## NIS2 is Belgian law now
The NIS2 Directive was transposed into Belgian law through the NIS2 Act of 26 April 2024, which entered into force on 18 October 2024. The Centre for Cybersecurity Belgium (CCB) is the national competent authority for most sectors. Sectoral regulators (the NBB for financial entities, the BIPT for digital infrastructure, and others) handle supervision in their own domains.
If you are a Belgian organization that has been waiting to see how NIS2 would land in Belgium before doing anything, the waiting period is over.
This post covers which Belgian organizations are affected, what the law actually requires around security testing, and how penetration testing fits into compliance.
## Who is in scope in Belgium
NIS2 divides affected entities into two tiers: essential entities and important entities. Both have obligations; essential entities face stricter supervision and higher penalties.
In Belgium, the CCB maintains a registration portal where affected organizations must register. Registration itself is an obligation — it is not voluntary self-assessment.
Essential entities in Belgium include:
– Energy providers (electricity, gas, oil, district heating, hydrogen)
– Transport operators (air, rail, water, road)
– Banking and financial market infrastructure
– Health sector (hospitals, reference laboratories, pharmaceutical manufacturers)
– Drinking water and wastewater operators
– Digital infrastructure (DNS providers, TLD registries, IXPs, cloud providers, data centers, CDNs, trust service providers (TSPs))
– ICT service management (B2B managed service providers and managed security service providers)
– Public administration at federal and regional level
– Space infrastructure operators
Important entities include most of the same sectors at smaller scale, plus food production, chemicals, waste management, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networks), and postal and courier services.
Size thresholds apply. Generally, organizations with 250 or more employees, or with €50M+ revenue and a €43M+ balance sheet, qualify as essential. Organizations with 50–249 employees or €10M–€50M revenue qualify as important. Certain high-risk entities (DNS, TLD, cloud, data centers, trust services, some public communications providers) are in scope regardless of size.
If you are unsure whether your organization is in scope, the CCB’s website has guidance, and the safe assumption for organizations in the sectors listed above is that you are.
## What NIS2 requires around security testing
NIS2 does not mandate penetration testing by name. What it does require, under Article 21, is that covered organizations implement “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems.”
Article 21 then lists minimum measures that must be included. Four of them are directly relevant to security testing.
The obligation to have risk analysis and information system security policies means you need to assess what risks exist. That assessment is hard to do credibly without testing.
The requirement for vulnerability handling and disclosure policies means you need a process for identifying, assessing, and addressing vulnerabilities. Regular penetration testing is the most systematic way to find vulnerabilities before attackers do.
The security in network and information systems acquisition, development, and maintenance requirement directly implies that your systems should be tested for weaknesses, not just built to a checklist.
Basic cyber hygiene and cybersecurity training requirements are easier to validate when you have actually tested whether hygiene failures exist rather than assuming they do not.
The Belgian NIS2 Act gives the CCB authority to conduct supervisory reviews, request evidence of compliance, and issue binding instructions. In practice, this means the CCB can ask you to demonstrate that your risk management measures are effective — not just that they exist on paper.
Penetration testing provides evidence of effectiveness. An up-to-date penetration test report showing what was tested, what was found, and what was remediated is the kind of documentation that answers supervisory questions credibly.
## What “regular testing” means in practice
NIS2 does not specify testing frequencies. The Belgian transposition does not add specific frequencies either. What the law requires is a risk-based approach.
For most Belgian organizations in scope, annual external and internal penetration testing is a defensible baseline. Testing after significant infrastructure changes, major application releases, or following a security incident should be standard practice regardless of schedule.
Organizations at the higher end of the risk profile — healthcare providers handling patient data, financial institutions, critical infrastructure operators — should test more frequently, and should consider whether threat-led penetration testing (the style used in TIBER-EU and DORA) provides a more meaningful assurance than standard assessment formats.
## The CCB’s supervisory approach
The CCB has indicated it will take a proportionate approach to supervision in the early years of NIS2 enforcement in Belgium. That does not mean enforcement is theoretical.
The CCB has existing enforcement powers from the earlier NIS Directive and has used them. The NIS2 Act substantially increases both the scope of organizations subject to oversight and the penalties available: up to €10 million or 2% of global annual turnover for important entities, and up to €20 million or 4% of global annual turnover for essential entities — whichever is higher.
The enforcement mechanism is not primarily fine-driven at this stage. The CCB’s initial approach involves registration, baseline assessments, and guidance. The trajectory, based on what supervisory authorities in the Netherlands and Germany have done under equivalent legislation, is toward increasing scrutiny of actual security practice over time.
Organizations that have documented, current evidence of their security testing program are better positioned for supervisory engagement than those that cannot demonstrate what testing they have done or when.
## Interaction with other Belgian compliance obligations
Belgian organizations often face NIS2 alongside other requirements that also touch security testing.
GDPR Article 32 requires a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational security measures. If you are a covered entity under NIS2, you almost certainly process personal data, which means GDPR obligations run in parallel. A penetration test serves both.
DORA applies to financial entities in Belgium and imposes its own testing requirements, including threat-led penetration testing at defined intervals for significant institutions. For entities that are in scope for both NIS2 and DORA, DORA’s testing requirements are typically more prescriptive and demanding.
Sector-specific NBB circulars add further expectations for Belgian banks, insurance companies, and payment institutions. The NBB has consistently signaled that it expects regulated firms to test their cyber defenses regularly, and its supervisory expectations are not satisfied by purely automated scanning.
## Practical steps for Belgian organizations
Register with the CCB first if you are in scope and have not done so. Registration is a legal obligation, not a voluntary self-assessment, and it is the baseline from which supervisory engagement will follow.
Conduct a gap assessment of your Article 21 measures. The requirements are not uniformly implemented across Belgian organizations. An honest gap assessment tells you where you fall short of what the law requires before the CCB asks.
Get a penetration test if you have not tested your external attack surface or key applications recently. The report is documentation of your testing program. It is also useful in its own right — finding and fixing vulnerabilities is the point.
Document your security program. The CCB can ask for evidence. Security policies, penetration test reports, remediation records, and training logs are the materials that answer supervisory questions credibly.
Build a testing cadence. Annual testing is the baseline, with additional testing after significant infrastructure changes or major application releases. Put it in your security budget and your vendor contract renewal cycles so it does not get skipped.
## What TSO does
TSO provides penetration testing and red team assessments for Belgian organizations subject to NIS2 and related regulations. We understand the Belgian regulatory context — the CCB’s expectations, how the NIS2 Act interacts with sector-specific requirements, and what good documentation of a testing program looks like for supervisory purposes.
If you need to build a testing program that supports NIS2 compliance, [we can help](/contact).