
NIS2 in Belgium: What does it mean for your organization – and how do you prepare?

 

Belgium has transposed the NIS2 Directive through the Law of 26 April 2024 and the Royal Decree of 9 June 2024. This makes the European cybersecurity legislation directly applicable to Belgian organizations considered essential or important.

 

The Centre for Cybersecurity Belgium (CCB) acts as the national authority. CERT.be functions as the national CSIRT (Computer Security Incident Response Team).

 

A key element in the Belgian framework is the phased notification procedure according to the CCB reporting guidelines: 

  • Within 24 hours: Early warning
  • Within 72 hours: Incident notification with initial assessment
  • Within 1 month: Final report with analysis and corrective measures

 

This means that organizations must not only be technically prepared, but must also demonstrably have control over their governance, access management, and logging.

 

What do auditors specifically look at?
During NIS2 audits, we consistently see recurring focus areas:

 

1. Governance and accountability

Management is explicitly responsible for cybersecurity. Auditors look at:

  • Formal policy documents
  • Risk assessments
  • Demonstrable board involvement 

2. Suppliers and third-party remote access

The ICT supply chain poses an increased risk. Key questions include: 

  • How do suppliers gain access?
  • Is that access limited in time and scope?
  • Is there full traceability?

3. IAM, MFA, and traceability

Identity & Access Management must be robust: 

  • Mandatory MFA
  • Role-Based Access Control (RBAC)
  • Audit trail per user and session

4. Log registration, monitoring, and evidence

Logs must:

  • Be complete and tamper-proof
  • Be stored centrally
  • Be quickly available in case of incident notification

 

5. Incident reporting within legal deadlines

The 24h / 72h / 1 month rule requires:

  • Clear internal escalation procedures
  • A tested incident response plan
  • Documented communication procedures

How does Netop Remote Access help with NIS2 compliance?

Organizations often struggle with one core issue: overly broad access through traditional VPN solutions.
Netop approaches this fundamentally differently.

1. Controlled, task-based remote access 

Instead of broad network access via VPN, Netop provides point-to-point access:

  • Access only to specific systems
  • No lateral movement within the network
  • Minimal attack surface 

2. Strong identity and access control 

  • SSO and mandatory MFA
  • Role-Based Access Rights (RBAC)
  • Time-bound and approved access
  • Supports the principle of least privilege. 

3. Full evidence through logging and video 

  • Detailed session logs
  • Video recordings of remote sessions
  • Retention policies aligned with compliance requirements

4. Secure storage and encryption 

  • End-to-end encrypted sessions
  • Secure storage of evidence in AWS
  • Integration with central logging systems 

 

 

5. Audit file on demand

Exportable reports make it possible to quickly compile a complete audit file.

During a NIS2 audit, concrete evidence is often requested, such as:

  • Remote access policy and approval procedures
  • Supplier register
  • MFA configuration and role/user overviews
  • Logs and video recordings
  • Integration with central logging (e.g., CloudTrail)
  • Incident response and reporting procedures (24h / 72h / 1 month)

 


Organizations that can present these elements in a structured manner significantly reduce their compliance risk.

Conclusion

 

NIS2 is not purely a technical obligation. It is a governance responsibility with legal implications.

 

Organizations that cannot demonstrate control over governance, access management, logging, and incident reporting risk sanctions as well as damage to their reputation. A controlled remote access strategy with full traceability is therefore not a luxury, but a necessity within the new Belgian NIS2 framework.

Disclaimer: This document is provided for informational purposes only and does not constitute legal advice.

With more than 30 years of experience in remote control software, Netop enables reliable connections between all types of devices, operating systems, and networks. These devices may be either attended or unattended.

Netop provides organizations with secure remote access and control to perform maintenance, deliver support, and enable monitoring, both within and outside their managed environment, with the highest level of security.

 

Netop is mission-critical for some of the world’s largest organizations in retail, government, financial services, manufacturing, healthcare, logistics, and ICT, where business continuity is essential.