NIS2 Compliance in Practice: Lessons from Belgium’s First Year
NIS2 compliance has long felt like an approaching deadline rather than a lived reality for many organisations across Europe. That is beginning to change. As member states move from transposition to enforcement, the directive is shifting from policy language to operational impact — altering reporting practices, governance expectations, and supply chain dynamics.
Belgium offers one of the earliest practical case studies. It was the first EU member state to transpose NIS2 into national law. That early implementation provides observable signals from which to draw wider lessons. For German and DACH organisations preparing for sustained NIS2 oversight, Belgium’s experience is worth examining closely.

Lesson One: Mandatory Reporting Changes the Culture
One of the clearest early signals from Belgium’s implementation is the increase in incident notifications. According to analysis of Belgium’s first year of NIS2 enforcement, monthly reports rose from an average of around 25 to more than 45.
Mandatory reporting thresholds compel organisations to formalise internal detection and escalation processes. Incidents that may previously have been handled quietly or classified as minor disruptions are now assessed against regulatory criteria and reported accordingly. At the same time, Belgium’s Cybersecurity Centre (CCB) has positioned itself as a support partner in incident containment. That framing appears to have strengthened trust and reduced hesitation around disclosure.
NIS2 will almost certainly lead to visible increases in reported incidents across other member states. Boards and senior management should not interpret this as a sudden collapse in resilience. Rather, it reflects a maturing reporting culture and clearer accountability structures. Under-reporting in the early stages of implementation may in fact become a greater red flag than rising numbers.
The broader lesson is that NIS2 goes beyond controls — it is also about transparency. Organisations that treat incident reporting as a cooperative risk-management process rather than a reputational liability will adapt more smoothly as regulatory oversight intensifies.

Lesson Two: Regulatory Complexity Is Becoming the Real Burden
If increased reporting is the visible impact of NIS2, regulatory fragmentation may be the quieter strain underneath it. Belgian organisations have pointed to overlapping obligations across NIS2, DORA, CER, GDPR, and sector-specific frameworks as one of their primary challenges. The technical requirements are often comparable, but reporting deadlines, terminology, and supervisory expectations can differ significantly.
For organisations operating across multiple sectors or multiple member states, this creates governance complexity rather than purely technical difficulty. An incident might trigger parallel notification obligations under different frameworks, each with distinct timelines and documentation requirements. Without a centralised governance structure, compliance can become reactive and inconsistent.
This is particularly relevant for Germany and the wider DACH region, where many companies operate internationally or fall under multiple regulatory umbrellas. Organisations that treat NIS2 compliance in isolation — rather than as part of a broader compliance ecosystem — may find themselves duplicating effort or missing cross-framework dependencies.
Belgium’s experience suggests that maturity under NIS2 will increasingly depend on governance alignment. Technical teams may implement controls, but executive leadership must ensure regulatory obligations are mapped, harmonised, and embedded into operational workflows.

Lesson Three: Supply Chain Pressure Is Falling on Less Mature SMEs
Supply chain management was always going to be a key implementation challenge. SMEs providing services to large NIS2 entities are being asked to meet stringent security expectations, often without the maturity or resources to do so comfortably.
Essential and important entities must assess and manage supply chain risk under NIS2. That inevitably places new expectations on their vendors. For smaller organisations that have not previously prioritised cybersecurity, this can feel abrupt.
The lesson is not that SMEs are being unfairly burdened. Rather, NIS2 changes the security baseline of entire ecosystems. Even organisations that are not themselves directly designated may find that customers begin requesting evidence of risk management, documentation, and incident processes.
Belgium’s experience suggests that supply chain expectations will likely become one of the most practical pressure points of NIS2 compliance — and that the organisations best positioned to respond will be those that have already taken steps to assess and document their own security posture.

Lesson Four: Sector Maturity Shapes NIS2 Compliance in Practice
Belgium’s experience highlights a clear divide between sectors that were already heavily regulated and those that were less so. Banking and energy operators entered the NIS2 era with relatively high levels of cybersecurity maturity due to long-standing regulatory pressure. For them, NIS2 represents an extension and alignment of existing practices rather than a fundamental transformation.
By contrast, newly covered sectors — such as parts of waste management and segments of the water sector — had not historically needed to prioritise cybersecurity to the same degree. For these organisations, NIS2 is less about incremental adjustment and more about structural catch-up.
Belgium also noted that the public and healthcare sectors remain particularly attractive to cybercriminals, adding further urgency to compliance efforts. The combination of lower historical maturity in some sectors and high threat attractiveness in others creates uneven starting points across the economy.
NIS2 compliance will not feel uniform in practice. Organisations in sectors with limited prior regulatory oversight should anticipate steeper governance and documentation adjustments. Those in already mature sectors may instead face refinement and harmonisation challenges. Belgium’s early rollout shows that implementation outcomes vary significantly depending on where an organisation began, not on how the directive is written.

Lesson Five: Implementation Tone Matters as Much as Legal Authority
Belgium’s final lesson is perhaps the most instructive. While the directive grants inspection and sanction powers, the CCB has deliberately taken a pragmatic, support-oriented approach. No sanctions were issued within the first year of implementation. Entities are encouraged to report incidents early and treat inspections as part of a learning process rather than an adversarial audit.
That tone appears to be influencing behaviour. Increased incident reporting has coincided with an emphasis on cooperation rather than punishment. Even classification disputes — such as those involving companies initially designated as “essential” — have been resolved through dialogue and practical reassessment.
The lesson is that early-stage implementation benefits from engagement. This works both ways: companies that approach NIS2 as a collaborative resilience framework rather than a compliance threat are more likely to benefit from constructive regulatory relationships.
Belgium’s experience suggests that regulators can shape culture through posture. Where authorities emphasise clarity, tools, and gradual improvement, organisations are more inclined to participate actively rather than defensively. For businesses elsewhere in Europe, that dynamic is worth watching closely as national implementations continue to mature.

From Lessons to Action
Belgium’s experience shows that organisations treating NIS2 compliance as a structured governance transformation — rather than a documentation exercise — will be better positioned as enforcement matures across Europe.
DIESEC’s NIS2 services are designed to support exactly that transition. From conducting targeted risk assessments of your digital infrastructure, to developing tailored incident response plans, to implementing reporting and documentation mechanisms aligned with regulatory expectations, DIESEC helps organisations move from interpretation to implementation.

