NIS2 Compliance Checklist for Belgian Mid-Market Organizations (2026)
With 2,410 Belgian organizations registered under NIS2 and the 18 April 2026 CyberFundamentals / ISO evidence deadline set by the Centre for Cybersecurity Belgium (CCB), mid-market teams (50–400 users) are racing to produce evidence of baseline cybersecurity controls. This checklist condenses the 12 control areas most likely to be examined.
NIS2 doesn't ask whether your controls exist. It asks whether you can prove they exist, were applied consistently, and survived contact with reality.
The 12-point checklist
- Governance & accountability — named cybersecurity owner at executive level, board-level reporting cadence.
- Risk register — current, dated, mapped to assets and to NIS2 Article 21 measures.
- Asset inventory — endpoints, identities, cloud workloads, third-party services, with owner and criticality tags.
- Access control — MFA on all admin accounts, joiner/mover/leaver workflow, quarterly access reviews.
- Vulnerability management — patching SLAs by severity, evidence of monthly scans, exception register.
- Backup & recovery — air-gapped or immutable backups, tested restore at least annually, documented RPO/RTO.
- Incident detection — log retention ≥ 6 months across endpoints, identity, and perimeter; alerting tied to a response process.
- Incident response plan — written, exercised at least once per year, with named roles and external contacts (legal, CCB, insurer).
- Notification readiness — ability to report a significant incident to the CCB within 24 hours of awareness, full report within 72 hours.
- Supply-chain assurance — security clauses in contracts, criticality tiering of vendors, evidence of due diligence.
- Cryptography & secure communications — encryption at rest and in transit, key management policy.
- Awareness training — role-specific training for staff and leadership, completion records retained.
Mapping CyberFundamentals to NIS2
CyberFundamentals (CyFun) is the CCB's tiered framework — Small, Basic, Important, Essential. For most mid-market organizations classified as Important entities under NIS2, the CyFun Important tier is the practical evidence target. CyFun maps cleanly to ISO 27001:2022 Annex A and to the NIST CSF, so existing ISO work is rarely wasted.
Common evidence gaps we see
- Backups exist but no tested restore in the last 12 months.
- An IR plan exists on paper but no tabletop exercise has been run.
- Logs are collected but would not survive a ransomware event (no air-gapped or immutable copy).
- Vendor list exists but no security clauses in the actual contracts.
How CyberXDefend helps
CyberXDefend supports the evidentiary side of NIS2 — chain-of-custody-aware logging, air-gapped evidence preservation, ransomware response playbooks, and reporting templates aligned to the CCB's notification flow. Combined with your existing GRC stack, it closes the gap between "we have controls" and "we can prove the controls held."