NIS2, a real start… but uneven and often inadequate
Although many organizations have ‘embraced’ NIS2, the majority do not yet meet the expected level of robust and sustainable compliance, according to Fabrice Hecquet, CEO of CyberXpert. Taking stock after one year.
“Various studies and reports show that the work—inventories, governance, teams, and initial action plans—has indeed begun, but that a significant proportion of organizations are not yet ‘ready’ in the sense of full compliance.”
According to studies, the average level of preparation is around 50 to 60% for the most important controls, which represents a significant gap between the efforts made and the required level. For example, Aon has measured an average level of preparation of around 58% for a series of critical measures.
“After a year, we are still far from full compliance and also far from a sustainable approach in all areas – governance, incident management, testing, supply chain, documentary evidence,” says Fabrice Hecquet. The work that remains to be done is mainly organizational: governance, contracts, reporting. And human: skills, change management.
The clock is ticking
NIS2 has clearly turned companies’ cybersecurity trajectories upside down: the activation of obligations has led to concrete projects and budgets, but progress remains uneven. The challenges are not only technical in nature, but mainly relate to governance, financing, skills, and coordination with third parties.
In Belgium, the presence of a pragmatic national reference framework (CyFun) and the active role of the CCB facilitate the start, but the clock ticking towards the 2026-2027 deadlines is forcing acceleration. “Companies that have not yet structured their governance and prioritization run a real risk of overload or non-compliance in the next 12-24 months,” warns Fabrice Hecquet.
The challenges for the future
As the deadlines approach, a large number of evaluations will take place, intensifying the audits. The robustness and quality of the audits will be crucial to ensuring the credibility of the approach. Regulatory pressure will only increase. The CCB and sectoral authorities could shift to a more repressive stance, particularly in cases of serious incidents or clear non-compliance with obligations.
“Beware of domino effects on value chains,” warns Fabrice Hecquet. Even “important” or non-important entities within the scope of application may face compliance requirements from their customers, often essential entities. This spreads the NIS2 approach to the entire ecosystem, or at least creates the expectation that the cyber robustness of the supply chain can be demonstrated.
Gap analyses: “checked”
It is clear that reporting and supervision will be strengthened. Document control, auditability, traceability, and security standards will become full-fledged assessment criteria. Companies will have to strengthen their internal function (security officer, compliance team, ongoing training) to take on follow-up, evaluation, and continuous improvement.
Fortunately, many companies have already carried out a gap analysis (deviation balance), either using the self-assessment tool set up by the CCB or by calling on specialized external companies.
A tight schedule and heavy measures
Many entities will reach the “Basic” or “Important” level by 2026, but only the most mature entities will be able to reach the “Essential” level within the set deadline, predicts Fabrice Hecquet. “Essential entities could impose compliance requirements on their suppliers or partners—even if they were not initially subject to them—accelerating the spread of the NIS2 framework throughout the ecosystem.”
The reference frameworks (CyFun, ISO standards, NIST) will evolve to incorporate feedback from practice, technological advances (AI, IoT, OT), and emerging threats. In fact, an update to CyFun has just been published.
Companies will increasingly view cybersecurity as a strategic pillar linked to resilience, business continuity, data protection, and legal liability, rather than a technical silo.
NIS2, a policy of change
Some controls are complex to implement. The most complex and costly “Essential” controls in CyFun are those relating to governance, identity management, continuity, and the supply chain. They require multi-year projects, a significant investment, and interdepartmental mobilization (IT, HR, legal department, purchasing, management).
“When we take control of the supply chain in a company with hundreds of third parties, implementing these controls requires applying a real policy of change,” continues Fabrice Hecquet. “We need to be able to classify them in terms of risk (which third parties pose the greatest risk to the company’s activities) and economic impact (if they do not meet the minimum guarantees)…” The players in a supply chain can range from AliExpress to Microsoft, via the telecom provider and the service companies that have access to the information system.
A clear pace
One year after the entry into force of the NIS2 framework in Belgium, progress is promising but still incomplete. Many companies have jumped on the bandwagon: registration, initial diagnoses, partial implementation of measures. However, few are already fully compliant and verified as such.
“There are numerous obstacles: resources, skills, governance, supply chain, sectoral technical constraints. The Belgian framework offers an advantage with the CyFun reference framework and the associated tools, but that does not exempt us from a real, structured, and sustained effort.”
For Fabrice Hecquet, the April 2026/2027 deadlines set a clear pace: organizations must now pick up speed, structure their approach, set priorities, and finally ensure that compliance is not seen as a superficial “checklist” but as a sustainable attitude of cyber resilience.