The Belgian NIS2 law (Wet van 26 april 2024) sets maximum administrative fines at EUR 10 million or 2% of worldwide annual turnover for essential entities, and EUR 7 million or 1.4% for important entities, whichever amount is higher. The Centre for Cybersecurity Belgium (CCB) enforces these through a structured procedure that includes on-site inspections, ad-hoc audits, and binding instructions. With the CyberFundamentals (CyFun) verification deadline of 18 April 2026 now passed, enforcement has moved from theory to operational reality.
Belgium was among the first EU member states to transpose the NIS2 directive into national law, and the CCB has shifted from an advisory role into active supervision. Yet most public information about NIS2 fines comes from law firms like Stibbe, Eubelius, and Lydian interpreting the statute text, leaving a gap between the regulatory framework and what a CISO at a 200-person Belgian manufacturer needs to know. This post covers what the fines are, who imposes them, how the enforcement procedure works, and where the CCB is likely to focus first.
What fines can Belgian organisations face under NIS2?
The Belgian NIS2 law uses a dual-tier structure. Essential entities face the highest penalties, while important entities face lower but still substantial maximums. In both cases, the applicable fine is the higher of the fixed amount or the turnover-based percentage.
| Entity type | Fixed maximum | Turnover-based maximum | Applicable fine |
|---|---|---|---|
| Essential entity | EUR 10,000,000 | 2% of worldwide annual turnover | Whichever is higher |
| Important entity | EUR 7,000,000 | 1.4% of worldwide annual turnover | Whichever is higher |
Source: Law of 26 April 2024, Title 4, Chapter 2
For context: a Belgian mid-market company with EUR 150 million annual turnover faces a maximum of EUR 3 million under the 2% rule for essential entities, or EUR 2.1 million under the 1.4% rule for important entities. Both figures exceed the annual IT security budget of most organisations in that size range.
These are administrative fines, not criminal penalties. They are imposed by the CCB, not by a court. However, the law also allows the CCB to refer cases to the public prosecutor when criminal conduct is suspected.
Belgium made a deliberate choice to exclude public administrations in the “public administration sector” from financial penalties. Instead, the CCB issues binding instructions. But a public entity that falls under NIS2 through another sector, such as a municipal hospital classified as a healthcare entity, can still be fined like any private organisation.
Banking and financial market entities are also excluded from the Belgian NIS2 law. They fall under the Digital Operational Resilience Act (DORA), with the National Bank of Belgium (NBB) and FSMA as the relevant supervisors.
Who actually enforces NIS2 in Belgium?
The CCB is the single national competent authority for NIS2 in Belgium. The Royal Decree of 9 June 2024 formalised this designation and established the conformity assessment procedures.
In practice, enforcement involves three layers.
The CCB’s inspection service conducts direct supervision. For essential entities, this means proactive (ex-ante) audits and mandatory regular conformity assessments. For important entities, supervision is primarily reactive (ex-post), meaning inspections are triggered by incidents or evidence of non-compliance.
Conformity Assessment Bodies (CABs) perform the actual CyFun verification audits. These are private organisations accredited by BELAC and authorised by the CCB specifically for NIS2 audits. Not every BELAC-accredited body is approved for all CyFun levels. The Big Four (Deloitte Belgium, KPMG Belgium, PwC Belgium, EY Belgium) handle large multinationals, while specialised firms like Bureau Veritas Belgium and Vincotte serve mid-market organisations.
Sectoral inspection services collaborate with the CCB in specific industries. BIPT (Belgian Institute for Postal Services and Telecommunications) covers digital infrastructure providers. The NBB liaises on financial sector matters, even though banks themselves fall under DORA rather than NIS2.
What CCB does when verification fails or incidents occur
The enforcement process follows a defined procedural sequence. The CCB cannot impose fines without first giving the organisation a chance to respond.
The process starts with detection. The CCB’s inspection service, a CAB during a mandatory audit, or an incident report can trigger an investigation. The CCB has the legal authority to perform on-site inspections, conduct remote monitoring and security scans, demand documentation (access logs, configuration files, audit reports, internal policies), and order ad-hoc audits when there is reasonable doubt about compliance.
All NIS2 entities are legally required to cooperate with these investigations. Refusal to cooperate is itself an offence that can trigger immediate sanctions.
When the CCB decides to pursue enforcement, it must notify the entity in writing of its intention to impose a sanction, with a detailed justification. The entity then has the opportunity to present its defence, either in writing or during a hearing. Only after considering this response does the CCB issue a final decision.
Title 4, Chapter 2 of the law requires the CCB to weigh several factors when setting the sanction level: the nature and severity of the breach, its duration, whether it was negligent or deliberate, what measures the entity took to limit damage, previous violations, and the degree of cooperation with the investigation.
Appeals go to the Raad van State (Council of State). Filing an appeal does not automatically suspend the sanction unless the entity obtains a specific suspension order.
Beyond fines, the CCB has a range of administrative tools. It can issue corrective instructions with mandatory deadlines. It can suspend or withdraw CyFun certifications, which can disqualify organisations from public procurement. It can publish the name and nature of the breach publicly. And in severe cases of repeated non-compliance by essential entities, the CCB can request a court to temporarily suspend individuals from exercising management functions.
How Belgian NIS2 fines compare across the EU
Belgium’s maximum fine levels follow the NIS2 directive’s minimum requirements. Several EU member states adopted similar caps, though enforcement approaches differ.
| Country | Authority | Max fine (essential) | Max fine (important) | Notable approach |
|---|---|---|---|---|
| Belgium | CCB | EUR 10M / 2% | EUR 7M / 1.4% | CyFun audits via accredited CABs; proactive supervision of essential entities |
| Netherlands | RDI / NCSC | EUR 10M / 2% | EUR 7M / 1.4% | Cyberbeveiligingswet activated Q1 2026; sector-specific supervisors |
| Germany | BSI | Up to EUR 20M / 2% | EUR 7M / 1.4% | Higher fixed maximums for certain offences; tiered classification |
| France | ANSSI | EUR 10M / 2% | EUR 7M / 1.4% | Strong state tradition via “Operators of Vital Importance” |
| Luxembourg | ILR | EUR 10M / 2% | EUR 7M / 1.4% | Smaller entity population; concentrated supervision |
Sources: ECSO NIS2 Transposition Tracker (2026), national transposition texts
Belgium stands out not for its fine levels, which are standard, but for the structured CyFun framework that ties enforcement to a concrete, auditable baseline. Where many other member states have not prescribed a specific attestation scheme for proving compliance, Belgium's CAB-based verification creates a clear pass/fail mechanism that gives both organisations and regulators a shared reference point.
For Belgian organisations wondering how NIS2 fines relate to GDPR: a single data breach at a NIS2 entity can trigger dual notification requirements. You must report to the Gegevensbeschermingsautoriteit (GBA) for the personal data impact and to the CCB for the network security impact. Both authorities can investigate and impose sanctions, but Article 35 of the NIS2 directive, which the Belgian law transposes, requires the two authorities to inform each other and prevents the NIS2 authority from imposing an administrative fine for the same conduct that has already been fined under GDPR. Fines for distinct failures (for example, a GDPR fine for unlawful processing alongside a NIS2 fine for missing basic security measures) remain possible.
First NIS2 enforcement signals in 2026
Belgian NIS2 enforcement is in its first year. The CCB has not published individual sanctions as of mid-2026, consistent with the cooperative approach it adopted during initial implementation. The 2025 annual report confirmed that the CCB focused on education and support rather than punishment during the first cycle.
That cooperative tone has limits. The legal framework is fully operational. Several signals indicate that enforcement activity is building.
By late 2025, Belgium had registered approximately 1,500 essential entities and 2,500 important entities on the Safeonweb@Work portal. The CCB estimated the total in-scope population at roughly 4,000 entities. Registration compliance was nearly complete. The shift now moves to substantive compliance: proving that security controls actually work.
CAB audit capacity was strained throughout early 2026. The CCB acknowledged this bottleneck and indicated a degree of operational flexibility for entities that could demonstrate they had requested verification before the April 2026 deadline but were waiting for CAB availability. However, flexibility is not immunity. An entity that cannot show it initiated the process gains no such benefit.
Incident-triggered investigations are the most likely path to early enforcement. The CCB’s 2025 data showed incident reports rising by nearly 70% compared to 2024, partly driven by the stricter NIS2 reporting obligations. Every significant incident at a registered entity creates a potential enforcement event if the investigation reveals that basic measures were missing.
Where CCB will focus enforcement first
Three factors converge to determine where the CCB directs enforcement attention: sector risk, incident history, and compliance maturity.
Healthcare is the most visible priority. The ransomware attack on AZ Monica hospital in January 2026 paralysed IT systems for three weeks, forced the cancellation of surgeries, diverted emergency services, and required patient transfers across the province. Hospitals are classified as essential entities under the Belgian law. When an incident of this scale occurs and the subsequent inspection reveals that basic CyFun controls like offline backups, network segmentation, or multi-factor authentication were absent, the path from inspection to sanction is short.
Local government faces a nuanced picture. Municipalities and provinces do not always qualify as essential entities by default, but many fall under NIS2 through sector-specific activities like waste management, transport, or drinking water provision. The Flemish Centre for Digital Security (VCDV) set a target for local governments to reach CyFun Basic by end of 2025, with full verification by April 2027. Entities that missed these milestones face increased exposure to ex-post sanctions after incidents.
Manufacturing and industrial entities represent a growing segment. Many qualify as important entities through sectors like chemical production, food manufacturing, or critical product manufacturing. Organisations with OT environments face particular scrutiny: equipment that cannot run an endpoint agent (PLCs, HMIs, legacy controllers) sitting on flat, unsegmented networks remains a common audit finding and is precisely what the NIS2 network segmentation requirements target.
Supply chain enforcement is the least visible but potentially most impactful channel. Article 21(2)(d) of the NIS2 directive, as transposed into the Belgian law, requires NIS2 entities to address supply chain security, including the security of their relationships with direct suppliers and service providers. Large essential entities are increasingly embedding CyFun compliance requirements in supplier contracts. A mid-market IT service provider without a CyFun attestation may lose contracts before the CCB ever sends an inspector.
What an audit trail looks like that prevents enforcement
The CCB’s enforcement capacity is real, but so is its stated preference for cooperative compliance. Organisations that can demonstrate a documented, good-faith compliance effort stand on fundamentally different ground than those that cannot produce evidence at all.
The evidence a CAB auditor or CCB inspector expects to see maps directly to the ten minimum measures listed in Article 21(2) of the NIS2 directive, as transposed into the Belgian law. Key areas include: access control logs showing least-privilege enforcement per user and device; incident detection and response records with timestamps that support the 24-hour early warning and 72-hour incident notification windows; device posture checks demonstrating that only compliant endpoints gain access; network segmentation evidence, including per-device isolation for equipment that cannot run an agent; encryption documentation covering data in transit across all external connections; and supply chain risk assessments with documented security requirements for service partners.
The common thread is demonstrability. A policy document that describes what should happen is weaker evidence than a platform log that shows what did happen. This is where a consolidated security architecture makes a measurable difference to enforcement risk.
Jimber’s SASE platform generates this evidence from a single console. Access logs, policy enforcement records, device posture results, encryption status, and segmentation configurations are all captured in one audit trail. For mid-market teams preparing for their first NIS2 compliance checklist review, this consolidation turns evidence collection from a multi-week project into a standard operational output. Organisations that have already completed their CyFun self-assessment can use the same platform data to close any gaps that auditors flag.
Frequently asked questions
What is the maximum NIS2 fine for a Belgian essential entity?
The maximum is EUR 10 million or 2% of worldwide annual turnover, whichever is higher. For an essential entity with EUR 500 million in global revenue, the turnover-based calculation yields EUR 10 million, matching the fixed cap. The law applies the higher of the two amounts in every case. These amounts are set in Title 4, Chapter 2 of the Law of 26 April 2024.
Can CCB fine individual directors personally?
The CCB itself imposes fines on the entity, not on individuals directly. However, the law establishes personal liability for board members who fail to approve and oversee cybersecurity measures. In cases of repeated non-compliance by essential entities, the CCB can request a court to temporarily suspend individuals from management functions. Civil liability claims from shareholders or third parties can also follow if a board member’s negligence led to damages, as detailed in the analysis of NIS2 boardroom liability in Belgium.
How often does CCB perform proactive audits?
Essential entities face mandatory regular conformity assessments. The law does not specify a fixed frequency, but the CyFun framework implies a three-year audit cycle for essential entities. Important entities are supervised reactively and are not subject to proactive audits unless incidents or evidence of non-compliance trigger an investigation. Important entities can voluntarily undergo verification to gain a legal “presumption of conformity.”
What happens if my organisation missed the CyFun verification deadline?
The 18 April 2026 deadline required essential entities to complete CyFun verification by an accredited CAB (or to present an equivalent ISO 27001 certification) and submit the result to the CCB. Missing this deadline is itself a compliance failure. However, the CCB has indicated operational flexibility for entities that initiated the process on time but face CAB capacity constraints. Organisations that took no action and cannot demonstrate any compliance effort face the highest enforcement risk. The priority action is to document good-faith progress immediately and schedule a CAB engagement.
Can NIS2 fines be appealed in Belgium?
Yes. Every CCB sanction decision can be appealed before the Raad van State (Council of State). Filing an appeal does not automatically suspend the sanction. The entity must file a separate motion for suspension, which the Raad van State may or may not grant based on the urgency and merits of the case.
Are NIS2 fines covered by cyber insurance in Belgium?
This is an evolving area. Most standard cyber insurance policies cover incident response costs and business interruption. Coverage for administrative fines is legally problematic under Belgian law, particularly when the fine results from negligence. Director & Officer (D&O) policies may provide partial protection for personal liability, but coverage varies between insurers. Consult your broker and legal counsel for a definitive answer based on your policy.
How do NIS2 fines compare to GDPR fines for the same incident?
A data breach at a NIS2 entity triggers dual reporting: to the Gegevensbeschermingsautoriteit (GBA) under GDPR and to the CCB under NIS2. Both authorities can open investigations and impose sanctions. GDPR fines for severe violations can reach EUR 20 million or 4% of worldwide turnover. NIS2 fines cap at EUR 10 million or 2%. Article 35 of the NIS2 directive, transposed into the Belgian law, prevents the CCB from imposing a NIS2 administrative fine for the same conduct that the GBA has already fined under GDPR, but fines for distinct failures arising from the same incident remain possible, as do non-financial measures such as binding instructions. The NIS2 incident reporting timelines (24-hour early warning, 72-hour incident notification) also run in parallel with the GDPR 72-hour notification, so a single incident produces two separate sets of deadlines.
The enforcement phase of NIS2 in Belgium is no longer hypothetical, but it is not a cliff edge. The CCB has built a procedurally sound framework that rewards demonstrable compliance effort and penalises inaction. For organisations that have not yet started, the gap between “working towards compliance” and “doing nothing” matters more than anything else. Book a demo with Jimber to see how a single SASE console produces the audit evidence your CyFun verification requires, or start with the NIS2 compliance checklist to map your current position.