by Gorik Van den Bergh and Güney Yalcin
Digital threats are increasing exponentially. This means that cybersecurity is no longer a purely technical matter for companies today, but a strategic priority. With the NIS2 legislation, Europe has also legally enshrined this reality. And time is running out: although Belgium's NIS2 law has been in effect since Oct. 18, 2024, April 18, 2026 represents a crucial milestone for many organizations. After all, by that date, it is no longer enough to plan or partially implement measures. Organizations must be able to effectively demonstrate compliance.
Summary:
By April 18, 2026, you must be able to demonstrate NIS2 compliance
Check whether your organization qualifies as an essential or important entity
Prove compliance via CyFun or ISO 27001
Count on 3-6 months of preparation for audit/certification
Not compliant? Risk of fines, liability and reputational damage
Not every organization has the same obligations. NIS2 distinguishes between two categories:
Essential entities
Larger organizations operating in critical sectors such as energy, healthcare, transportation or digital infrastructure.
Important entities
Medium-sized organizations or service providers in relevant sectors.
This classification determines what measures you need to take as well as how to demonstrate compliance.
The April 18, 2026 deadline marks a clear shift: organizations must not only make efforts, they must also be able to formally substantiate compliance. In other words, "We are working on it" is no longer enough; you have to provide proof.
For essential entities, this means demonstrating compliance through an external audit.
Important entities are not subject to a mandatory audit, but must be demonstrably compliant. Audits can still be conducted (e.g., after an incident).
This makes cybersecurity measurable, verifiable and enforceable.
In Belgium, there are two common ways to demonstrate NIS2 compliance:
The Belgian CyberFundamentals framework, developed by the Center for Cybersecurity Belgium (CCB), is the most widely used approach today.
Characteristics:
Three levels: Basic, Important, Essential
Focus on concrete and operational security measures
Phased approach possible
ISO 27001 is an internationally recognized standard that focuses on building a complete Information Security Management System (ISMS).
Characteristics:
Strategic and structural approach
Extensive scope
International recognition
Although April 18, 2026 is the key milestone by which organizations must be able to demonstrate compliance, both the CyberFundamentals framework and ISO 27001 pathways allow for further rollout or certification (depending on the pathway chosen and the level of assurance required) until no later than April 18, 2027.
A common misconception is that compliance amounts to ticking off a checklist. In reality, it involves a thorough evaluation of your organization.
Self-assessment of your cybersecurity level
External audit by a recognized party
Verification of documentation and effective implementation
This process takes an average of three to six months, depending on the maturity of your organization.
The consequences of non-compliance are not minor:
Fines of up to €10 million or 2% of your global turnover
Potential personal liability of directors
Reputational damage and loss of trust
Cybersecurity thus becomes explicitly a board-level responsibility.
For many organizations, NIS2 seems complex at first, but the first steps are often clearer than you think. It starts with correctly assessing your position: do you qualify as an essential or important entity? From there, you map your current cybersecurity level and identify the biggest risks and gaps.
Based on that analysis, you choose an appropriate course, such as CyberFundamentals or ISO 27001, and work towards demonstrable compliance. Crucial to this is starting on time. Not only because the process takes several months, but especially because NIS2 goes beyond IT alone. It also affects your governance, risk management and strategic decision-making. Therefore, management involvement is not a nice-to-have, but an absolute prerequisite for success.
NIS2 is often seen as a pure compliance exercise, but in reality it mainly offers an opportunity to strengthen your organization. You get a better grip on risks, increase your operational resilience and actively build trust with customers, partners and stakeholders. The April 18, 2026 deadline is therefore not an end point, but an important step toward a sustainable digital strategy.
Gorik Van den Bergh
Team Lead IT audit gorik.vandenbergh@vdl.be
Güney Yalcin
IT Risk Advisor guney.yalcin@vdl.be
Disclaimer
In our opinions, we rely on current legislation, interpretations and legal doctrine. This does not prevent the administration from disputing them or from changing existing interpretations.