A new cybersecurity law alongside the GDPR
The NIS2 directive (Network and Information Security Directive 2) is a European law requiring businesses to get their cybersecurity in order. While the GDPR focuses on personal data, NIS2 takes a broader look at the security of your networks, systems, and services.
The directive has been in effect since October 2024 and is being transposed into national legislation by EU member states. For businesses already working under the GDPR, the good news is that there is considerable overlap.
Who falls under NIS2?
Under the Belgian NIS2 law you fall directly within scope when you meet all three of the following criteria at the same time:
- You provide a service listed in Annex I or Annex II of the NIS2 law (see sectors below)
- You are at least a medium-sized enterprise: 50+ full-time staff, or both annual turnover and balance sheet total above 10 million euros
- You have an establishment in Belgium
Sectors
Annex I - highly critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space.
Annex II - other critical sectors: postal and courier services, waste management, manufacture of chemicals, food production and distribution, manufacturing, digital providers, research.
Within these sectors, the law splits entities into essential (regular supervision) and important (supervision after incident or complaint). The cybersecurity requirements are identical for both.
Regardless of size
Some providers fall under NIS2 automatically, even below the 50-FTE threshold: qualified trust service providers, DNS service providers, providers of public electronic communications networks, and organisations formally designated as critical entities.
The supply chain - why smaller SMEs should pay attention too
Not directly in scope, but a supplier to an NIS2 entity? Your customer can contractually require you to implement appropriate cybersecurity measures. The CCB explicitly recommends that non-NIS2 suppliers meet at least the Basic level of the CyberFundamentals framework - exactly what GDPRWise helps you with.
How to check whether NIS2 applies to you
The CCB publishes a NIS2 Scope Assessment Tool and Quickstart Guide. Registration was due by 18 March 2025 (18 December 2024 for digital providers). A conformity assessment via the CyberFundamentals framework is required by 18 April 2026.
What does NIS2 require?
The core obligations:
- Risk assessment - identify and assess risks to your network and information systems
- Security measures - take appropriate measures based on that risk assessment
- Incident reporting - report significant incidents within 24 hours (early warning) and submit a full report within 72 hours
- Business continuity - ensure backups, recovery plans, and crisis management
- Supply chain security - assess the security risks of your suppliers
- Management accountability - management is personally responsible for cybersecurity
The overlap with GDPR
If your GDPR compliance is in order, you already have a solid foundation:
| Requirement | GDPR | NIS2 |
|---|---|---|
| Risk assessment | Yes (DPIA) | Yes |
| Security measures | Yes (Art. 32) | Yes |
| Incident reporting | 72 hours (data breach) | 24 hours (early warning) |
| Documentation | Processing register | Security policy |
| Supplier management | Data processing agreements | Supply chain review |
How does GDPRWise help?
GDPRWise Enterprise has a full NIS2 action list and templates built in. You do not start from scratch: every GDPR action you have already completed counts automatically toward NIS2.
Based on the Belgian CyberFundamentals framework
Our NIS2 action list follows the CyberFundamentals framework published by the Centre for Cybersecurity Belgium (CCB). The framework defines four assurance levels - Small, Basic, Important, and Essential - and our action list aligns with the Basic level.
The Basic level is designed for any organisation that wants to protect itself against common cyber risks using generally available technology. In practice, this fits most SMEs. You do not need to be formally in scope of NIS2 to benefit: every SME that takes cyber and privacy seriously should at least be working toward this baseline.
The framework is internationally grounded and maps onto NIST CSF, ISO 27001/27002, IEC 62443, and CIS Critical Security Controls.
Your GDPR work, reused
No duplicate effort. GDPRWise shows exactly which controls already count twice:
- Your third-party file documents your suppliers and their security measures - directly usable for the NIS2 supply chain security requirement
- Your security checklist shows which technical and organisational measures you have taken
- Your data breach procedure forms the basis for your NIS2 incident reporting process
- Your processing register contains the inventory of systems and data flows
NIS2-specific actions and templates
Where NIS2 goes beyond GDPR, we add the actions and templates:
- Risk assessment template - a structured document to map out network and information system risks
- Information security policy - a formal policy that meets NIS2 requirements
- Business continuity plan - template for backup, recovery, and crisis management
- Incident reporting procedure - aligned with the NIS2 timelines (24h early warning, 72h report)
- Management accountability - documentation for executive approval and training
- Periodic controls - 2FA reviews, access management, data retention, tuned for NIS2
Visible progression
Your compliance score grows from Basic to Advanced to NIS2 - Robust. You see at a glance where you stand and what still needs to happen.
Where does NIS2 sit in GDPRWise?
NIS2 capabilities are in the Enterprise plan, or available separately as an add-on to Peace of Mind. Get in touch if you want to know whether NIS2 applies to your organisation.
Start with the free scan to get your GDPR foundation in order. Upgrade to Enterprise for the full NIS2 action list and templates.