The official threshold
Belgium transposed NIS2 into national law via the NIS2-wet (wet van 26 april 2024). Under this law, two categories of entities are in scope:

| Category | Threshold | Obligations |
|---|---|---|
| Essential entities | 250+ employees or €50M+ revenue | Stricter supervision, proactive audits |
| Important entities | 50+ employees or €10M+ revenue | Reactive supervision, self-assessment |

Both categories must implement the same security measures; the difference is mainly in how the CCN (Centre for Cybersecurity Belgium) supervises you.
The 18 critical sectors
Size alone doesn't trigger NIS2. You also need to operate in one of the designated sectors. The most common ones Belgian KMOs fall into:
- Energy (electricity, gas, oil, district heating)
- Transport (road, rail, air, water)
- Banking and financial market infrastructure
- Health (hospitals, labs, pharma, medical devices)
- Drinking water and wastewater
- Digital infrastructure (DNS, cloud, datacentres, CDNs)
- ICT service management (managed service providers, managed security providers)
- Public administration
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Postal and courier services
- Waste management
Where it gets complicated
The nuance most guides skip: if you supply services to an essential or important entity, you may fall under NIS2 indirectly. Large companies in scope are required to assess the security of their supply chain — meaning they'll push NIS2-equivalent requirements down to their suppliers regardless of the supplier's size.
A 30-person IT services firm supplying a hospital network, a logistics provider servicing a food manufacturer, or a software company whose product is used by a bank — all of these could face NIS2-style obligations from their clients even if the law doesn't directly apply to them.
The other complication: companies can self-register voluntarily. Some Belgian KMOs are choosing to register and get ahead of requirements because it differentiates them with larger clients who need to demonstrate supply chain compliance.
What to do if you're not sure
The CCN has a self-assessment tool, but it's designed for companies that already know they're in scope. If you're genuinely unsure, the practical approach is:
- Map your sector against the 18 listed in the law
- Check your headcount and revenue against both thresholds
- Review your three largest clients — are any of them in scope?
- If any answer is "yes" or "maybe", treat yourself as in scope
The cost of being prepared and not required is far lower than the cost of being required and unprepared. The CCN can impose fines of up to €10M or 2% of global turnover for essential entities, and €7M or 1.4% for important entities.