NIS2 is here. Are you ready?

In Belgium, NIS2 has triggered an essential wave of self-assessment and external audits. But once those reports are completed and the gaps identified, the real question begins: how do we sustain security in practice?

53.7%

of cyber incidents in Europe affected essential entities under NIS2 (source: ENISA)

60%

of intrusions start with phishing; AI-supported identity compromise dominates

81.1%

ransomware still dominates
cybercrime activity against EU organisations

"For security leaders, the assume breach principle requires a shift from compliance-driven activity to continuous readiness. This involves testing response plans, training teams, monitoring systems 24/7, and partnering for expertise."

Marcel van Asperdt.

CISO, Eye Security

Marcel van Asperdt.

CISO, Eye Security

Meet Eye Security

Consult the official CCB NIS2 portal to verify your classification and understand which authority supervises your sector. If you are part of another organisation’s supply chain, the CCB recommends aligning at least with the Basic level of the CyberFundamentals (CyFun®) framework.

This ensures your organisation is officially recognised and can receive updates, guidance, and instructions from the authorities. It is also the starting point for meeting your reporting obligations in case of a cyber incident. You can complete this process via the official CCB platform.

Be ready to report incidents

From 18 October 2024 onward, all in-scope organisations must notify the CCB within 24–72 hours of any significant cybersecurity incident. This requires not only knowing how to report via the Safeonweb notification platform, but also having a tested incident response plan.

Determine your CyFun® assurance level

Organisations using the Belgian CyFun® framework should define which assurance level applies to them: Basic, Important, or Essential. This level determines the depth of controls and the form of evidence required for compliance or certification.

Train leadership and teams

NIS2 explicitly requires that management be capable of making informed cybersecurity decisions. Board and leadership teams should have completed cybersecurity and risk management training by April 2025 at the latest. In parallel, employee awareness remains a core control under NIS2’s risk management measures.

Implement the right controls

Once the scope and level are defined, organisations must conduct a gap analysis against CyFun® (or ISO/IEC 27001) and implement the required controls. This process should be structured, gradual, and evidence-based, ensuring documentation and review at each stage of implementation.

Validate and maintain compliance

Essential entities are required to undergo regular third-party assessments, ideally through CyFun® certification by an accredited body. The initial assurance level must be achieved by April 2026, with full certification required by April 2027.

Important entities are encouraged to follow the same path, as certification provides clear proof of compliance and strengthens trust with clients and regulators.

Test your compliance readiness with a free NIST scan.

Stay compliant with the NIST framework
Stay one step ahead of threat actors
Get a free consultation

Start scan

Test your compliance readiness with a free NIST scan.

Stay compliant with the NIST framework
Stay one step ahead of threat actors
Get a free consultation

Start scan

Ultimately, the new rules are meant to make organisations more resilient. So avoid rushing that. Instead, make use of the extra time you have. NIS2 helps make your business safer and healthier. It can also take you to a higher level of knowledge. And it is certainly not a stick to beat with. On the contrary, it is an effective tool. Think of it as tailwind instead of a headwind.

Simone Pelkmans
Partner Digital Regulations

In order for the legislation to be effective, Europe is in need of a highly skilled workforce to exercise the tasks designated by NIS2. Independent security audits, risk assessment, cybersecurity architecture design and implementation, and incident management and reporting need to be carried out by certified professionals.

Chris Dimitriadis
Chief Global Strategy Officer, ISACA

Remaining proactive in enhancing cyber security is vital to maintaining competitiveness. This is not only about complying with laws and regulations, but about ensuring that your business is cyber resilient and able to deal with the ongoing cyber threat landscape and risks.

Auke Huistra
Managing Director, Applied Risk

Many think the NIS2 Directive is a technical issue and run at the technical side of it. But it is the strategical and tactical side of it to be implemented and from that perspective translate into what needs to be done in operations. To achieve this, there must be policies, procedures and processes to be agreed upon and then implemented within operations.

Mohamad Adib Baroud
Expert NIS2 Directive

Enterprise-grade, made for the mid-market.

This is tailored cybersecurity that meets the scale and complexity of mid-market organisations without the overhead of enterprise-only tools. Simple and to the point. AI-driven detection and expert-led response prevent downtime, protect revenue, and safeguard operations while helping you prepare for the unexpected.

Protect business continuity

Best-of-breed EDR and ITDR
24/7 in-house SOC
24/7 incident response

Build future readiness

Annual cyber reviews
Attack surface deep dives
Proactive vulnerability and threat hunting

Simplify cybersecurity

All-in-one, all-you-need package
Onboarding within hours
Built for your scale and risk profile

Accelerate compliance

Streamlined audits and regulatory alignment
Competitive cyber insurance premiums
Frictionless insurance qualification and renewals

Get in touch

Discover why companies choose Eye Security.

Protect yourself against digital threats with Europe's leading Open XDR solution. Try a demo to see how Eye Security compares to your existing solution.