Does NIS2 apply to your SME? A no-nonsense checklist
When does NIS2 actually apply to a Belgian SME? A straightforward read on the criteria, the cascade risk through your clients, and a checklist you can run yourself.

Ian
Co-Founder & CEO
One of the most common questions Belgian SMEs ask since NIS2 came into force: "Are we covered or not?" Organisations with a few dozen staff and a few million in turnover often sit in the grey zone, and the legislation itself does little to help them.
Belgium's NIS2 law (of 26 April 2024) entered into force on 18 October 2024. Below is a straightforward read on who falls under it, where the cascade risk sits, and a checklist you can run yourself.
When does NIS2 apply?
There are two conditions. Both must apply at the same time.
- Your organisation operates in a listed sector (Annexes I and II of the directive).
- You are a 'medium' or 'large' enterprise. In practice: at least 50 employees, OR more than 10 million euros in annual turnover (or balance sheet total).
Sectors that often get forgotten:
- Drinking water and waste water companies, including small inter-municipalities
- Postal services, including couriers above a certain threshold
- Manufacture of chemicals, food, medical devices
- ICT providers such as managed service providers and data centres
- Research institutions, universities and some non-profits
If you fall under NIS2, you had to register with the CCB via Safeonweb@Work by 18 March 2025. Essential entities have until 18 April 2026 to fully implement the baseline measures; important entities get more lead time in practice.
What if you sit just below the threshold?
This is where it gets tricky. A common scenario: an SME assumes it is out of scope based on size, but sits in the supply chain of a NIS2-covered client. That client is required by law to manage its own cybersecurity risk, and passes the requirements down through supplier reviews. Those reviews routinely include lines like: "supplier must demonstrate equivalent cybersecurity measures."
That is not a legal obligation on you. It is a commercial one. And commercial pressure tends to weigh heavier.
Five questions that determine your scope
- Sector and size: both criteria met? Five minutes of work to check.
- Client portfolio: at least one NIS2-covered client in there? Cascade risk.
- Active contracts: any security clause you could not honestly tick today?
- Insurance: does your cyber policy already carry evidence requirements in the questionnaire?
- Management: does the owner-manager know what counts as a 'reportable incident'?
Anyone who answers "I don't know" to questions two through five has an exposure that goes beyond the legal obligation. That is where the real work starts.
Concrete first steps
If you have done nothing yet:
- Run a sector check on safeonweb.be. Ten minutes.
- Inventory your critical systems. One tab in Excel: application, owner, how many hours the business survives without it. No tooling needed.
- Talk to your insurer. Ask explicitly which evidence requirements in the policy are tacit today, and what changes at renewal.
- Book a call with a provider. Not for a quote, but for a second opinion. One hour costs nothing and brings your blind spots into focus.
NIS2 is not a reason to panic, but it is a reason to figure out where you stand. If you are not covered, you want to know that too. Preferably before a client or an insurer asks you.