Many companies not ready for tough demands of NIS2
- rozemarijn.de.neve
- Jul 16

By Jacob Mareen, Director Business Risk Services at Grant Thornton
In 2024, Belgium was one of the first European countries to approve the Network and Information Security Directive (NIS2). This means that essential and important organizations must take measures to improve the security of their IT systems. A specific interpretation by the Belgian government means that even relatively small companies that produce their own energy must comply with these strict rules.
What is NIS2?
NIS2 is an EU directive in the field of cybersecurity for essential and important organizations. The European Commission's goal is to increase the cyber resilience of organizations whose service outages would have a disruptive impact on society. It is a directive that still has to be transposed into national legislation by the member states. Belgium is the first European country to fully implement NIS2; more than half of the other European countries are not ready at the moment (early May 2025).
The organisations involved must comply with a duty of care and a duty to report.
Duty of care. The organizations must implement ten cybersecurity measures, including a cyber incident response plan and a policy on cybersecurity awareness among employees.
Duty to report. The organisations involved are also obliged to report incidents that have significant consequences for their service provision to the Computer Security Incident Response Team (CSIRT) or the sector-specific regulator.
This regulator - in Belgium the Centre for Cybersecurity Belgium (CCB) - monitors whether the duty of care and the duty to report are met. For essential organizations this is done proactively; important organizations are subject to reactive monitoring after an incident has occurred.
Essential and important
The difference between essential and important organizations lies in the possible impact on society of an outage during or after a cyber incident. The European Commission had already established in NIS1 that sectors such as healthcare, transport, energy, digital services, banks and financial market infrastructure, digital infrastructure and water companies are regarded as essential.
NIS2 has added sectors that the European Commission classifies as important: food, space, government, postal and courier services, suppliers of electronic communications networks and services, wastewater treatment, digital services such as social networks and manufacturers of critical products.
NIS2 has an important restriction: the smallest organisations are not subject to this obligation. Here the government applies the European rules for SMEs: fewer than 50 employees and less than 9 million euros in turnover.
Even so, this means that many companies do have to comply with the rules. An analysis by Grant Thornton makes it clear that at least 5,000 to 10,000 companies in Belgium must comply with the regulations.
With solar panels you become an energy company
However, the specific Belgian interpretation of the European directive significantly increases that number. Organizations that generate their own energy – with solar panels, for example, or their own wind turbine – also fall into the category of essential companies that must meet the strict requirements. For example: a construction company with a warehouse for the storage of equipment and materials does not initially fall under the rules. But as soon as there are solar panels on the roof under its own management, the contractor immediately becomes an energy supplier and therefore an essential company.
As a result, thousands of additional companies will have to comply with the rules of NIS2, which has far-reaching consequences for these organizations. It is also all hands on deck for the service providers who can help them and for the supervisory authorities.
These companies are then obliged to purchase suitable hardware and software to achieve security. But they also need many people with the right expertise. In an environment where cyber experts are thin on the ground and cybersecurity tools are becoming increasingly expensive, it is inevitable that the cost of complying with these rules will skyrocket. Small organizations in particular will have to significantly increase their budgets for IT and security. Grant Thornton expects that this will often be more than a doubling.
What is needed?
As mentioned, the government's main objective is to safeguard and improve the resilience of companies; protecting IT systems is a means to that end. The duty to report incidents quickly is important because it warns society that something is going on, so that people can be vigilant themselves. But organizations must first and foremost focus on prevention within the framework of the duty of care. That duty of care comprises a list of ten measures:
- Policy for appropriate measures against cyber threats
- Cyber incident management
- Cyber incident response plan
- Cybersecurity measures at suppliers
- Cybersecurity requirements for all network-connected equipment
- Reduction of the cyber risk level
- Cybersecurity awareness among employees
- Use of cryptographic techniques
- Identity & Access Management and asset management
- Additional measures for the protection of confidential data or communications
For consultancy firm Grant Thornton, this means an ongoing program that keeps the entire organisation and all employees permanently aware of the potential risks of cyber attacks and data theft. An important objective is that staff members change their behavior in support of the resilience of the organisation.
However, a large part of the work is also administrative: monitoring the activities on the network and developing the necessary measures, both internally and externally, including at suppliers. In practice, many organisations will use a spreadsheet made available by the Centre for Cybersecurity Belgium. The company itself remains responsible for the security of its technology (IT and OT); it must therefore retain control over that security and cannot outsource the responsibility.
Fortunately, the larger organizations are certainly well advanced with their preparations. They have already put a number of measures in place, so they do not have to start from scratch. But the big challenge is the speed with which everything has to be done. The government imposes strict deadlines. As early as April 18, 2026, the companies involved must declare that they comply with the most important rules. They then have one more year to meet even the most stringent requirements. In 2027, they must submit a certificate from an external inspection body.
How do companies tackle this?
The larger organizations that have been working on their cybersecurity for some time usually use the existing ISO27001 standard as a reference. It is a framework with rules for the implementation of an information security management system. ISO27001 contains requirements for policies and procedures, but also for the technology and physical measures that an organization can use to protect its data.
The CCB has also developed the 'CyberFundamentals' (CyFun) framework, which provides organisations with clear and pragmatic guidance to comply with the rules of NIS2. CyFun combines various international cybersecurity standards and frameworks.
This framework also forms the basis of solutions offered by external parties to help companies implement NIS2. Grant Thornton's cybersecurity tool CyberHunter, among others, uses it as a reference framework.
Penalties and fines
An important stick is that the regulator can impose very strict sanctions on organizations that do not take action. Essential organizations risk a maximum fine of at least 10 million euros or 2% of the worldwide annual turnover in the previous financial year, whichever is higher. For important organizations, a maximum fine of at least 7 million euros or 1.4% of the global annual turnover applies, again whichever is higher.
In addition, for essential organisations, a certification or licence may be temporarily suspended, or an executive at the level of managing director or legal representative may be temporarily suspended from that role.
Conclusion
For Grant Thornton, it is clear that these last provisions on the responsibility of top management will certainly have an impact. As a result, management will hopefully take these obligations very seriously.
It is now up to the companies to prepare for the introduction of these drastic measures. Time is running out.