How Belgium’s NIS2 Competent Authority (CCB) Combines CERT.be, CyTRIS, NCCA, and NCC-BE Into One Oversight Structure

Belgium was the first EU member state to transpose the NIS2 Directive into national law. The Law of 26 April 2024 entered into force on 18 October 2024 — the same day the EU-wide transposition deadline expired — and designates the Centre for Cybersecurity Belgium (CCB) as the single national competent authority under Article 8 of EU Directive 2022/2555.

The CCB holds a structurally unusual position: it simultaneously serves as Belgium’s national CSIRT, national cybersecurity certification authority, national coordination centre for EU cybersecurity funding, and the sole NIS2 supervisory authority. Most EU member states distribute these functions across separate agencies; Belgium concentrates them in four operational units — CERT.be, CyTRIS, NCCA, and NCC-BE — within one body. For compliance officers, CISOs, and SME owners subject to Belgium’s NIS2 Law, understanding which unit handles what is not just organisational detail. It determines who contacts you when a vulnerability is detected, where incident reports must go, which authority certifies supplier cybersecurity claims, and how your conformity assessment proceeds.

This guide maps each CCB unit to its NIS2 compliance implications, explains Belgium’s registration and incident reporting process, covers the enforcement framework and penalty exposure, and shows how the CyberFundamentals (CyFun) framework functions as Belgium’s CCB-approved compliance pathway.

Belgium’s NIS2 Law: Scope, Deadlines, and Registration

Belgium’s NIS2 implementation is the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security. It transposes EU Directive 2022/2555 and covers all 18 sector categories specified in Annexes I and II of the Directive, with one significant exception: financial entities subject to DORA are excluded from the Belgian NIS2 Law entirely. The CCB determines entity classification using the NIS2 Directive’s standard thresholds.

| Entity type | Size threshold | Supervision model |
|---|---|---|
| Essential entity | ≥250 employees OR ≥€50M turnover AND ≥€43M balance sheet, in Annex I sectors | Proactive — mandatory conformity assessments |
| Important entity | ≥50 employees OR ≥€10M turnover AND ≥€10M balance sheet, in Annex I–II sectors | Reactive — incident- or complaint-triggered |
| Financial entities (banking, investment, insurance) | Any size | Excluded from Belgian NIS2 Law; supervised under DORA |
| Public administrations | All levels | Covered; exempt from financial penalties |

If you are uncertain whether your organisation falls in scope, the CCB provides a NIS2 Scope Test Tool through Safeonweb@Work and a practical guide to distinguishing essential from important entities. For scope queries, contact the CCB at nis@ccb.belgium.be.

Key Belgian NIS2 compliance dates:

| Date | Obligation | Applies to |
|---|---|---|
| 18 October 2024 | NIS2 Law enters into force | All in-scope entities |
| 18 December 2024 | Registration deadline | Digital sector entities |
| 18 March 2025 | Registration deadline | All other NIS2 entities |
| 18 April 2026 | Verification Statement submission (CyFun Basic/Important or ISO 27001) | Essential entities |
| 18 April 2027 | Full CyFun Essential certification or ISO 27001:2022 certification | Essential entities |

All registration runs through the Safeonweb@Work portal at atwork.safeonweb.be. Organisations registered in the Crossroads Bank for Enterprises (CBE) complete registration online; entities without a CBE number contact the CCB directly at nis@ccb.belgium.be. For a step-by-step walkthrough of the NIS2 entity registration process, the CCB’s registration guide on Safeonweb@Work covers every required field.

Inside the CCB: Four Operational Units and What Each Means for Your Organisation

The CCB’s four operational units each connect to your compliance obligations differently. The unit you deal with depends on what is happening — reporting an incident, receiving a proactive threat warning, verifying a supplier’s EU certification, or seeking EU R&D funding each routes to a different team within the same authority.

CERT.be — Incident Response

CERT.be (Cyber Emergency Response Team) is one of two operational departments within the CCB’s national CSIRT function. Its work is reactive: when a NIS2 entity reports a significant incident, CERT.be provides technical assistance to analyse, contain, mitigate, and eradicate the attack. For essential entities, this means active operational support; for important entities, assistance is best-effort, with scope limited by available capacity.

CERT.be operates as a second-line service — it does not proactively contact attack victims. Your organisation must initiate contact. Reporting channels for NIS2 incidents:

  • Primary (online form): notif.safeonweb.be
  • Email: incident@ccb.belgium.be
  • Emergency phone (NIS2 significant incidents only, 24/7): +32 (0)2 501 05 60
  • General queries (office hours): Monday–Friday, 09:30–16:30, excluding public holidays

CyTRIS — Threat Intelligence

CyTRIS (Cyber Threat Research & Intelligence Sharing) is the proactive complement to CERT.be’s reactive response function. Where CERT.be waits for reports, CyTRIS monitors. It collects and analyses threat data daily, produces strategic cyber threat intelligence (CTI) reporting, and sends spear warnings — individual notifications sent directly to organisations when CyTRIS independently detects that they have a specific vulnerability, an active malware infection, or compromised credentials posted online.

If your organisation receives a CyTRIS spear warning, treat it as a priority action requiring immediate investigation. The warning means CyTRIS has identified a specific, confirmed threat to your infrastructure — independent of any report you have filed. Receiving a spear warning does not discharge your notification obligation: if the underlying event meets the significance threshold, a formal incident notification through the standard channel is still required.

CyTRIS is also the first contact point when you call in to report an incident — it conducts initial triage and routes to CERT.be for active response. It operates the Early Warning System (EWS) and the MISP Threat Sharing platform, and hosts quarterly “Connect & Share” briefings for essential entities, sectoral authorities, and national security agencies on active threat campaigns.

NCCA — National Cybersecurity Certification Authority

The NCCA (National Cybersecurity Certification Authority) oversees EU cybersecurity certification schemes in Belgium: EU Common Criteria (for ICT products, processes, and services), EU Cloud Scheme, EU 5G certification, and cryptographic evaluation. It monitors the Conformity Assessment Bodies (CABs) that issue certificates and handles complaints about certificate misuse or non-compliance.

The NCCA’s NIS2 relevance is most direct for supply chain security under Article 21(2)(d). When a critical supplier claims an EU cybersecurity certification, the NCCA is the Belgian authority that can confirm the certificate’s validity and standing. Supplier certification queries can be directed to certification@ccb.belgium.be.

NCC-BE — National Cybersecurity Coordination Centre

The CCB was designated as Belgium’s NCC-BE under EU Regulation 2021/887 establishing the European Cybersecurity Competence Centre (ECCC). NCC-BE represents Belgium on the ECCC Governing Board and coordinates Belgian participation in ECCC-funded cybersecurity research and innovation programmes.

For most NIS2-obligated entities, NCC-BE operates in the background, with no direct compliance obligations attached to it. Its relevance is primarily for organisations developing cybersecurity products or services and seeking EU co-funded research grants, or those participating in pan-European cybersecurity projects.

Which unit will your organisation interact with?

| Situation | CCB unit |
|---|---|
| Submitting a significant incident report | CyTRIS (initial triage) → CERT.be (technical response) |
| Receiving a proactive vulnerability or credential warning | CyTRIS |
| Quarterly threat intelligence briefings | CyTRIS |
| Verifying a supplier’s EU cybersecurity certificate | NCCA |
| EU cybersecurity R&D funding applications | NCC-BE |
| NIS2 registration and general compliance queries | CCB general: nis@ccb.belgium.be |

Belgium’s Three-Stage NIS2 Incident Notification Process

Belgium implements the NIS2 Directive’s Article 23 notification framework without material modifications. The CCB provides a detailed notification guide with practical examples and references to Commission Implementing Regulation 2024/2690 for assessing incident significance.

A “significant” incident is one that causes — or is likely to cause — severe operational disruption to NIS2-covered services, significant financial losses to the entity, or considerable damage to other natural or legal persons. When in doubt, file the early warning: under-reporting a borderline incident carries more regulatory risk than reporting an event that turns out to be below the significance threshold.

The three mandatory notification stages under Belgium’s NIS2 Law:

| Stage | Deadline | Required content |
|---|---|---|
| Early warning | 24 hours from discovery | Basic incident details; whether malicious activity is suspected; potential cross-border impact; any assistance requested from CERT.be |
| Incident notification | 72 hours from discovery (24 hours for trust service providers) | Updated incident information; initial severity and impact assessment; indicators of compromise |
| Final report | 1 month from discovery | Full incident description; root cause analysis; cross-border impact assessment; remedial and preventive actions taken |

All notifications are submitted through the Safeonweb@Work reporting portal (notif.safeonweb.be) or via CERT.be’s direct contact channels. CERT.be sends an automatic acknowledgment with a case number. Response prioritisation depends on incident severity and current operational capacity.

CyTRIS may have independently detected activity related to your incident before you report — its monitoring operates independently of the notification system. This does not create a conflict: CyTRIS’s detection and your notification obligation are parallel tracks, not alternatives.

Compliance note for incident response teams: The 24-hour early-warning deadline runs from discovery, not from confirmed impact assessment. Log the discovery time immediately — before investigation is complete — and submit the early warning on that basis. Waiting to confirm the full scope before notifying is the most common cause of early-warning deadline breaches. For teams building or reviewing their incident response procedure, the NIS2 incident reporting guide covers what the CCB expects at each notification stage.

CCB Enforcement Powers and Penalty Exposure Under Belgium’s NIS2 Law

The CCB’s enforcement approach divides by entity type: essential entities face proactive mandatory conformity assessments; important entities face reactive supervision triggered by incidents, complaints, or intelligence signals. Both carry penalty exposure, and the CCB has signalled that from 2026, enforcement has moved from education-focused to operationally active — with healthcare, local government, and manufacturing as priority sectors.

The Belgian NIS2 penalty structure:

| Entity type | Maximum administrative fine | Supervision model |
|---|---|---|
| Essential entity | €10,000,000 or 2% of worldwide annual turnover (whichever is higher) | Proactive: regular mandatory conformity assessments |
| Important entity | €7,000,000 or 1.4% of worldwide annual turnover (whichever is higher) | Reactive: incident- or complaint-triggered |
| Public administration | No financial penalties | Subject to binding corrective instructions |

Before issuing final sanctions, the CCB must provide written notice of enforcement intent with detailed justification and give entities an opportunity to present a defence. Appeals proceed to the Raad van State (Council of State).

The CCB’s enforcement tools beyond financial penalties:

  • On-site inspections and ad-hoc audits — triggered by incidents, complaints, or CyTRIS-detected vulnerabilities that go unresolved
  • Corrective instructions with mandatory compliance deadlines — binding orders to implement specific security measures within a defined timeframe
  • CyFun certification suspension or withdrawal — removes eligibility for public procurement contracts requiring cybersecurity certification
  • Public disclosure of violations — the CCB publishes the entity’s name and the nature of the breach
  • Referral to prosecutors — where suspected criminal conduct is involved
  • Court referral for management suspension — for repeated non-compliance by essential entities, the CCB can request a court to temporarily bar individuals from exercising management functions

Management personal liability: Belgium’s NIS2 Law establishes personal liability for board members who fail to approve and oversee cybersecurity measures. This is an enforcement mechanism, not a governance recommendation. Boards that delegate cybersecurity responsibility without maintaining documented evidence of active oversight — board minutes approving the security policy, resolution records confirming security budgets, training attendance records for management — face direct personal exposure. The CCB’s board obligations guide explains the documentation requirements for demonstrating board-level compliance.

Incident reports to CERT.be in Q4 2024 rose 50% compared to the same quarter in 2023, reaching 116 reports. The CCB attributed this increase to stricter NIS2 reporting obligations taking hold. Each incident report creates an audit trail that CERT.be and the CCB can reference when assessing post-incident compliance — the primary trigger for reactive enforcement against important entities.

The CyberFundamentals Framework: Belgium’s Compliance Pathway Under NIS2

Unlike most EU member states where NIS2 Article 21 compliance is assessed directly against the directive’s 10 security measure domains, Belgium provides a nationally developed framework as a CCB-approved compliance pathway. The CyberFundamentals (CyFun) framework, developed by the CCB, is recognised in Belgium’s NIS2 Law as a means of demonstrating Article 21 compliance. By early 2026, approximately 75% of registered Belgian NIS2 entities had selected CyFun as their primary compliance framework, according to the CCB’s one-year NIS2 implementation report. ISO 27001:2022 is the only other accepted equivalent.

CyFun 2025 aligns with NIST Cybersecurity Framework 2.0 and covers six functions: Identify, Protect, Detect, Respond, Recover, and Govern. The added Govern function — absent from earlier versions — directly maps to NIS2 Article 21’s governance and board accountability requirements. The framework has four assurance tiers:

| Tier | Controls | Intended for | Verification method |
|---|---|---|---|
| Small | 7 controls | Micro-enterprises | Self-assessment (no external verification) |
| Basic | 34 controls | Entry-level security hygiene; SMEs | Third-party Verification Statement |
| Important | ~65 controls | NIS2 important entities | Third-party Verification Statement |
| Essential | ~106 controls | NIS2 essential entities | Independent certification by accredited CAB |

The mandatory CyFun compliance sequence for essential entities:

  • By 18 April 2026: Submit a Verification Statement to the CCB demonstrating conformity with CyFun Basic or Important level, or ISO 27001:2022 Stage 1 audit equivalent. This intermediate milestone is mandatory — it signals that implementation is underway.
  • By 18 April 2027: Achieve full CyFun Essential certification from an accredited CAB, or ISO 27001:2022 certification. The CCB treats these as equivalent for NIS2 purposes.

For important entities, no mandatory verification deadline currently exists. The CCB expects framework selection and self-assessment, but the 2026 deadline applies exclusively to essential entities.

Organisations already holding ISO 27001:2022 certification do not need to additionally certify to CyFun. However, they should document the mapping between their ISO 27001 controls and NIS2 Article 21 security domains for CCB audit purposes. The NIS2 vs ISO 27001 comparison guide covers the control mapping and any residual gaps in detail.

Romania and Ireland are pursuing mutual recognition of CyFun through the European Cooperation for Accreditation, which would allow Belgian entities operating in those jurisdictions to use a single CyFun certification across multiple markets — reducing cross-border compliance overhead for multinational organisations.

Which Authority Supervises Your Sector in Belgium

The CCB is Belgium’s single NIS2 competent authority and retains ultimate enforcement power across all sectors. Several sectors have designated sectoral authorities that handle day-to-day compliance oversight alongside the CCB. CCB supervisors have identified incomplete dual-contact documentation in incident escalation procedures as a recurring gap during post-incident reviews.

| Sector | Sectoral authority | Notes |
|---|---|---|
| Banking, financial market infrastructure | National Bank of Belgium (NBB) + FSMA | Excluded from Belgian NIS2 Law; supervised under DORA (effective 17 January 2025) |
| Telecom, digital infrastructure, digital service providers | BIPT (Belgian Institute for Postal Services and Telecommunications) | Covers digital infrastructure and DSPs |
| Energy and nuclear | FANC (nuclear safety) + CREG (energy market regulation) | Two separate authorities: nuclear safety and energy market |
| Federal public administration | FOD BOSA | Regional administrations have own contact points |
| Health, water, waste, space | CCB (direct) | No designated sectoral authority; CCB supervises directly |
| Cross-sector or systemic events | CCB (override) | CCB assumes full authority for national-impact or cross-border incidents regardless of sector |

The DORA exclusion for financial entities: Belgian banks, investment firms, insurance companies, and financial market infrastructure operators are excluded from the Belgian NIS2 Law under the lex specialis principle (NIS2 Directive Article 4(1)). Their cybersecurity obligations are fulfilled through DORA (EU Regulation 2022/2554), which became directly applicable on 17 January 2025 without national transposition. DORA supervision falls to the NBB and FSMA, not the CCB. The NIS2 for banking and finance guide explains the DORA boundary and compliance overlap in detail.

Dual-contact requirement: For sectors with both a sectoral authority and the CCB in play, your incident escalation procedure should document both contacts by name — the Safeonweb@Work portal (primary NIS2 notification channel) and your sectoral regulator. Treating these as sequential rather than simultaneous is the most common procedural gap CCB supervisors have identified in post-incident reviews.

Frequently Asked Questions

Does my organisation need to register with the CCB even if we already interact with a sectoral regulator?

Yes, in almost all cases. NIS2-obligated entities must register through the Safeonweb@Work portal directly with the CCB, regardless of any existing sectoral regulator relationship. The main exception is financial entities subject to DORA — they do not register under the Belgian NIS2 Law.

What will trigger the CCB to proactively contact our organisation?

Two primary channels: CyTRIS spear warnings (when your infrastructure is detected as compromised, vulnerable, or associated with leaked credentials) and CCB conformity assessment notifications for essential entities approaching or past the April 2026 deadline. If you are an important entity and have not received unsolicited contact, that is expected — reactive supervision means the CCB responds to incidents and complaints rather than initiating routine checks.

Should a NIS2 incident be reported to CERT.be or to our sectoral regulator?

Both, where applicable. The formal NIS2 notification goes through the Safeonweb@Work portal to the CCB and CERT.be. Your sectoral regulator may have parallel reporting requirements under sector-specific legislation. For cross-border incidents, the CCB is Belgium’s single point of contact for EU-level coordination. Treating CCB notification and sectoral regulator notification as two separate checklist items in your incident response procedure is the clearest approach.

What is MISP and is participation mandatory for NIS2 compliance?

MISP (Malware Information Sharing Platform) is an open-source threat intelligence sharing platform operated by CyTRIS. Participation is voluntary — it is not a mandatory NIS2 compliance obligation. Registered entities can access threat intelligence feeds relevant to their sector. CyTRIS also operates the Early Warning System (EWS), which automatically alerts registered organisations about active threats without requiring active MISP participation.

Can the CCB issue financial penalties to a public administration?

No. Public administrations at all levels are covered by Belgium’s NIS2 Law but are exempt from financial penalties. The CCB can issue binding corrective instructions with mandatory compliance deadlines — non-compliance with those instructions carries procedural consequences — but the financial penalty structure does not apply to public sector bodies.

Three Actions for Belgian NIS2 Entities in 2026

Belgium’s CCB structure has one practical implication that most compliance guides overlook: the unit you interact with changes depending on what is happening. CyTRIS monitors and warns proactively; CERT.be responds and assists reactively; NCCA certifies and handles supplier certification complaints; NCC-BE coordinates EU-level policy and funding. A compliance programme with only a generic “contact the CCB” escalation path leaves unit-specific protocols undocumented.

Three concrete steps for Belgian NIS2-obligated entities:

  1. Verify your registration status at atwork.safeonweb.be. CCB data confirmed persistent registration gaps in some sectors even after the March 2025 deadline. An unregistered essential entity has been in breach since the date the obligation applied — not from the date the CCB identifies the gap.
  2. Confirm your compliance framework and timeline. Essential entities face a hard 18 April 2026 deadline for Verification Statement submission to the CCB. A NIS2 compliance checklist can help map your current posture against CyFun’s requirements before the assessment.
  3. Document your dual escalation path. Your incident response procedure must name the Safeonweb@Work portal (for CERT.be/CyTRIS notification) and your sectoral authority contact — with a named individual responsible for triggering each channel within the 24-hour early-warning window.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. CCB Belgium — NIS2 overview: ccb.belgium.be/regulation/nis2
  2. CCB Belgium — CERT.be: ccb.belgium.be/cert
  3. CCB Belgium — NIS2 Notification Guide: ccb.belgium.be/cert/report-incident/nis2-notifications-howto
  4. CCB Belgium — CyTRIS: ccb.belgium.be/cytris
  5. CCB Belgium — NCCA: ccb.belgium.be/ncca
  6. European Commission — NIS2 Directive Implementation in Belgium
  7. CCB Belgium — One Year of NIS2: ccb.belgium.be/news/one-year-nis2-belgium-leading-way-and-moving-forward
  8. CCB Belgium — NIS2 Reporting Statistics (Q4 2024)
  9. EUR-Lex — Directive (EU) 2022/2555 (NIS2): eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555
  10. Jimber.io — NIS2 Fines in Belgium: Enforcement Overview (2026)
  11. ISMS.online — NIS2 Belgium Enforcement Structure
