NIS2 and local Belgian public authorities : who falls under the scope?

In its latest Threat Landscape Report, the European Union Agency for Cybersecurity (ENISA) highlights that cyber threats are continuously growing, with increasingly sophisticated attacks. According to this report, the public sector accounts for nearly 20% of all cyberattacks [1]. Cybersecurity has therefore become a priority for public services. To strengthen the common cybersecurity framework in Europe, the European Union adopted a directive on this matter in 2022 [2], known as NIS2 (Network and Information Security).
Although local public authorities (such as municipalities, social welfare centers (CPAS / OCMW), inter-municipal bodies) are not all directly targeted, some of their activities may bring them under the scope of NIS2.
Are you subject to NIS2? Application criteria
Critical activities and size thresholds: the two main criteria
An entity is subject to NIS2 if it:
- Carries out an activity listed in Annex I or II of the directive or of the Belgian transposition law [3] (e.g. water, healthcare, transport, research, etc.);
- Reaches a certain size threshold:
  - At least 50 full-time equivalents (FTEs). All employees under the same legal entity must be counted. For instance, for a municipality, the staff working in schools is included.
  - An annual turnover or balance sheet exceeding 10 million euros.
However, an entity can also be designated as essential or important regardless of its size, if it provides a unique critical service or if its disruption could have an impact on public security or the economy [4].
Local public authorities: which activities may fall under NIS2?
Local entities are not automatically subject to the NIS2 legislation. However, certain sector-specific activities they perform may lead to their inclusion.
This can happen automatically (due to activity and size) or be the result of a decision by the Centre for Cybersecurity Belgium (CCB) [5].
Here are a few examples where a local entity falls under NIS2 due to its activities and because it exceeds the size threshold mentioned above:
- Drinking water supply to citizens
Local authorities that operate their own water distribution and wastewater networks fall under the service categories subject to NIS2.
- Care and Nursing Homes
Some CPAS / OCMW may operate a nursing home in their territory. Given that healthcare services are provided in these places, the activity is included in the annexes to NIS2 and the entity (the CPAS / OCMW as a whole) may be subject to the legislation.
- Photovoltaic Parks / Renewable Energy
If a local entity operates a renewable energy facility (solar panels, wind turbines), it is considered an electricity producer and may be subject to NIS2.
What are the obligations for entities concerned by NIS2?
The law distinguishes between two categories of regulated entities: essential entities and important entities.
This classification is based on the nature of the activities carried out and the size of the organisation. The distinction affects the level of maturity expected, as well as the applicable supervision regime:
Essential entities are subject to proactive oversight by the competent authority and must undergo certification by a designated supervisory body.
Important entities are subject to reactive oversight, typically following an incident or in the event of a report, and are not required to be certified.
In both cases, the requirements for risk management, information system security and incident reporting are similar. The categorisation mainly influences the monitoring procedures, evaluation methods and formal compliance requirements (such as attestation or certification).
Entities subject to the directive must maintain a compliance file containing certain mandatory documents. The obligations to be documented include, but are not limited to [6]:
- Appoint a cybersecurity officer;
- Conduct a risk analysis;
- Establish an information systems security policy;
- Implement technical and organisational measures;
- Train all personnel in cybersecurity;
- Report significant incidents to the CCB.
CyFun: the recommended framework for public administrations
The CyberFundamentals Framework (referred to as “CyFun”), developed by the CCB, is the officially recommended method [7] for structuring compliance with the requirements of the NIS2 directive within public administrations.
It offers a progressive and proportionate approach, adapted to the diversity of public and private organisations.
The framework is structured into four levels:
- Small: Designed for very small structures or those with limited resources, it provides a minimum set of easy-to-implement measures.
- Basic: A foundational level applicable to all organisations, covering essential security measures to guard against common threats.
- Important: This level applies to entities that play a significant role in society or the economy. They must implement enhanced cybersecurity measures. Entities classified as “important” under the directive must reach this level.
- Essential: Intended for the most critical entities, those whose compromise would have a major impact on essential services for society or the economy. These organisations are subject to the strictest requirements regarding risk management, governance, incident detection, business continuity and formal certification. Entities classified as “essential” under NIS2 must reach this level of maturity.
CyFun is aligned with internationally recognised standards (ISO 27001, NIST, CIS Controls) and serves as a reference point for evaluation, self-assessment, audit or certification in cybersecurity, for both entities subject to NIS2 and those choosing to structure their cybersecurity proactively.
Key steps to a successful NIS2 compliance
The following initial measures enable entities to begin their NIS2 compliance journey. They serve as a foundation, upon which more formal obligations can later be built. These are the priority actions to implement:
- Identify critical assets and processes: establish an inventory of systems, equipment, services and information flows essential to the organisation’s operations.
- Perform a risk analysis: assess threats, vulnerabilities and potential impacts for each critical asset.
- Choose a suitable reference: international standards (ISO 27001, NIST, etc.) or the appropriate CyFun level.
- Implement initial technical measures: such as multi-factor authentication (MFA), regular backups, network segmentation and access management.
- Develop a clear and documented information systems security policy.
- Train and raise awareness among staff: integrate cybersecurity into the organisation’s culture.
- Establish procedures for incident monitoring and response: set up mechanisms for alerting, analysis and remediation.
These initial actions lay the groundwork for concrete progress toward NIS2 compliance. They provide a strong base for securing systems, structuring cybersecurity governance, and gradually meeting the expectations of the CCB. Their implementation is important for building a coherent, sustainable and field-based strategy.
Not (yet) subject to NIS2? Here's why you should still take action
Even without a formal legal obligation, every public or private organisation, regardless of size or sector, has an interest in strengthening the security of its information systems. CyFun is therefore a relevant, nationally recommended basis that allows any entity to implement gradual cybersecurity measures tailored to its capabilities.
Adopting a maturity-based approach to cybersecurity means:
- Gaining trust: a potential strategic advantage in public partnerships, funding calls or inter-institutional relations;
- Strengthening digital resilience: ensuring the organisation is prepared to face the most common threats;
- Protecting its assets (personal data, financial data, etc.), whether they are information related to citizens, partners or critical internal processes;
- Reducing costs related to cyber incidents: including operational losses, reputational damage or legal disputes;
- Anticipating future obligations: by already applying principles likely to become mandatory under other regulatory frameworks.
The Basic level is designed as an entry point: it requires neither disproportionate investments nor advanced technical expertise but offers a solid foundation for any structure that wishes to approach cybersecurity with seriousness, method, and common sense.
More than a legal obligation: a strategic opportunity
NIS2 applies to certain public or private entities based on their activity and size. But beyond these objective criteria, it is the critical nature of the services rendered that can cause an entity to fall within the scope.
In Belgium, the CCB has a designation power: it can identify a subject entity even if it does not meet the usual threshold conditions.
In this context, we recommend that every organisation view cybersecurity not as a technical constraint, but as a strategic governance issue.
The CyFun framework allows organisations to increase their maturity progressively, realistically, and in alignment with best practices.
Finally, it is worth noting that registration with the CCB was mandatory before 18 March 2025 for subject entities.
But beyond this obligation, it is also an opportunity: entities that register voluntarily can benefit from tools, guidance, and valuable support—regardless of their compliance status.
Cybersecurity should not be endured; it should be anticipated.
Not sure where to start? We can help.
CTI Consulting supports organisations in understanding NIS2 requirements, implementing the CyFun framework, and deploying cybersecurity policies tailored to their operational context. Whether it’s an initial assessment, a prioritised action plan, or long-term support, our approach is pragmatic, multidisciplinary, and field-oriented.
[1] ENISA, Threat Landscape 2024, September 2024, p. 16. Available at: https://www.enisa.europa.eu/sites/default/files/2024-11/ENISA%20Threat%20Landscape%202024_0.pdf#page=17
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive), OJ L333, 27/12/2022, pp. 80–152.
[3] Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public safety (hereinafter “NIS2 Law”).
[4] Article 11 of the NIS2 Law.
[5] The Centre for Cybersecurity Belgium (CCB) is the authority responsible for ensuring the proper application of the NIS2 directive in Belgium.
[6] Articles 30–38 of the NIS2 Law.
[7] CCB Guidance 01/2024 of 24 January 2024, “Directive for the Information Systems of Public Administrations and Institutions”.
Ensure your organisation and your services are NIS2 compliant
Our NIS2 compliance consultants can help you.