The NIS2 directive mandates cybersecurity measures for critical infrastructure operators across Europe. In Belgium, the CCB enforces compliance with proactive audits, management liability, and fines up to EUR 10 million.
The Network and Information Security Directive 2 (EU 2022/2555) is the EU's comprehensive cybersecurity legislation for critical infrastructure. It replaces the original NIS Directive with significantly expanded scope, stronger enforcement, and personal management liability.
NIS2 classifies operators into "essential" and "important" entities. Essential entities face proactive supervision. Both face mandatory incident reporting within 24 hours and risk-management obligations under Article 21.
NIS2 covers 18 sectors across two annexes. Annex I (essential) sectors include:
In Belgium, the Centre for Cybersecurity Belgium (CCB) is the competent authority for NIS2 enforcement. Essential entities are subject to proactive supervision — the CCB can request evidence of compliance at any time, not just after a breach or incident.
Article 21 measure: Comprehensive policies on risk analysis including identification and assessment of risks to network and information systems.
RX-OS: Automated OT asset inventory with risk scoring per device, firmware vulnerability mapping, and continuous risk reassessment based on behavioral changes.

Article 21 measure: Procedures for prevention, detection, and response to cyber incidents including notification obligations within 24 hours.
RX-OS: Real-time anomaly detection with timestamped, hash-chained event logs. Provides the evidence needed for mandatory incident reporting to the CCB.

Article 21 measure: Measures including backup management, disaster recovery, and crisis management.
RX-OS: Continuous topology monitoring detects single points of failure, provides asset registers for disaster recovery planning, and monitors backup system availability.

Article 21 measure: Security measures relating to the relationship with direct suppliers and service providers.
RX-OS: Detects third-party remote access sessions, VPN connections from vendor IPs, and unauthorized devices introduced during maintenance windows.

Article 21 measure: Security in acquisition, development, and maintenance of network and information systems including vulnerability handling.
RX-OS: Firmware version tracking, configuration change detection, and protocol-level vulnerability identification across all discovered OT/IT assets.

Article 21 measure: Policies and procedures to assess the effectiveness of cybersecurity risk management measures.
RX-OS: Continuous monitoring validates that security controls remain effective. The hash-chained evidence trail proves compliance posture over time, not just at audit checkpoints.

Article 21 measure: Policies on information and asset management including classification of assets by criticality.
RX-OS: Continuous passive OT asset discovery and classification. Auto-maintained register with device type, manufacturer, firmware version, network behavior, and risk score.

Article 21 measure: Use of logging and monitoring solutions to detect and record security-relevant events.
RX-OS: Hash-chained evidence logs. Every observation is timestamped and cryptographically linked to prevent post-hoc modification. Verifiable by any third party.

Every observation RX-OS records — device discovery, anomaly detection, configuration change — is stored as a hash-chained evidence block. Each block includes a SHA-256 hash of the previous block, creating a tamper-evident chain.
If any block in the chain is modified after the fact, all subsequent hashes break. This provides cryptographic proof that evidence was not altered between observation and audit.
When the CCB requests proof of your security posture at a specific point in time, you can provide the chain and they can independently verify its integrity. This is your management liability defense.
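The chaining and verification described above, as an added illustration that is not RX-OS code and makes no claim about how the product serialises its blocks: each block is hashed with SHA-256 over its own fields plus the previous block's hash, and a verifier walks the chain from the genesis constant. The observation records, timestamps, IP addresses and field names are constructed sample values, and the JSON canonicalisation is an assumption chosen so that independent verifiers hash identical bytes.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# The first block links to this constant instead of a predecessor.
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class EvidenceBlock:
    index: int
    timestamp: str      # ISO 8601 string supplied by the observer (assumed format)
    event_type: str     # constructed labels: device_discovered, anomaly, config_change
    payload: dict
    prev_hash: str      # SHA-256 of the previous block (GENESIS_HASH for block 0)
    digest: str         # SHA-256 over this block's other fields


def canonical_bytes(index: int, timestamp: str, event_type: str,
                    payload: dict, prev_hash: str) -> bytes:
    """Deterministic serialisation (sorted keys, no whitespace) so that any
    third party hashing the same record obtains the same bytes."""
    record = {"index": index, "timestamp": timestamp, "event_type": event_type,
              "payload": payload, "prev_hash": prev_hash}
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_hash(index: int, timestamp: str, event_type: str,
                 payload: dict, prev_hash: str) -> str:
    return hashlib.sha256(canonical_bytes(index, timestamp, event_type,
                                          payload, prev_hash)).hexdigest()


def append_block(chain: List[EvidenceBlock], timestamp: str,
                 event_type: str, payload: dict) -> List[EvidenceBlock]:
    """Return a new chain with one more block linked to the current tail."""
    prev_hash = chain[-1].digest if chain else GENESIS_HASH
    index = len(chain)
    digest = compute_hash(index, timestamp, event_type, payload, prev_hash)
    return chain + [EvidenceBlock(index, timestamp, event_type, payload, prev_hash, digest)]


def first_broken_block(chain: List[EvidenceBlock]) -> Optional[int]:
    """None if the chain verifies end to end, otherwise the index of the first
    block whose stored digest or back-link is inconsistent. This needs no
    secret, so an auditor holding only the chain can run it."""
    expected_prev = GENESIS_HASH
    for i, b in enumerate(chain):
        if b.index != i or b.prev_hash != expected_prev:
            return i
        if compute_hash(b.index, b.timestamp, b.event_type, b.payload, b.prev_hash) != b.digest:
            return i
        expected_prev = b.digest
    return None


def build_sample_chain() -> List[EvidenceBlock]:
    """Three constructed observations (not real data)."""
    chain: List[EvidenceBlock] = []
    chain = append_block(chain, "2025-01-10T08:00:00Z", "device_discovered",
                         {"ip": "10.0.5.21", "vendor": "ExamplePLC", "firmware": "3.2.1"})
    chain = append_block(chain, "2025-01-10T09:15:00Z", "anomaly",
                         {"ip": "10.0.5.21", "detail": "Modbus write from unknown host"})
    chain = append_block(chain, "2025-01-11T14:02:00Z", "config_change",
                         {"ip": "10.0.5.21", "firmware": "3.2.1 -> 3.3.0"})
    return chain


def tamper_payload(chain: List[EvidenceBlock], index: int,
                   new_payload: dict) -> List[EvidenceBlock]:
    """Edit a block's payload after the fact without touching any digest."""
    edited = replace(chain[index], payload=new_payload)
    return chain[:index] + [edited] + chain[index + 1:]


def tamper_and_rehash(chain: List[EvidenceBlock], index: int,
                      new_payload: dict) -> List[EvidenceBlock]:
    """Edit a block and recompute its own digest. The block itself now looks
    valid, but the next block's prev_hash no longer matches, so the break
    surfaces one block later."""
    b = chain[index]
    new_digest = compute_hash(b.index, b.timestamp, b.event_type, new_payload, b.prev_hash)
    edited = replace(b, payload=new_payload, digest=new_digest)
    return chain[:index] + [edited] + chain[index + 1:]


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", first_broken_block(chain))
    print("payload edited in block 1:",
          first_broken_block(tamper_payload(chain, 1, {"detail": "nothing happened"})))
    print("block 1 edited and rehashed:",
          first_broken_block(tamper_and_rehash(chain, 1, {"detail": "nothing happened"})))
```

One property of the technique worth knowing when relying on such a chain as evidence: rewriting the final block and recomputing its digest leaves nothing behind it to disagree, so the verifier reports the chain as intact. The tail hash therefore has to be anchored somewhere the log writer cannot later change (a write-once store, a third-party timestamp, or a copy handed to the auditor at the time) for the chain to prove the recency of the last entries as well as the integrity of the earlier ones.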
NIS2 Article 20 explicitly holds management bodies personally accountable for approving and supervising the implementation of cybersecurity risk management measures. Failure to ensure compliance can result in personal liability for board members and senior management — including temporary bans from exercising managerial functions.
This is not hypothetical. The directive mandates that management bodies undergo cybersecurity training and that they personally approve and oversee the measures required under Article 21.
Reference: NIS2 Directive (EU) 2022/2555, Article 20 — Governance

Essential entities: Up to EUR 10 million or 2% of global annual turnover, whichever is higher. Proactive supervision by CCB.
Important entities: Up to EUR 7 million or 1.4% of global annual turnover. Reactive supervision (post-incident).
The compliance deadline has passed. Every day without auditable OT visibility is a day of exposure. Start a two-week pilot and receive your first NIS2 gap report.