
Belgium’s NIS2 Fines: Up to €10M or 2% of Revenue — and the CCB Can Hold Management Personally Liable

Belgium was the first EU member state to transpose the NIS2 Directive into national legislation. The Law of 26 April 2024 entered force on 18 October 2024, placing approximately 4,000 entities — 1,500 classified as essential and 2,500 as important — under the supervisory authority of the Centre for Cybersecurity Belgium (CCB).

The penalty figures are well-known: up to €10 million or 2% of global annual turnover for essential entities, up to €7 million or 1.4% for important entities, whichever is higher. What most guides skip is the fuller picture: a deliberate 2025 cooperative phase that has now given way to active enforcement; a supervisory toolkit of eight escalating measures that includes public naming and prosecutor referral; and a management personal liability mechanism under which the CCB can petition a court to suspend named board members from exercising management functions.

This guide covers all three: the penalty structure, how the CCB actually enforces, and what management accountability requires your board to have documented.

Who Is In Scope? Belgium’s Essential and Important Entity Categories

The first threshold question before penalties become relevant is whether the Belgian NIS2 Law applies to your organisation at all. Two criteria must both be met.

Sector check — 18 sectors covered: The law applies to organisations operating in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space, postal and courier services, waste management, chemicals, food production and processing, manufacturing of critical products, digital providers, and research. If your sector is not listed, the law does not apply regardless of size.

Size threshold: Most entities must additionally meet the medium-enterprise threshold — at least 50 employees, or annual turnover and balance sheet each exceeding €10 million. The size threshold does not apply to certain digital infrastructure providers (DNS registries, TLD registries, cloud computing services, data centres, content delivery networks, trust services), which are in scope regardless of headcount.

Entity type | Typical sectors (Annex I/II) | Size threshold | Additional supervisory measures
Essential entity | Energy, health, transport, banking, digital infrastructure (Annex I) | Large enterprise: ≥250 employees, or turnover >€50M and balance sheet >€43M | Monitoring officer, court-ordered management suspension
Important entity | Annex I sectors below the large-enterprise threshold; postal, waste, chemicals, food, manufacturing, digital providers (Annex II) | Medium enterprise: ≥50 employees, or turnover >€10M | Standard CCB toolkit only

The distinction matters beyond the penalty ceiling. Essential entities face more intensive ex-ante supervision — including CyFun Important-level verification requirements and tighter compliance timelines — and are the only category subject to monitoring officer designation and management suspension. Separate articles on the essential vs. important entity classification across all EU member states, and on the full NIS2 scope criteria, cover the EU-level rules that underpin the Belgian implementation.

The CCB’s one-year review confirmed 1,500 essential and 2,500 important entities registered as of mid-2026, though it noted that registration in some sectors was still lagging — meaning not all in-scope organisations have yet self-identified. The CCB offers a scope test tool at safeonweb.be for entities uncertain about their classification.

The Belgian Penalty Tiers: How the Fine Structure Works

The fine structure follows the essential/important classification directly. Article 34 of the NIS2 Directive (EU) 2022/2555 establishes the penalty floors; Belgium’s Law of 26 April 2024 transposes these without exceeding them.

Entity type | Maximum administrative fine | Operative rule
Essential entity | €10,000,000 or 2% of total worldwide annual turnover (preceding fiscal year) | Whichever is higher
Important entity | €7,000,000 or 1.4% of total worldwide annual turnover (preceding fiscal year) | Whichever is higher

The “whichever is higher” formulation is significant and often misread. For a company with €150 million in global annual turnover classified as essential, the operative maximum is €3 million (2% × €150M) — well below the €10 million nominal cap. For large multinationals, the turnover percentage can far exceed the nominal ceiling. The €10 million cap protects the Directive’s proportionality requirement for very small essential entities; it does not reduce the exposure of large ones.

The Belgian law also establishes a minimum fine floor of €500 for minor technical infractions, giving the CCB proportionate tools for less severe violations rather than forcing a binary choice between no penalty and headline-level fines.

Proportionality factors the CCB must weigh (Title 4, Chapter 2, Law of 26 April 2024):

  • The entity’s classification (essential or important — affects baseline expectation of controls)
  • The severity and duration of the infraction
  • The number and history of prior violations by the same entity
  • The actual or potential damages caused
  • The degree of negligence or intentional conduct involved

Before imposing any fine, the CCB must notify the entity of its intent, provide written justification, and allow the entity to present a defence. This procedural sequence is not a formality: organisations that can produce evidence of ongoing compliance efforts are in a materially better position than those that cannot. Documented controls, board approval records, and CyFun assessment progress directly affect the proportionality analysis.

Belgium’s Enforcement Timeline: From Law to Active Supervision

Belgium moved through NIS2 implementation faster than any other EU member state. The Law of 26 April 2024 entered force on 18 October 2024, precisely meeting the EU’s transposition deadline. The enforcement trajectory since then has run in three distinct phases.

Phase 1 — Registration (October 2024 – March 2025): Digital service providers faced a registration deadline of 18 December 2024; most essential and important entities had until 18 March 2025 to register on the Safeonweb@work portal. Registration is mandatory, not voluntary — failure to register is independently enforceable. The CCB designated Safeonweb@work as the single portal for registration, incident reporting, and compliance pathway tracking.

Phase 2 — Cooperative phase (2025): The CCB’s 2025 annual report confirmed that the authority’s approach during the first year focused on “education and support rather than punishment.” Belgium was the first EU member state to transpose NIS2, and the CCB used 2025 to build the compliance infrastructure: the CyFun framework, the scope test tool, and the accredited Conformity Assessment Body (CAB) network. The 2025 annual report closes this phase — it does not extend it.

Phase 3 — Active enforcement (April 2026 onward): The April 18, 2026 deadline was the functional transition point. Essential entities were required to have CyFun Basic or Important verification in place or a signed CAB agreement, ISO 27001 evidence submitted, or a direct inspection request lodged. The CCB offered operational flexibility for entities that had initiated the CyFun process but faced accreditation body availability constraints — but only for those who had demonstrably acted. Entities showing no compliance effort received no such latitude.

With the April 2026 deadline passed, enforcement has moved from advisory to operational. The January 2026 ransomware attack on AZ Monica hospital — which paralysed IT systems for three weeks, forced surgical cancellations, and required emergency patient transfers — illustrates the profile of an early enforcement case: an essential entity, a significant incident, and the open question of whether basic controls were absent. No public enforcement decision had been published as of mid-2026, consistent with the time required for regulatory investigation. The next compliance cycle will not extend the same cooperative latitude the CCB applied in 2025.

The CCB’s Supervisory Toolkit: Eight Escalating Measures

The enforcement narrative around NIS2 focuses on fines. The more immediate operational reality for most organisations is the CCB’s eight-measure supervisory toolkit, which escalates progressively and can impose significant operational disruption well before any financial penalty is calculated. These measures are detailed in the CCB’s supervisory measures framework.

Off-site monitoring (initial stage):

  • Remote monitoring and security scans — the CCB can assess an entity’s externally visible security posture without advance notice
  • Binding documentation demands — formal requests for access logs, configuration files, audit reports, internal policies, and CyFun compliance evidence; failure to respond to a documentation demand is itself an infraction

On-site supervision:

  • On-site inspections — CCB auditors may conduct physical inspections of facilities and systems where reasonable doubt about compliance exists
  • Ad-hoc audits — targeted assessments triggered by incident reports, third-party intelligence, or anomalies identified during remote monitoring

Corrective and remediation measures:

  • Binding corrective instructions with mandatory deadlines — specific remediation requirements with fixed timelines; non-compliance with a corrective order escalates the severity of all subsequent measures and is independently enforceable
  • CyFun certification suspension or withdrawal — for entities that have obtained verification, the CCB can suspend or withdraw that status pending remediation; this has contractual and reputational consequences beyond the regulatory relationship

Reputational and escalation measures:

  • Public naming — the CCB can order the entity to publish information about the identified breach and notify users of affected services; for banking or healthcare entities, public naming may trigger simultaneous scrutiny from sectoral regulators (FSMA, FANC)
  • Prosecutor referral — severe or repeated violations can be referred to public prosecutors for criminal enforcement; this measure has not been applied in Belgium’s first enforcement cycle but exists as a credible backstop

Essential-entity-only measures (two additional):

  • Monitoring officer designation — an external overseer installed for a defined period at the entity’s expense, reporting directly to the CCB on compliance progress; practically removes management’s autonomous decision-making on cybersecurity for the duration
  • Court-ordered management function prohibition — the CCB can petition a court to temporarily suspend named individuals from exercising management responsibilities (addressed in the next section)

The escalation logic in practice: most enforcement cycles begin at documentation demands, escalate to binding corrective orders if the response is inadequate, and reach financial penalties or management-level measures only in cases of persistent non-compliance or serious incidents combined with demonstrably absent basic controls.

Management Personal Liability: What “Personally Accountable” Actually Means

Article 20 of the NIS2 Directive is the source of management accountability. It requires management bodies — board members, directors, C-suite executives — to formally approve the cybersecurity risk-management measures in Article 21, oversee their implementation, and undergo cybersecurity training. The obligation is not delegable: if a CISO implements the measures but the management body never formally approved them, Article 20 is not met and the approval documentation gap is an independent compliance failure.

The Belgian Law of 26 April 2024 builds on Article 20 by allowing the CCB to hold management bodies personally liable when an entity breaches its risk-management obligations. The scope of this liability is broad: it covers not only deliberate inaction but also negligent failure to approve, oversee, or maintain cybersecurity measures. As Eubelius noted in its analysis of the Belgian transposition, “the extent to which the legislator intended to impose liability is not always clear from the legal text” — an acknowledgement that some aspects of management personal liability will be tested and refined in enforcement practice.

The two formal mechanisms for essential entities:

First, if the CCB determines that an essential entity’s management has failed to respond adequately to compliance requirements or a corrective order, it can designate a monitoring officer for a defined period. This officer operates at the entity’s expense and reports directly to the CCB on compliance progress. The practical consequence is the removal of management’s autonomous control over cybersecurity decision-making for that period.

Second, and most significantly: the CCB can petition a court to temporarily prohibit named individuals from exercising management functions. Two aspects of this mechanism are routinely mischaracterised. The CCB does not have unilateral power to remove a director — a court order is required. And the measure targets repeated non-compliance, not a single incident. As of mid-2026, no public case of this measure being applied has been reported, consistent with the 2025 cooperative phase. The mechanism is live, and the conditions for its use are met once repeated violations are documented.

The three documentation gaps that create the clearest path to management liability:

  • Absent board approval records — the CCB looks for formal evidence that the management body approved Article 21 risk-management measures; board resolution templates and sign-off logs are the primary evidence layer, not optional formalities
  • No management training records — Article 20(2) explicitly requires management bodies to “undergo training” on cybersecurity risks; absent records mean absent evidence of compliance with a directly stated obligation
  • Failure to escalate significant incidents — management bodies that were not informed of a significant incident in time to meet Article 23’s 24-hour early warning requirement may face personal liability exposure for the escalation failure, not only the entity-level reporting delay

How to Demonstrate Compliance: Three Pathways to CCB Verification

The CCB has defined three acceptable routes to demonstrating compliance with Article 21 obligations. They differ significantly in risk profile, and the choice has enforcement consequences.

Pathway 1 — CyberFundamentals (CyFun®): CyFun is Belgium’s national cybersecurity framework, developed by the CCB and aligned with ISO 27001, IEC 62443, and the NIST CSF. Essential entities must achieve at least CyFun Basic or Important level verification conducted by an accredited Conformity Assessment Body (CAB). Important entities can also demonstrate compliance through CyFun Basic. By the April 18, 2026 deadline, essential entities needed verification in place or a signed CAB agreement. The CCB offered operational flexibility for entities with CAB availability constraints — but only for those who had demonstrably initiated the process, not for those with no compliance action on record.

Pathway 2 — ISO 27001:2022: Organisations with existing ISO 27001 infrastructure can use this as a compliance pathway. By April 2026, they needed to submit: the certification scope, the Statement of Applicability (SoA), and a recent internal audit report. Full ISO 27001 certification is required by April 2027. This pathway avoids a separate CyFun process, but the ISO 27001–NIS2 mapping is non-trivial: certain Article 21 requirements — particularly Article 21(2)(b) incident handling and Article 21(2)(d) supply chain security — require supplementary documentation beyond standard ISO controls.

Pathway 3 — Direct CCB inspection: Entities that have chosen neither CyFun nor ISO 27001 can submit self-assessment documentation and request a CCB inspection directly. The CCB’s official guidance states explicitly that this approach “may lead directly to supervisory measures.” It places the organisation under immediate CCB scrutiny rather than structured third-party assessment and should be treated as the option of last resort. The NIS2 compliance checklist covers the Article 21 requirements that any pathway must evidence.

For organisations that have not yet selected a pathway, the enforcement position is now at its weakest. The April 18, 2026 deadline has passed; the minimum defensible posture is demonstrating that a pathway has actually been initiated, even if late, rather than stating an intention to begin.

Frequently Asked Questions

Does Belgium’s NIS2 Law apply to non-Belgian organisations?
Yes, where those organisations offer services or conduct activities in Belgium and meet the sector and size thresholds, regardless of where they are incorporated. A German cloud provider serving Belgian financial institutions may fall within scope. The CCB’s scope test at safeonweb.be covers cross-border scenarios.

Can the CCB fine an organisation that has not had a cybersecurity incident?
Yes. The obligation is to implement Article 21 risk-management measures and follow a recognised compliance pathway. Both are independently enforceable regardless of whether a breach or incident has occurred. NIS2 compliance is a proactive obligation, not an incident-triggered one.

What is the practical difference in penalties between essential and important entities?
The fine ceiling is higher for essential entities (€10M/2% vs €7M/1.4%). More significantly, essential entities face two additional enforcement measures — monitoring officer designation and court-ordered management suspension — that do not apply to important entities. Essential entities are also subject to more intensive ex-ante supervision, including a higher CyFun verification level (Important, not only Basic) as a longer-term compliance target.

Does management liability apply to SME owner-directors?
The Article 20 approval and training obligations apply to the management body regardless of company size. An owner-director of a 55-person logistics company classified as an important entity carries these obligations. However, the court-ordered management suspension measure is reserved for essential entities only — important entities are not subject to that specific mechanism, though personal liability for entity-level breaches remains possible.

How does Belgium’s penalty structure compare to other EU member states?
Belgium has implemented the Directive’s penalty floors without exceeding them. Germany has set its essential-entity ceiling at €20 million — double the Directive minimum. The Netherlands and France have also initiated NIS2 enforcement. Belgium’s distinguishing feature is its CyFun national framework, which provides a nationally standardised compliance assessment route unavailable in most member states, and its phased approach: a documented 2025 cooperative cycle followed by active 2026 enforcement.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  • NIS2 Directive (EU) 2022/2555, Article 34 — General conditions for imposing administrative fines: nis-2-directive.com/NIS_2_Directive_Article_34.html
  • Centre for Cybersecurity Belgium — Administrative Measures and Fines under NIS2: ccb.belgium.be/recent-news-tips-and-warning/administrative-measures-and-fines-under-nis2-0
  • Centre for Cybersecurity Belgium — NIS2: 18 April 2026 deadline – What essential entities must have in place: ccb.belgium.be
  • Centre for Cybersecurity Belgium — One year of NIS2 in Belgium: leading the way and moving forward: ccb.belgium.be
  • Eubelius — Entry into force of Belgian acts transposing NIS2: what you need to know: eubelius.com
  • Jimber — NIS2 fines in Belgium: what enforcement looks like (2026): jimber.io
