Why NIS2 compliance is no longer an audit moment — and what that means for your organisation
Belgium’s NIS2 law has been in force since October 2024. In April 2026, essential entities reach their first verification milestone — and depending on the path they have chosen, that looks very different. Some organisations must have obtained a CyFun verification by then. Others submit their ISO 27001 scope and statement of applicability to the CCB. Others still undergo an inspection by the CCB or a sectoral inspection service.
Three routes, one deadline, and for most organisations the same question: are we ready?
But “ready” is a misleading word here. Because the real change NIS2 brings is not in that first milestone. It is in what comes after. Compliance becomes a continuous process — and that changes how organisations collect evidence, structure governance, and engage with supervisory authorities.
What exactly is changing?
Belgium’s NIS2 law replaces the earlier NIS1 framework and significantly expands its scope. The Centre for Cybersecurity Belgium (CCB) initially estimated that around 2,500 organisations would fall under NIS2. By February 2026, the CCB reported that over 2,600 entities had already registered.
What these organisations must now do breaks down into three obligations.
Implement risk management measures. Cybersecurity measures proportionate to the organisation’s risk profile. The CCB provides the CyberFundamentals Framework (CyFun) with three assurance levels — Basic, Important, Essential — though organisations may also choose ISO/IEC 27001 as their reference framework.
Report incidents. Significant incidents must be reported to the national CSIRT. Throughout 2025, the CCB handled 635 incidents at national level. For comparison: before NIS2, the monthly average was around 25 reports. The increase is not due to more attacks, but to organisations now knowing they must report — and doing so.
Demonstrate that measures work. This is where it gets difficult. Taking measures is not enough. Organisations must also prove those measures are functioning. For essential entities, this means a regular conformity assessment via one of three routes: CyFun certification or verification through a CCB-authorised conformity assessment body (CAB), ISO/IEC 27001 certification through an accredited and authorised CAB, or inspection by the CCB inspection service or a sectoral inspection service.
When the annual audit no longer suffices
Compliance has always had a rhythm of silence and haste. Months where nobody looked at documentation, followed by weeks where the entire team dug through folders to scrape together evidence for the auditor.
NIS2 breaks that rhythm.
The law requires organisations to demonstrate at any moment that their controls are functioning — not just when the auditor calls. For essential entities, the CCB can exercise proactive supervision: on-site inspections, ad-hoc audits, security scans, requests for evidence. Unplanned, unannounced. For important entities, supervision is in principle reactive, but they too must always be able to show they meet the requirements.
That means something very concrete. It means the evidence must exist before anyone asks for it. Not gathered in a two-week sprint, but continuously maintained as part of daily operations.
And there lies the tension. Because most organisations have treated compliance as a project until now — with a beginning, an end, and a great many spreadsheets in between. That approach no longer works when supervision is continuous.
What does continuous compliance look like in practice?
Three things need to change.
Evidence collection becomes automatic. Manually retrieving evidence from ten or twenty systems (ticketing tools, HR platforms, firewalls, identity providers) does not scale. Organisations need tooling that automatically retrieves artefacts and maps them to the relevant regulatory requirements. Not once a quarter, but continuously.
Deviations become visible the moment they occur. A control that fails or an evidence source that is outdated: that must be visible today, not three months from now in an audit report. Continuous monitoring with clear alerting replaces the periodic spot check.
Every decision is traceable. Who identified a deviation? Who approved the corrective action? On what evidence? When a supervisory authority asks those questions, the answer must not be a search through mailboxes and shared drives. It must simply be there.
What AI can and cannot do
Artificial intelligence can help keep that complexity manageable. Analysing regulation, identifying evidence sources, detecting deviations faster than a human team — that is what software is good at.
But there is a boundary, and it is important to draw it clearly.
A compliance platform can determine that a control has insufficient evidence. It can propose a corrective action. But executing that action, and the responsibility for the outcome — that lies with the management team. Not with the software.
That is not a limitation. It is a design choice, and a deliberate one. It aligns with the European approach to trustworthy AI, in which human oversight and transparency are central.
And it aligns with the NIS2 law itself. The law places responsibility for cybersecurity measures explicitly with the management body. Board members approve the measures, oversee their implementation, and are liable in case of violations.
Software that promises to take over that responsibility? It misses the point. Or worse: it misleads.
Why it matters where your compliance software runs
Many compliance platforms were built from the American regulatory landscape — SOC 2, HIPAA, FedRAMP — and later adapted to European frameworks. Adapted, not redesigned. The difference is a mapping of controls, not a difference in architecture.
For organisations combining NIS2 and GDPR, that matters. They must not only demonstrate cybersecurity measures, but also consider where and how their compliance data is processed.
The GDPR permits transfers outside the EEA — via adequacy decisions, standard contractual clauses, or other Chapter V mechanisms. But every transfer requires an assessment and introduces governance overhead. For organisations in regulated sectors, the trade-off is concrete: manage additional transfer mechanisms, or choose a platform that avoids that complexity by running on your own infrastructure, within EU borders.
That is an architectural choice, not a legal obligation. But it is a choice that can make the difference between a governance process that is manageable and one that continuously demands attention for something entirely unrelated to your core mission.
Three things you can do today
These apply regardless of which tools you choose.
Map your evidence status. Which CyFun controls or ISO 27001 measures have you implemented — and where is the evidence? How current is it? A gap in your evidence is not a gap in your security. But it is the first thing a supervisory authority will notice.
Centralise. Evidence scattered across ten systems is, in practice, evidence that cannot be found. A single central location — a specialist platform or a well-structured document management system — makes the difference between weeks of audit preparation and an audit you can face at any moment.
Make compliance operational. Not a project owned by the CISO. Not an annual initiative from legal. An ongoing process, structured like incident management or change management. With assigned responsibilities, fixed frequencies, and an escalation path when the status changes.
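As an added illustration of the evidence mapping described under "What does continuous compliance look like in practice?" and the first step above (map your evidence status), the following Python example is not code from the article or from the Aegis platform. It models artefacts mapped to control identifiers with a freshness limit, flags controls whose evidence is missing or stale, and keeps a traceable record of who decided what and on which evidence. The control ids, source names and dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Evidence:
    control: str          # control identifier the artefact supports (placeholder ids below)
    source: str           # system the artefact was collected from
    collected_at: datetime
    max_age: timedelta    # freshness requirement for this kind of artefact

@dataclass
class Deviation:
    control: str
    source: str
    reason: str
    trail: list = field(default_factory=list)   # who did what, on what basis, when

def find_deviations(required_controls, evidence, now):
    """Return one Deviation per artefact that is stale at `now`, or per control with no evidence at all."""
    by_control = {}
    for ev in evidence:
        by_control.setdefault(ev.control, []).append(ev)
    deviations = []
    for control in required_controls:
        artefacts = by_control.get(control, [])
        if not artefacts:
            deviations.append(Deviation(control, "-", "no evidence collected"))
            continue
        for ev in artefacts:
            age = now - ev.collected_at
            if age > ev.max_age:
                reason = f"evidence {age.days} days old, limit {ev.max_age.days}"
                deviations.append(Deviation(ev.control, ev.source, reason))
    return deviations

def record_action(dev, who, action, basis, when):
    """Append a traceable entry: the person, the decision, and the evidence it rests on."""
    dev.trail.append({"who": who, "action": action, "basis": basis, "at": when.isoformat()})
    return dev

# Constructed sample (not real data): one fresh artefact, one stale artefact, one missing control.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
REQUIRED = ["ID.AM-1", "PR.AC-1", "DE.CM-1"]   # illustrative control ids, not a real scope
SAMPLE = [
    Evidence("ID.AM-1", "cmdb-export", NOW - timedelta(days=3), timedelta(days=30)),
    Evidence("PR.AC-1", "idp-access-review", NOW - timedelta(days=120), timedelta(days=90)),
]

def sample_report():
    """Run the check over the constructed sample and assign a corrective action to each deviation."""
    devs = find_deviations(REQUIRED, SAMPLE, NOW)
    for d in devs:
        record_action(d, "ciso@example.org", "corrective action assigned", d.reason, NOW)
    return devs
```

In a real deployment the `SAMPLE` list would be replaced by artefacts pulled from the connected systems on a fixed schedule, so that a stale or missing artefact raises an alert the day it happens rather than at the next audit.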
How Euraika’s Aegis platform helps
Aegis is built for precisely this shift. The platform connects to an organisation’s existing IT systems, automatically collects evidence, and continuously monitors whether the compliance status is current.
When deviations are detected, Aegis proposes corrective actions — but the organisation decides. Every action has a traceable responsibility assignment. The AI component supports; it does not decide.
And the platform can run on the organisation’s own infrastructure. No shared databases, no data leaving the EU, no dependency on external APIs. NIS2, GDPR, DORA, ISO 27001 — these are not afterthought mappings onto an American framework. They are the architectural starting points of the software.
The first NIS2 verification milestone for essential entities is 18 April 2026. Would you like to explore how Aegis can support your organisation with continuous compliance? Get in touch at aegis@euraika.net or schedule a conversation at www.euraika.net.
European AI. European data. European regulation.
