Belgium, a European model according to ANSSI. A “source of inspiration”

7,380 entities registered. This is far more than the eligible “important” and “essential” entities. A great success, comments Phédra Clouner, a few days before the first anniversary.

October 18, 2024 is the date on which the NIS2 law came into force in Belgium. As a reminder, Belgium was the first European Union member state to fully implement the new rules of the European directive on cybersecurity. “The aim of this major step forward is to significantly strengthen the level of cyber resilience of a large number of organizations operating in our country,” explains Phédra Clouner, Deputy Director General, CCB (Centre for Cybersecurity Belgium). A few days before the anniversary, we can already call it a success. In mid-September, there were some 7,380 registered organizations, including 2,475 “important” entities and 1,472 “essential” entities.

Although the NIS2 law applies to a wider range of entities than the NIS1 directive, covering services that are essential for socio-economic activities or public safety, the CCB did not expect to register so many organizations. “This means that NIS2 is not seen as a burden, but rather as a major strategic opportunity in the sense that it encourages the strengthening of cybersecurity and digital resilience,” continues Phédra Clouner.

Belgium, a source of inspiration

By implementing the security measures required by the directive and, subsequently, by law, companies can effectively reduce their cyber risks, improve their digital maturity, strengthen their brand image with their customers and partners, and, finally, structure their cybersecurity governance.

“The NIS2 message has been well received. In Belgium, in particular, we have understood that we are not here to punish, but to help! Proof of this is the use of our Cyberfundamentals resources: guides, fact sheets, webinars… even network scanning!”

Better still: the Executive Director of ANSSI, the European Union Agency for Cybersecurity, praised Belgium during a hearing before the Special Committee on Resilience and Cybersecurity: “Belgium,” he said, “is a source of inspiration for all of us, and not just in the transposition of NIS2. My colleagues and comrades at the CCB are particularly inspiring, innovative, and pragmatic in a number of initiatives they have been able to carry out, well before the transposition of NIS2. So we are looking closely at what they are doing and consulting with them on a fairly regular basis…”

An opportunity for lasting growth

The CCB did its job. And the market followed suit. First, NIS2 strengthens brand image and confidence: better cybersecurity and compliance with European standards boost the confidence of partners, customers, and other stakeholders, thereby improving the company’s reputation. Second, it is an opportunity to structure governance: the directive encourages organizations to structure and improve their overall cybersecurity governance, which is essential for proactive risk management. Third, and finally, there is the competitive advantage: companies that take a proactive approach to NIS2 compliance can stand out from their competitors, who may be lagging behind in their implementation.

It remains to be seen how much weight has been given to the individual accountability of executives. The text is clear: management is now responsible for decisions related to cybersecurity. “A wake-up call?” asks Phédra Clouner. In fact, responsibilities are no longer limited to the CISO alone. Executives must understand, steer, and take ownership of strategic cybersecurity choices.

Nevertheless, Phédra Clouner concludes, “NIS2 provides a framework for improving cybersecurity posture, while also representing an opportunity for organizations to strengthen themselves in the long term, gain maturity, and consolidate their position in the market.”