oversight of crisis communication and support for regional authorities.

Incident response

While not a CSIRT, the NCCN works closely with the CCB and CERT.be during major cyber incidents affecting public safety or national security.

Belgian Data Protection Authority (DPA)

Mandate

  • The DPA enforces GDPR requirements relating to data security and personal data breach notifications.

Powers

  • Investigations via its Inspection Body.
  • Requests for policies, logs, breach documentation and technical evidence.
  • Corrective measures, reprimands and administrative fines.
  • Orders to improve data security controls.

Incident response

  • The DPA may co-operate with the CCB when a cybersecurity incident also constitutes a personal data breach or raises national-level cybersecurity concerns.

Coordination Unit for Threat Analysis (CUTA)

Mandate

  • CUTA assesses extremist and terrorist threats, including cyber-enabled threats. Though not a cybersecurity regulator, it forms part of Belgium’s broader national security architecture.

Powers

  • Access to national intelligence sources and analytical platforms.
  • Ability to issue threat warnings to public authorities and critical operators.

National Security Council (NSC)

Mandate

  • The NSC defines Belgium’s national security strategy and sets strategic priorities for cybersecurity, intelligence and critical infrastructure protection. Its role is primarily strategic rather than operational.

Belgium has implemented the NIS 2 Directive through the NIS 2 Act of 26 April 2024, which significantly expands the types of public and private entities subject to cybersecurity oversight.

The NIS 2 Act applies to the following organisations established in Belgium that provide services listed in Annex I (essential sectors) or Annex II (important sectors) within the EU:

  • essential entities are typically large operators in sectors such as energy, transport, banking, digital infrastructure and healthcare; and
  • important entities include medium-sized and large providers operating in sectors such as waste management, manufacturing of key goods and (digital) services.

Whether an entity falls within scope depends on the nature of the activity and whether it meets the applicable size criteria under Commission Recommendation 2003/361/EC, unless the Annex introduces a different size-based test.

Belgium’s approach is intentionally broad. The CCB has clarified that the NIS 2 Act applies to the entirety of an in-scope organisation, not only the business unit performing the regulated service. Even where the regulated activity is ancillary, the NIS 2 Act may still apply unless the Annex expressly limits scope based on principal or ancillary activities.

From a territorial standpoint, “establishment” requires stable and continuous operations in Belgium, including subsidiaries, branches or permanent installations. Operators designated as critical infrastructure under the Belgian Critical Infrastructures Act are automatically deemed essential entities under the NIS 2 Act.

While the NIS 2 Act reduces many uncertainties that existed under the former NIS 1 regime, organisations must still engage in careful mapping of their services, supply chains and group structures to determine coverage. Despite extensive guidance from the CCB, the most persistent uncertainties and challenges concern:

  • determining sector applicability;
  • digital services classification, especially for hybrid providers whose digital services are ancillary rather than core; and
  • group-level size calculations, especially across multinational structures.

Entities subject to the NIS 2 Act must implement a comprehensive, risk-based cybersecurity programme that aligns with the heightened obligations introduced under the NIS 2 Directive. Belgian law requires in-scope organisations to:

  • register with competent authorities, including completing onboarding via Safeonweb@Work and identifying the entity’s applicable sector classification;
  • adopt cybersecurity risk management measures that are effective and proportionate, addressing governance, operational security, business continuity, incident handling, encryption, access control and vulnerability management;
  • ensure cybersecurity expertise within their management bodies, including regular training and documented responsibilities for supervisory and oversight functions;
  • assess and manage supply chain risk, particularly where ICT service providers support the delivery of essential or important services – the CCB recommends contractually requiring suppliers to meet cybersecurity certification standards such as CyFun® or equivalent; and
  • prepare for and comply with incident notification obligations, as outlined in 2.3 Incident Response and Notification Obligations.

The CCB’s CyFun® Framework remains the primary national reference point for demonstrating compliance. Entities that obtain CyFun® or ISO/IEC 27001 certification benefit from a presumption of conformity with NIS 2 security requirements.

Incident Classification and Thresholds

Under the Belgian NIS 2 Act, incident reporting obligations apply only to significant incidents – ie, those that have a substantial impact on the continuity or security of Annex I/II services and that:

  • cause or are likely to cause severe operational disruption to essential or important services;
  • result in material financial loss for the entity; or
  • lead to considerable material, physical, personal or non-material damage.

Mandatory Multi-Stage Notification Timeline

The Belgian NIS 2 Act adopts a three-phase reporting model that mirrors the requirements of the NIS 2 Directive. Reporting deadlines run from the moment the entity becomes aware of the significant incident.

Early warning – within 24 hours

Entities must notify the CCB:

  • without undue delay; and
  • within 24 hours of becoming aware of a significant incident.

The early warning aims to provide preliminary situational awareness to the CCB. It may include suspected causes, early indicators of compromise, initial containment measures and any cross-border implications. The CCB recognises that information at this stage is preliminary, and encourages early notification even when investigative findings remain incomplete.

Incident notification – within 72 hours

A more detailed incident notification must be submitted:

  • within 72 hours of awareness; or
  • within 24 hours for qualified trust service providers (as defined in Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market).

The notification should include updated technical details, the systems and services affected, the assessed or likely impact, known or suspected attack vectors, indicators of compromise, and measures taken or planned to contain the incident.

For entities in the financial sector subject to DORA, notifications must be submitted to the NBB or the FSMA; these authorities then transmit the notification to the CCB.

Final report – within one month

A comprehensive final report must be submitted within one month after the detailed notification.

The report must include a root cause analysis, a complete timeline from detection through recovery, a detailed impact and remediation analysis, and long-term mitigation measures. The CCB or relevant sectoral authority may request additional interim updates.

Notification Channels and Competent Authorities

All notifications must be submitted through the CCB’s secure online reporting platform, accessible via Safeonweb@Work. The CCB functions as Belgium’s:

  • national CSIRT;
  • national cybersecurity authority; and
  • single point of contact for NIS 2 implementation.

The CCB shares information with relevant sectoral authorities and, for essential entities, with the NCCN, which co-ordinates national-level crisis management.

Sector-specific oversight bodies include:

  • BIPT for electronic communications and digital infrastructure;
  • FPS Economy for digital services and online platforms;
  • FPS Public Health for healthcare operators;
  • transport authorities covering rail, air, road and maritime sectors; and
  • the NBB and FSMA for financial services.

Required Content of Notifications

Regulators expect the following elements, tailored to the maturity of the investigation.

Early warning (24 hours)

  • High-level description of the incident.
  • Suspected origin or cause.
  • Early assessment of impact on regulated services.
  • Potential cross-border effects.

Incident notification (72 hours)

  • Confirmed technical facts and system details.
  • Identification of impacted assets and service dependencies.
  • Updated severity assessment.
  • Implemented containment measures and additional mitigation steps.

Final report (one month)

  • Full forensic and root cause analysis.
  • Comprehensive timeline of the incident and response measures.
  • Detailed impact assessment for services, customers and third parties.
  • Long-term security improvements and recommended preventative measures.

The CCB has released a “NIS 2 Quickstart Guide” and provides a library of template policies (eg, for risk management and incident handling) to help organisations standardise their internal procedures. The CCB is also expected to issue unified templates to standardise reporting across sectors.

Treatment of Early Warnings

The CCB treats early warnings as situational awareness tools, not enforcement triggers. It recognises that information may be incomplete or subject to change, and typically does not penalise entities for corrections or updates. Instead, the CCB encourages swift reporting to prevent potential incident escalation.

Obligation to Inform Recipients and the Public

If an incident is likely to adversely affect service recipients, the entity must:

  • notify recipients without undue delay;
  • provide actionable guidance on protective steps; and
  • communicate any mitigation actions the entity has taken.

In cases of broader public risk, the CCB may require public disclosure.

Multi-Agency and Parallel Reporting Obligations

Depending on the nature of the incident, additional reporting requirements may apply, as follows.

  • GDPR: personal data breaches must be reported to the DPA within 72 hours, and possibly to affected individuals if a high risk exists.
  • DORA: financial entities must follow DORA’s incident classification and reporting model, submitting notifications to the NBB or FSMA.
  • Critical Infrastructure Act: operators designated as critical infrastructure may need to provide additional reports to the NCCN.
  • Medical Devices Regulation: cyber incidents involving medical devices may trigger reporting to the Federal Agency for Medicines and Health Products (FAMHP) if they cause or have the potential to cause death, serious deterioration of health, or serious public health threats.

The CCB is responsible for overseeing all aspects of NIS 2 implementation in Belgium, including:

  • co-ordinating and supervising essential and important entities;
  • monitoring national cybersecurity readiness;
  • managing CSIRT operations; and
  • ensuring alignment with EU cybersecurity frameworks.

The CCB represents Belgium in the NIS Cooperation Group, the CSIRT Network and the European Cyber Crisis Liaison Organisation Network (EU CyCLONe).

The NCCN supports the CCB in national cyber crisis management, risk preparedness and handling incidents with cross-sector or national-level impact.

Sectoral regulators continue to enforce sector-specific obligations, with enhanced collaboration mechanisms introduced under NIS 2 to ensure coherent national supervision and co-ordinated incident response.

Belgium applies DORA as the primary regulatory framework governing the operational resilience of financial entities. DORA has applied since 17 January 2025 and covers a broad range of regulated financial entities established in Belgium or operating through Belgian or other EU branches, including:

  • credit institutions;
  • insurers and reinsurers;
  • investment firms;
  • payment and e-money institutions;
  • crypto-asset service providers;
  • trading venues and market infrastructures;
  • Institutions for Occupational Retirement Provision (IORPs); and
  • various intermediaries.

DORA also applies indirectly to third-party ICT service providers that supply ICT services to financial entities. An ICT provider that is designated as “critical” by the European Supervisory Authorities becomes subject to direct EU-level oversight and must establish an EU legal presence, even if headquartered outside the European Union. In this way, DORA has a limited but significant extraterritorial impact on non-EU critical ICT service providers that support the EU financial sector.

The NBB and the FSMA serve as the competent authorities responsible for supervising DORA implementation by financial entities. Where DORA applies as a sector-specific lex specialis, its requirements prevail over horizontal obligations under the NIS 2 Act.

DORA imposes detailed contractual, governance and oversight obligations on financial entities engaging third-party ICT service providers. “ICT service providers” are broadly defined to include providers of cloud computing, data centres, hosting and storage, cybersecurity services, network services, managed IT services, software, data analytics, back-up and recovery solutions, and related support and maintenance.

Financial entities within scope of DORA must maintain a comprehensive Register of Information (RoI) covering all third-party ICT arrangements. Contracts supporting “critical or important functions” must meet specific minimum standards, including:

  • a detailed description of the services, including the business functions supported;
  • identification of all locations where data is processed and services are performed, with advance notification of any changes;
  • clear service levels and performance metrics;
  • information security, business continuity and incident response obligations, including:
    1. full audit, inspection and access rights for the financial entity, its auditors and competent authorities;
    2. robust subcontracting and chain outsourcing provisions, including transparency, consent mechanisms and flow down of obligations;
    3. support for digital operational resilience testing, including participation in threat-led penetration tests when applicable; and
    4. exit, transition and data portability arrangements, including return and deletion obligations.

Belgian supervisory practice reflects the EU-level regulatory technical standards (RTS/ITS), including those on contractual requirements, subcontracting, classification of incidents, and RoI harmonisation.

Financial entities must implement a management body-owned ICT risk management framework addressing identification, protection, detection, response and recovery.

Financial entities must classify ICT-related incidents using EU harmonised materiality thresholds. If they determine that an ICT incident is “major” based on factors like impact on clients, transactions, data and duration, they must report the major incident within the following strict timelines.

  • Initial notification: as soon as possible, no later than four hours after classifying an incident as “major”, and in any case within 24 hours of detection.
  • Intermediate report: within 72 hours after the initial notification.
  • Final report: within one month after the latest intermediate report.
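
The three deadlines above interact in a way that is easy to get wrong in an incident runbook: the initial notification is due four hours after classification or 24 hours after detection, whichever comes first, and the final report runs one calendar month from the latest intermediate report, not from the first. The following calculator is an added example written for this guide; it is not tooling from DORA, the NBB, the FSMA or the authors, and the timestamps and helper names (`parse_utc`, `major_incident_deadlines`, `final_report_deadline`) are constructed for illustration.

```python
"""Deadline calculator for DORA major ICT-related incident reporting.

Added example for this guide (not official tooling). It encodes the timelines
quoted in the text: initial notification within 4h of classifying the incident
as "major" and in any case within 24h of detection; intermediate report 72h
after the initial notification; final report one month after the latest
intermediate report. All timestamps are timezone-aware UTC.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def parse_utc(iso_timestamp: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp (no offset) as UTC."""
    return datetime.fromisoformat(iso_timestamp).replace(tzinfo=timezone.utc)


def add_one_month(moment: datetime) -> datetime:
    """Same wall-clock moment one calendar month later, clamping the day so
    that e.g. 31 January yields 28 (or 29) February rather than an error."""
    year, month = moment.year, moment.month + 1
    if month == 13:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


@dataclass(frozen=True)
class MajorIncidentDeadlines:
    initial_notification: datetime
    intermediate_report: datetime
    # True when the 24h-after-detection cap bit before the 4h-after-classification rule,
    # i.e. classification took more than 20 hours and the team is already on the clock.
    capped_by_detection: bool


def major_incident_deadlines(detected_at: datetime,
                             classified_major_at: datetime) -> MajorIncidentDeadlines:
    """Compute the initial and intermediate report deadlines for one major incident."""
    if detected_at.tzinfo is None or classified_major_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps to avoid DST/offset mistakes")
    if classified_major_at < detected_at:
        raise ValueError("classification cannot precede detection")
    four_hours_after_classification = classified_major_at + timedelta(hours=4)
    twenty_four_hours_after_detection = detected_at + timedelta(hours=24)
    # "Whichever is earlier": the 24h detection limit is a hard cap on the 4h rule.
    initial = min(four_hours_after_classification, twenty_four_hours_after_detection)
    return MajorIncidentDeadlines(
        initial_notification=initial,
        intermediate_report=initial + timedelta(hours=72),
        capped_by_detection=twenty_four_hours_after_detection < four_hours_after_classification,
    )


def final_report_deadline(intermediate_reports: list[datetime]) -> datetime:
    """Final report is due one month after the *latest* intermediate report submitted."""
    if not intermediate_reports:
        raise ValueError("at least one intermediate report is required")
    return add_one_month(max(intermediate_reports))


if __name__ == "__main__":
    # Constructed scenario: detected 09:00, classified "major" two hours later.
    prompt = major_incident_deadlines(parse_utc("2026-03-02T09:00:00"),
                                      parse_utc("2026-03-02T11:00:00"))
    # Constructed scenario: classification only 22 hours after detection,
    # so the 24h detection cap governs the initial notification.
    late = major_incident_deadlines(parse_utc("2026-03-02T09:00:00"),
                                    parse_utc("2026-03-03T07:00:00"))
    for label, d in (("prompt classification", prompt), ("late classification", late)):
        print(f"{label}: initial by {d.initial_notification.isoformat()}, "
              f"intermediate by {d.intermediate_report.isoformat()}, "
              f"capped by 24h detection rule: {d.capped_by_detection}")
    print("final report by",
          final_report_deadline([parse_utc("2026-03-05T12:00:00"),
                                 parse_utc("2026-03-20T12:00:00")]).isoformat())
```

The `capped_by_detection` flag is the value worth surfacing in a runbook or ticketing integration: when it is set, the classification decision consumed most of the budget, and the notification team has less than four hours left regardless of when classification was formally recorded.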

Financial entities must also notify clients where major incidents materially affect the financial interests or the continuity of services provided to them. DORA introduces a voluntary notification mechanism for “significant cyber threats”, enabling authorities to share threat information horizontally across the sector.

For financial entities in Belgium that are subject to DORA, incident reports are submitted to the NBB or FSMA, as applicable. These authorities subsequently transmit the reports to the CCB, ensuring alignment with the Belgian NIS 2 notification framework.

The NBB and FSMA supervise compliance by financial entities with DORA’s ICT risk management and third-party oversight requirements. National supervisory measures may include remedial actions, heightened supervision and administrative fines for breaches of DORA obligations.

In parallel, the European Supervisory Authorities (EBA, EIOPA and ESMA) designate certain ICT service providers as Critical ICT Third Party Providers (CTPPs). For each designated CTPP, one of the ESAs acts as the Lead Overseer. The Lead Overseer’s enforcement and oversight tools include requesting information, conducting investigations and on-site inspections, issuing recommendations, performing ongoing oversight activities, and imposing periodic penalty payments to ensure the CTPP’s compliance with DORA’s operational resilience requirements.

DORA does not impose general EU data localisation requirements; however, it requires transparency and risk mitigation for all locations in which data is processed or stored. Where ICT services involve personal data, the GDPR’s rules on international data transfers (Chapter V) apply, including obligations to ensure that the transferred data remains protected via adequacy decisions, Standard Contractual Clauses or Binding Corporate Rules, and that Transfer Impact Assessments are performed, where required.

Financial entities should integrate GDPR transfer risk assessments into their DORA third-party risk management processes. Contractual arrangements should specify data processing locations and set out notification and approval mechanisms for the relocation of data or services to third countries.

Under Articles 26–27 of DORA, certain “significant” financial entities must conduct threat-led penetration testing (TLPT) every three years. The EU TLPT Regulatory Technical Standards, effective July 2025, align with the EU’s Threat Intelligence Based Ethical Red Teaming (TIBER EU) framework, which Belgium implements through the NBB’s TIBER BE programme.

TIBER BE co-ordinates intelligence-led red team testing of entities’ critical or important functions using realistic cyber-attack scenarios. Co-operation from ICT service providers may be required where they are identified as CTPPs for the systems in scope.

TLPT exercises performed in accordance with TIBER EU’s mandatory requirements may be recognised across borders by competent TLPT authorities.

Financial entities in Belgium likely to be designated as “significant” should prepare by:

  • assessing their critical functions;
  • establishing relationships with qualified threat intelligence and red team providers;
  • updating contractual provisions to support TLPT participation; and
  • aligning internal teams with TIBER BE operational requirements.

Belgium’s cyber-resilience framework is defined largely by directly applicable EU legislation – most notably the Cyber Resilience Act (CRA), which entered into force on 10 December 2024. As a horizontal regulatory framework, the CRA establishes mandatory cybersecurity requirements for products with digital elements (PDEs) placed on the EU/Belgian market. The CRA applies irrespective of where the manufacturer of the PDE is located; non-EU entities placing PDEs on the Belgian market are fully in scope.

The CRA requires cybersecurity to be embedded throughout the entire life cycle of a PDE, from initial design and development to post-market monitoring and end of support activities.

The CRA complements, rather than replaces, sector-specific Belgian and EU regimes, such as the NIS 2 Act, the Cybersecurity Act and sectoral instruments governing telecoms, medical devices and financial services.

Its scope is intentionally broad. PDEs include nearly any software or hardware product – such as consumer and industrial IoT devices, embedded systems, connected hardware, enterprise and standalone software – whose intended or foreseeable use involves a direct or indirect data connection to a device or network. Pure SaaS and cloud services are generally excluded unless the service forms part of a PDE or is required for a PDE’s functioning. Cloud service providers may still fall under other regulatory frameworks such as NIS 2, and under DORA when providing ICT services to in-scope financial entities.

The CCB will play a central role in co-ordination, market surveillance and enforcement support, working alongside the Federal Public Service Economy and relevant EU bodies. It is expected to materially strengthen Belgium’s security posture by reducing systemic vulnerabilities in the digital products that underpin commercial operations and public services.

The CRA imposes a set of cybersecurity obligations on manufacturers, importers and distributors of PDEs placed on the EU/Belgian market, and (in limited cases) open source software stewards. These obligations focus on embedding cybersecurity into the design, development, distribution and maintenance of all PDEs placed on the Belgian market.

Security by Design and Security by Default Requirements

PDE manufacturers must ensure that cybersecurity is built into PDEs from the earliest stages of product conception. Key requirements include:

  • designing PDEs to reduce attack surfaces and prevent known vulnerabilities;
  • implementing secure architectures, appropriate encryption and protective technical controls;
  • ensuring secure configurations by default, such as disabling weak credentials and enabling secure update mechanisms; and
  • maintaining detailed technical documentation demonstrating compliance.

Manufacturers must also implement processes for continuous improvement and adhere to “state of the art” security expectations throughout the product’s life cycle.

Vulnerability Handling, Patching and Update Timelines

The CRA introduces harmonised EU rules for vulnerability management. Manufacturers of PDEs must:

  • maintain a formal Coordinated Vulnerability Disclosure (CVD) process;
  • issue security updates and patches without undue delay following discovery or notification of vulnerabilities;
  • provide security support throughout the declared support period, which must be communicated transparently to customers; and
  • maintain appropriate logging, monitoring and diagnostic functionality.

As of 11 September 2026, manufacturers will also be required to report actively exploited vulnerabilities and severe cybersecurity incidents through the EU’s new single reporting platform. This includes:

  • an early warning within 24 hours of becoming aware of the incident;
  • a full incident notification within 72 hours; and
  • a final report, submitted once the investigation is concluded.

Post-Market Surveillance Obligations

Manufacturers of PDEs are required under the CRA to conduct post-market monitoring and ensure continued cybersecurity throughout the product’s support period. This includes:

  • ongoing assessment of vulnerabilities affecting the PDE and its components;
  • deploying remediation measures and issuing patches or updates without undue delay once vulnerabilities are discovered or reported;
  • maintaining detailed technical documentation, including the results of post-market surveillance and actions taken; and
  • monitoring cybersecurity-related anomalies and incidents, and reporting actively exploited vulnerabilities and severe incidents to the relevant authorities.

Importers and distributors operating in Belgium must ensure that any PDE they place on the EU market:

  • bears the CE marking;
  • is accompanied by required documentation; and
  • is not supplied if non-compliant with CRA requirements.

Conformity Assessment and CE Marking

All PDEs must undergo a conformity assessment to demonstrate compliance with the CRA’s essential cybersecurity requirements. Public EU guidance makes clear that:

  • default category PDEs may undergo self-assessment by the manufacturer, irrespective of whether harmonised standards exist;
  • important category PDEs may also use self-assessment only when the manufacturer fully applies harmonised standards or common specifications, or holds qualifying European cybersecurity certifications;
  • important and critical PDEs (eg, identity management tools, password managers, firewalls, operating systems and smart meters) may require third-party conformity assessment by a notified body; and
  • once conformity is demonstrated, the manufacturer must issue an EU Declaration of Conformity and affix the CE mark before placing the PDE on the market.

These conformity assessment obligations become mandatory from 11 December 2027, when the CRA enters into full application.

Transparency and Information Requirements

Manufacturers of PDEs must provide users with clear and accessible information, including:

  • instructions for secure installation and configuration;
  • the PDE’s batch or serial number;
  • the end of support date, specifying how long security updates will be provided; and
  • contact details and documentation enabling users to understand the PDE’s cybersecurity posture.

These disclosures aim to support more informed procurement decisions by Belgian businesses and public entities.

Product Recall, Withdrawal and Corrective Measures

When cybersecurity risks cannot be mitigated through patches or updates, authorities may require PDE manufacturers, importers or distributors to:

  • withdraw the PDE from the market;
  • recall the PDE from customers; or
  • implement other appropriate corrective measures.

Market surveillance authorities may also require insecure product functionality to be disabled where necessary.

Enforcement and Penalty Structures

The CRA establishes a unified EU-wide enforcement and market surveillance framework aimed at ensuring consistent oversight of cybersecurity requirements for PDEs across all EU member states. Enforcement operates under the EU’s horizontal market surveillance architecture (Regulation (EU) 2019/1020), with each EU member state designating its own competent authorities.

In Belgium, CRA supervision is carried out by the CCB and the Federal Public Service Economy, which together perform the roles of market surveillance authority and enforcement body within the national context.

Competent authorities – whether Belgian or EU level – are empowered to undertake a broad range of supervisory actions, including:

  • conducting inspections;
  • requesting and reviewing technical documentation; and
  • ordering corrective or risk mitigating measures where a PDE presents cybersecurity deficiencies or non-compliance with essential requirements.

In addition, the CRA introduces a harmonised penalty framework, setting the following maximum administrative fines:

  • up to EUR15 million or 2.5% of global annual turnover (whichever is higher) for breaches of essential cybersecurity requirements;
  • up to EUR10 million or 2% of global annual turnover for violations involving technical documentation, reporting failures or conformity assessment obligations; and
  • periodic penalty payments for ongoing non-compliance, ensuring that entities cannot indefinitely delay corrective actions.

Belgium adopts a multi-layered approach to cybersecurity certification that combines national, EU-wide and sector-specific frameworks. Together, these create both voluntary and mandatory obligations depending on the product, service or sector concerned, and increasingly influence procurement, supply chain assurance and market access for companies operating in Belgium.

National Framework: CyberFundamentals (CyFun®)

Belgium’s flagship national scheme is CyFun®, managed by the CCB, which also serves as the National Cybersecurity Certification Authority. CyFun® is designed to raise cybersecurity maturity across Belgian organisations and support compliance with the Belgian NIS 2 Act. CyFun® offers four levels:

  • small (entry-level guidance);
  • basic;
  • important; and
  • essential.

Basic and Important require independent verification, whereas Essential requires full certification by an accredited and CCB-authorised Conformity Assessment Body (CAB). CyFun® is not legally mandatory but is widely used because it provides for the presumption of conformity with NIS 2 requirements.

EU Level Schemes Under the Cybersecurity Act

At the EU level, certification follows the Cybersecurity Act (Regulation (EU) 2019/881), which establishes an EU‑wide framework for harmonised cybersecurity certification schemes.

The first adopted scheme is the EUCC, formalised by Implementing Regulation (EU) 2024/482. The EUCC is based on the Common Criteria (ISO/IEC 15408) and the Common Evaluation Methodology (ISO/IEC 18045). It provides two assurance levels: Substantial and High, applicable to a wide range of ICT products, including software, hardware and security components. EUCC certification is voluntary under the Cybersecurity Act, but may become mandatory where required by EU sectoral legislation or EU member state law, and procurement rules may also impose it.

Two additional schemes, still under development, will have significant future impact.

  • The EUCS (cloud services) scheme is intended to certify cloud services at Basic, Substantial and High assurance levels. Its adoption has been repeatedly delayed due to political debate over so‑called “sovereignty” requirements, including whether high‑assurance cloud offerings must be operated exclusively under EU jurisdiction with EU‑only data residency and immunity from non‑EU laws. Once finalised, EUCS is expected to significantly influence cloud procurement practices across the EU (including in Belgium) where public sector and regulated sector buyers increasingly rely on EU‑level certification frameworks.
  • EU5G – work is progressing on 5G-related security requirements, but no binding EU scheme is yet in force.

The proposed 2026 revision of the Cybersecurity Act aims to streamline certification, strengthen supply chain protections, and enhance the role of the EU Agency for Cybersecurity (ENISA), likely making certification increasingly relevant for access to public sector markets.

Mandatory Sector-Specific Schemes

Some certification regimes are not voluntary and directly determine market access.

  • UNECE R155/R156 – automotive cybersecurity and software updates. These regulations are mandatory for EU vehicle type approval: manufacturers must implement and maintain certified Cybersecurity Management Systems (CSMS) and Software Update Management Systems (SUMS). Compliance is required for obtaining type approval and is effectively a prerequisite for selling vehicles in the EU.
  • RED Delegated Regulation (EU) 2022/30 – cybersecurity for radio equipment. From 1 August 2025, internet‑connected radio and IoT devices placed on the EU market must comply with mandatory cybersecurity essential requirements covering network protection, privacy and fraud prevention, as part of CE marking.

Interactions With Belgian Practice

Organisations operating in Belgium typically use a combination of CyFun® (organisational maturity), EUCC (product assurance), RED compliance (IoT devices) and sectoral schemes, such as UNECE R155. NIS 2-regulated entities increasingly require suppliers to demonstrate certification, making these schemes important not only for regulatory compliance but also for staying competitive in procurement.

Belgium’s cybersecurity and personal data breach notification obligations derive primarily from the GDPR and the Belgian Data Protection Act of 30 July 2018, which supplements the GDPR at national level. The Belgian Data Protection Authority (DPA) is the competent supervisory authority. The combined framework imposes robust expectations on organisations regarding technical and organisational security measures, risk management, vendor oversight and timely incident reporting.

This section outlines the core cybersecurity requirements applicable when processing personal data in Belgium and provides an overview of the thresholds, timelines and content obligations for breach notifications.

Security Requirements for Processing Personal Data

General obligations

Controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data. This requirement obliges organisations to consider:

  • the nature, scope, context and purposes of processing;
  • the likelihood and severity of risks for individuals; and
  • industry-appropriate security norms and state of the art protections.

Typical measures expected in Belgium

While Belgian law remains technology-neutral, the DPA generally expects measures such as:

  • identity and access management, including role-based access, multi-factor authentication and least privilege principles;
  • the encryption of personal data in transit and at rest, especially for sensitive or high-risk data categories;
  • logging and continuous monitoring, including proactive detection of unauthorised or anomalous activities;
  • robust incident response procedures, with predefined roles, communication lines and decision-making protocols;
  • business continuity and disaster recovery procedures capable of restoring access to personal data in a timely manner after a physical or technical incident; and
  • vendor and supply chain diligence, ensuring processors maintain security standards equivalent to those of the controller.

Where appropriate, Belgium also expects regular testing and evaluation of security measures (eg, penetration tests, audits, tabletop exercises).

Definition and Assessment of a Personal Data Breach

Belgium applies the GDPR definition of a personal data breach, under which a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. The Belgian DPA emphasises that not every security incident amounts to a breach; however, controllers must conduct a prompt and documented assessment of every incident involving personal data.

Notification to the Belgian DPA

Threshold for notification

Controllers must notify the DPA unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Risk indicators include:

  • sensitive or financial data;
  • large volumes of data or high numbers of individuals;
  • child or vulnerable-person data; and
  • indicators of malicious intent (eg, hacking, exfiltration).

Deadline

The DPA launched a new, centralised online portal for data breach notifications in June 2025 that introduces a structured, mandatory two-stage notification process.

  • Part 1 (initial notification): must be submitted within the GDPR-mandated 72-hour window after discovering a breach. Completing this part generates an official Data Breach Notification (DBN) case reference number.
  • Part 2 (detailed follow-up): requires additional, in-depth information about the scope, cause and impact of the breach. Organisations have a maximum of 21 calendar days to complete this part. Failure to complete the second part within 21 days results in the initial submission (Part 1) being treated as the final submission.

Required content

The notification to the DPA must include at least the following:

  • a description of the breach, including categories and approximate numbers of impacted data subjects and records;
  • likely consequences of the breach;
  • measures taken or proposed to address or mitigate adverse effects;
  • contact details of the DPO or relevant contact point; and
  • any additional relevant information (eg, forensic insights, containment measures, system logs).

Belgium’s AI-specific cybersecurity obligations are now primarily driven by the directly applicable EU Artificial Intelligence Act (AI Act), which imposes security by design and security by default requirements throughout the life cycle of AI systems.

Under the AI Act, high-risk AI systems must be technically resilient, protected against data poisoning, model evasion and other adversarial attacks, and supported by secure logging, monitoring and post market surveillance mechanisms. Providers and deployers of high-risk AI systems must also address supply chain and model component risks, ensuring that upstream general purpose or foundational models are subject to appropriate due diligence, vulnerability testing and mitigation measures.

The AI Act’s incident reporting framework requires notification of “serious incidents”, including systemic cybersecurity failures, while any personal data breach triggered by an AI security incident must also be notified under Belgium’s GDPR regime.

For entities already subject to NIS 2, the AI Act operates alongside Belgium’s 24-hour early warning and 72-hour incident notification rules, creating a layered reporting landscape. Belgian regulators have emphasised that AI-related obligations do not displace existing cybersecurity or data protection duties; instead, the AI Act complements the GDPR’s security requirements by imposing additional model-specific safeguards and enhanced accountability for organisations developing or deploying AI systems.

Cybersecurity requirements in Belgium’s healthcare sector stem from a combination of EU-level product regulations, horizontal cybersecurity legislation and sector-specific supervisory expectations. Healthcare providers, hospitals, medical device manufacturers and operators of electronic health record (EHR) systems must comply not only with the GDPR and NIS 2 Act but also with the security and safety requirements embedded in the EU Medical Devices Regulation (MDR). Belgium’s Federal Agency for Medicines and Health Products (FAMHP) plays a central role in supervising device-related incidents, while the DPA oversees data protection and breach notification obligations.

Healthcare Providers and Hospitals

Hospitals and many other healthcare providers qualify as “essential” or “important” entities under the NIS 2 Act. As a result, they must implement proportionate technical and organisational cybersecurity measures, including:

  • risk assessments;
  • identity and access management;
  • network segmentation;
  • continuous monitoring;
  • incident handling; and
  • business continuity planning.

They must also comply with Belgium’s multi-stage incident reporting framework, which requires an early warning within 24 hours, a 72-hour incident notification, and a final report within one month. These expectations are reinforced by sector-specific guidance and broader national trends toward assurance-based supervision.

Where incidents involve personal data such as patient records, healthcare providers must also comply with notification obligations under the GDPR.

Medical Devices and Software as a Medical Device (SaMD)

The EU Medical Device Regulation (MDR) imposes detailed cybersecurity obligations on manufacturers. Devices incorporating software – including SaMD and connected medical devices – must be “developed and manufactured in accordance with the state of the art”, including robust information security controls. Manufacturers must define minimum IT network characteristics, hardware requirements and security controls, including protections against unauthorised access.

Manufacturers must also operate post-market surveillance systems, monitor emerging vulnerabilities, and implement corrective and preventative measures when security flaws are identified. Cybersecurity weaknesses that could affect patient safety require immediate reporting to the FAMHP through the EU’s vigilance system.

Electronic Health Record Systems

EHR systems process large quantities of sensitive health data and therefore fall within the GDPR’s heightened security framework. Controllers must:

  • adopt state of the art technical and organisational measures;
  • conduct data protection impact assessments;
  • enforce strict access governance; and
  • maintain audit trails.

If an EHR provider meets the criteria of an essential or important NIS 2 entity, or acts as a critical third-party ICT provider to a hospital, it must comply with Belgium’s NIS 2 risk management and incident reporting requirements.

Procurement and Certification

Belgium’s shift toward assurance-based cybersecurity also affects procurement. While certification is not mandatory for healthcare providers, the national CyFun® framework is increasingly used to demonstrate compliance and is relevant for suppliers of medical IT systems. Healthcare sector procurement increasingly includes requirements relating to secure development, patch management, supplier assurance and conformity assessment for MDR-regulated devices.

Alston & Bird LLP

Rue Guimard 9
B-1040 Brussels
Belgium

+32 2 486 8822

Wim.Nauwelaerts@alston.com www.alston.com

Trends and Developments


Author



Loyens & Loeff is a leading law and tax firm, and the trusted partner for businesses in the Netherlands, Belgium, Luxembourg and Switzerland. With more than 1,000 advisers across Benelux and Swiss offices and key financial centres worldwide, it delivers integrated legal and tax solutions tailored to clients’ needs. The firm’s multidisciplinary approach combines deep sector knowledge with pragmatic, business-oriented advice. It is recognised for excellence in corporate, M&A, tax, dispute resolution and regulatory matters, and for its niche expertise in privacy, cybersecurity and technology law. Clients value the firm’s responsiveness, technical strength and ability to handle complex cross-border issues efficiently. Loyens & Loeff invests in innovation and client-focused solutions, ensuring compliance and risk management in a rapidly evolving legal landscape.

Introduction

Cybercrime has significantly increased in recent years, with a growing number of ransomware attacks, increasingly sophisticated phishing campaigns, and major data breaches affecting both private companies and public institutions. As a result, cybersecurity has become a key strategic concern in Belgium for both the public and private sectors.

The regulatory landscape in this area remains under construction, with certain legislation already in force and other requirements set to apply in the coming years, as follows.

  • Following the transposition of EU Directive 2022/2555 (the “NIS 2 Directive”) into Belgian law at the end of 2024, many entities are still investing considerable resources to achieve NIS 2 compliance. From 2026, entities that have opted for the “Basic” or “Important” frameworks will be required to have their initial self-assessments verified by a “Trusted NIS Provider” and approved by the Centre for Cybersecurity Belgium (CCB).
  • Belgium is expected to transpose EU Directive 2022/2555 (the “CER Directive”) in 2026 – a process that should have been completed by October 2024.
  • While EU Regulation 2024/2847 (the “Cyber Resilience Act”, or CRA) will generally apply from 11 December 2027, its Article 14 will become applicable as of 11 September 2026, and its Chapter IV (Articles 35 to 51) shall apply from 11 June 2026.

An analysis of some of these topics and developments follows.

CCB Publishes Second Version of the NIS 2 FAQ

In 2025, the CCB released a second version of its FAQ, clarifying several key aspects of the Belgian NIS 2 implementation act (the “NIS 2 Law”).

The main points clarified by the CCB include the following.

  • Ancillary activities may trigger NIS 2 applicability: a company whose principal activity falls outside the scope of the (exhaustively listed) NIS 2 sectors but that engages, even marginally, in activities listed in the annexes to the NIS 2 Law will be considered “in-scope”. The primary or ancillary nature of the activities does not, as such, matter for NIS 2 applicability to be triggered. In such cases, the size calculations for the applicability assessment will encompass the entire entity, and not merely the activities deemed to be “in-scope”.
  • Application of NIS 2 to groups of companies: the size thresholds for determining NIS 2 applicability are to be calculated on a group level, taking into account the employees and financials of partnered and linked enterprises. Conversely, the relevant in-scope activities should be assessed for each legal entity individually. When assessing the scope of NIS 2 within a group of companies, every legal entity must analyse, on its own, whether its activities and services bring it within the scope of NIS 2. The mere sharing of data, networks or information systems within a corporate group does not, in itself, determine or alter the applicability of NIS 2. However, it is possible for a NIS 2 entity to be subject to several pieces of transposition legislation and competent supervisory authorities throughout the EU. This is the case when, within the same group, entities are established in multiple EU member states and are not subject to the main establishment criteria (which apply only to certain entities providing digital services).
  • Intra-group provision of managed IT services or cloud services: although highly criticised for this position, the CCB takes the view that entities providing IT management or cloud services to affiliates (ie, in a purely intra-group situation) fall within the scope of activities covered by NIS 2 (provided that the size thresholds are also met at group level). Even where the main operational activities of a group have no relation at all to NIS 2 in-scope activities, NIS 2 applicability may therefore be triggered purely by the way in which a group is structured internally (namely by centralising intra-group IT management within one entity). Conversely, the CCB notes that the situation differs when multiple organisations within the same group share data, networks or systems and distribute costs, without any entity actually acting as a managed service provider for the others. The same reasoning applies if an entity enters into a contract with a NIS 2 service provider and allows this contract/service to be used by its affiliates. In such case, the NIS 2 services continue to be provided by the NIS 2 service provider and not by the contracting entity. The scope of “managed IT services” activities and their application in an intra-group context therefore remains a delicate and debated topic in Belgium in 2026.
  • NIS 2 in M&A: NIS 2 has become an important point of attention in M&A transactions in Belgium, notably as the NIS 2 qualification of an entity that undergoes a change of control may change. While NIS 2 applicability does not automatically transfer to the acquirer of an in-scope entity, both the calculation of size thresholds and the identification of in-scope activities may change after an acquisition. For example, depending on the service provided by the NIS 2 entity, an increase in size (because the acquiring group is much larger than the seller group) may trigger a post-closing qualification as an “Essential” rather than “Important” entity. Intra-group IT arrangements (see “managed IT services”, as discussed above) may trigger (or “de-trigger”) NIS 2 applicability. A re-assessment of NIS 2 applicability post-M&A (and, even better, as part of due diligence in order to assess potential additional cost/financial implications) is therefore highly advisable.
  • Civil and criminal liability of the management board: Article 31, Section 1 of the NIS 2 Law provides that management bodies are liable for breaches of cybersecurity measures. The CCB refers to the general principles of liability under Belgian law. The liability of legal entities is, in principle, engaged through the actions of their representative organs, as provided by Article 2:49 of the Companies and Associations Code. In addition, civil liability of members of management or supervisory bodies may also be engaged under the theory of cumulative liability, pursuant to Articles 2:56 to 2:58 of the Companies and Associations Code, where the fault is tortious and clearly exceeds what a prudent and diligent director would have done under the same circumstances. Regarding criminal liability, the CCB explicitly notes that the NIS 2 Law does not exclude criminal liability of either legal or natural persons.
  • Content of management training: while the NIS 2 Law requires members of management bodies to receive cybersecurity training, the CCB has clarified in interviews that there are no mandatory training centres, certificates or prescribed content or methods for the delivery of such training. The CCB’s FAQ, however, does specify the objective of such training: “The purpose of training members of the management body is to enable them to properly perform the duties assigned to them under the law, ie, to approve cybersecurity risk-management measures and to supervise their implementation. There is no prescribed content or duration; both are left to the discretion of the entity.” The CCB further distinguishes between “Important” and “Essential” entities, implying that training expectations may vary depending on the entity’s NIS 2 classification. Accordingly, each organisation is responsible for determining the scope, format and duration of the management training, ensuring that members of management are adequately equipped to fulfil their supervisory and decision-making responsibilities under NIS 2.

Cybersecurity Measures to Gain a Competitive Edge in the Supply Chain

Cybersecurity is no longer evaluated solely within the boundaries of an organisation’s own systems: it is assessed across the entire value chain. Indeed, supply chains have become one of the most common vectors for cyber incidents, and the NIS 2 Directive requires in-scope entities to implement specific cybersecurity measures to manage their supply chains. As a result, in-scope organisations impose obligations on their suppliers, including those not directly subject to NIS 2, which are now increasingly indirectly impacted by this legislation.

Many suppliers have understood that they can gain a strategic advantage by embedding cybersecurity into their operations. By adopting robust security practices, they strengthen client and partner trust, increase operational resilience, and position themselves as more competitive players in the market. This trust translates into tangible commercial value. Customers are more likely to work with suppliers who can demonstrate effective management of third-party risks, particularly when services are business-critical or involve sensitive data. In competitive tenders, credible cybersecurity governance can serve as a clear differentiator, especially where price or functionality alone would not suffice. What was once a distinguishing feature of the most security-conscious organisations is rapidly becoming a baseline expectation across the market.

CyFun® 2025 as a Major Framework in Belgium

Since the entry into force of the NIS 2 Directive in Belgium, many organisations have adopted the Belgian CyFun® framework.

CyFun® is a structured framework providing:

  • a standardised approach for risk assessment and cybersecurity controls aligned with Belgian and EU legal requirements;
  • modular frameworks (“Basic”, “Important”, “Essential”) allowing organisations to calibrate security measures according to size, criticality and sector; and
  • a documentation and verification process facilitating audits by “Trusted NIS Providers” and approval by the CCB.

The key advantage of CyFun® lies in providing a common language for authorities, auditors and organisations, reducing ambiguity about what constitutes satisfactory NIS 2 compliance. It is designed to:

  • systematically assess vulnerabilities and risks in information systems;
  • define corrective and preventative action plans for identified weaknesses; and
  • provide clear, traceable reporting for regulatory inspections and audits.

It is important to note that CyFun® certification also grants a legal presumption of compliance with the Belgian NIS 2 Law.

Although developed at a national level in Belgium, CyFun® is designed for recognition and use at a broader EU level. Romania has already officially adopted the framework, and several other EU member states, including France, acknowledge CyFun®’s value and are exploring integration or full adoption.

Transposition of CER Directive into Belgian Law

The law transposing the Critical Entities Resilience Directive into Belgian law is expected in 2026. This represents a significant step toward completing the long-overdue transposition, which was initially required by 17 October 2024. This new legislation will replace the Critical Infrastructures Directive (2008/114/EC) and its 2011 Belgian transposition law.

The sectors covered by the CER Directive are similar to NIS 2, although the list is not identical:

  • energy;
  • transport;
  • banking;
  • financial market infrastructures;
  • digital infrastructures;
  • drinking water;
  • wastewater management;
  • central public administration;
  • space; and
  • food.

Whereas NIS 2 focuses on the cybersecurity of networks, information systems and data, the CER Directive adopts a broader approach aimed at the overall resilience of critical entities. It addresses all risks (physical, natural, human or cyber) that could disrupt the provision of essential services.

The two laws are thus complementary: NIS 2 governs digital security, while CER ensures the operational continuity and robustness of critical infrastructures. Entities designated as “critical” under CER will generally also be considered “essential” under NIS 2.

For sectors subject to detailed European regulatory regimes (notably banking, financial market infrastructures and digital infrastructures), certain CER provisions may not apply when equivalent sector-specific obligations exist.

Companies’ principal obligations under the CER Directive are as follows.

  • Threat and risk assessment: critical entities are required to carry out a comprehensive risk assessment within nine months of being designated, and subsequently at least every four years. These assessments should consider interdependencies and relevant national and EU evaluations.
  • Resilience measures and planning: entities must develop, maintain and execute a resilience plan, incorporating technical, organisational and security measures that are proportionate to the risks identified.
  • Reporting of incidents: significant incidents should be reported to the relevant authorities within 24 hours, with a detailed follow-up report submitted within a month if applicable.
  • Co-operation and information exchange: the CER Directive encourages close collaboration with competent authorities and requires the sharing of essential information to align internal resilience efforts with external protective measures.
  • Personnel screening: in compliance with national legislation and data protection requirements, entities may perform background checks on specific categories of personnel.
  • Continuity and staff security: operational continuity measures, personnel security and training are typically included as part of the entity’s overall resilience strategy.

Entities providing essential services in six or more EU member states are subject to special compliance procedures due to their European significance.

In accordance with the draft CER implementation law, a number of additional provisions will apply in Belgium compared to the general framework set out in the CER Directive.

  • Resilience exercises and plan updates: critical entities are required to periodically carry out exercises to evaluate their resilience plans and update them based on lessons learned. Royal or ministerial decrees may set sector-specific schedules for these exercises, and define the participation of relevant government bodies.
  • Sector-specific plan content and reporting: authorities in each sector may specify mandatory elements of resilience plans and require additional reporting or information from critical entities.
  • Enhanced co-operation principle: a general expectation of collaboration between critical entities and competent authorities to align internal resilience efforts with broader external protection measures.
  • Sanctions framework:
    1. Administrative sanctions: fines range from EUR500 to EUR125,000, doubling if a second offence occurs within three years of a prior final sanction. Suspensions of payment may be permitted under certain conditions.
    2. Criminal sanctions: penalties include imprisonment from eight days up to one year and/or fines of between EUR26 and EUR10,000 (to be multiplied by an indexation factor of eight), with harsher consequences for repeat offenders.
  • Governance and compliance deadlines: enforcement is primarily managed by sectoral authorities, in contrast to the more centralised approach under NIS 2 (led by the CCB). Critical entities are expected to meet their initial obligations within six months of their explicit designation under the CER law.

Conclusion – Key Points to Keep in Mind

Belgium is rapidly advancing its cybersecurity and critical infrastructure regulatory framework, aligning closely with EU directives.

Organisations must recognise that compliance is not optional; it is a strategic necessity affecting internal operations as well as supply chain relationships and market competitiveness.

The CCB’s latest NIS 2 FAQ provides useful clarifications.

The CyFun® framework has emerged as a major tool in Belgium (as well as in certain other EU jurisdictions) for achieving structured, auditable and EU-recognised compliance. Its adoption helps organisations demonstrate adherence to NIS 2 standards while also facilitating cross-border recognition and audit processes.

The CER Directive is expected to be transposed in Belgium in 2026, and requires organisations to prepare for sector-specific obligations, resilience planning, reporting and co-operation with authorities. The introduction of sanctions underscores the importance of proactive compliance.

Loyens & Loeff

Avenue de Tervueren 2
1440 Etterbeek
Belgium

+32 773 2377

Stephanie.de.smedt@loyensloeff.com www.loyensloeff.com

Trends and Developments

Author

Loyens & Loeff is a leading law and tax firm, and the trusted partner for businesses in the Netherlands, Belgium, Luxembourg and Switzerland. With more than 1,000 advisers across Benelux and Swiss offices and key financial centres worldwide, it delivers integrated legal and tax solutions tailored to clients’ needs. The firm’s multidisciplinary approach combines deep sector knowledge with pragmatic, business-oriented advice. It is recognised for excellence in corporate, M&A, tax, dispute resolution and regulatory matters, and for its niche expertise in privacy, cybersecurity and technology law. Clients value the firm’s responsiveness, technical strength and ability to handle complex cross-border issues efficiently. Loyens & Loeff invests in innovation and client-focused solutions, ensuring compliance and risk management in a rapidly evolving legal landscape.
