What NIS2 means for strict cybersecurity and how Combell is compliant

The new European directive NIS2 (Network and Information Systems) introduces stricter requirements for cybersecurity. This directive aims to strengthen the digital resilience of essential and important entities. At Combell, cybersecurity is a top priority, and we are fully NIS2-compliant. But what does NIS2 mean for your organization?

What is NIS2?

NIS2 is an initiative by the European Union, launched by the European Commission, to improve cybersecurity across Europe. Read more on the VLAIO website.

Objective: Strengthen the digital resilience of critical infrastructures and services and ensure they meet fundamental requirements.
Reason: Increasing cyber threats and the need to better protect essential services.
Goal: Establish a uniform approach to cybersecurity across all EU member states.

Technology, people, and processes

Entrepreneurs are understandably concerned about the impact of NIS2. The stricter regulations require investments in technology, personnel, and processes. This new framework goes far beyond its predecessor, NIS1.

Failing to comply with the NIS2 directive could result in hefty fines, reputational damage, and increased vulnerability to cyberattacks.

Cyber fundamentals as a strong foundation

In Belgium, NIS2 is closely linked to the so-called Cyber Fundamentals (CyFun®). These fundamentals are essential for building a robust cybersecurity strategy. This framework helps you:

  1. Identify Risks: Understand the threats to your organization.
  2. Enhance Security: Implement measures tailored to your sector.
  3. Demonstrate Compliance: Prove NIS2 compliance through certification.

The appropriate level (Important or Basic) is determined through a risk analysis.

Regardless of the NIS2 guidelines, investing in a strong cybersecurity strategy now can save you significant headaches later.

Veerle Van Hecke – CISO at Combell

NIS2: Essential vs. Important Entities

NIS2 distinguishes between:

Essential Entities: Organizations like energy companies, hospitals, and water suppliers. These entities face stricter requirements and more rigorous oversight.
Important Entities: Companies such as food producers and postal services. While they must meet specific requirements, the oversight is less intensive.

Investing in a strong cybersecurity strategy, regardless of NIS2

“Although NIS2 applies to businesses in critical and important sectors, the directive also impacts companies not directly covered by it,” says Veerle Van Hecke, Chief Information Security Officer at Combell.

Veerle: “Working with an NIS2-compliant organisation may mean that your security also has to meet the same conditions.

As a result, NIS2 indirectly becomes the standard for many Flemish businesses. For some clients, it is sufficient to partner with an NIS2-compliant host like Combell.

Investing in a robust cybersecurity strategy now is crucial. Regardless of NIS2 guidelines, it can save you significant headaches.”

Inadequate security increases the risk of cyberattacks and data breaches.

How to determine your category

While the directive is a significant step forward, many uncertainties remain regarding its implementation. Here’s what you can do:

  1. Use the quick start guide: The Centre for Cybersecurity Belgium (CCB) provides documentation such as a quick start guide (‘Scope Test Tool’).
  2. Contact the CCB: Seek advice from CCB experts.
  3. Conduct a risk analysis: A Conformity Assessment Body (CAB) can help determine which rules apply to your organization.
  4. Review the list of critical sectors: Some sectors already have specific guidelines indicating whether your organization is considered essential or important.

DORA guideline for the financial sector

Do you work in the financial sector? If so, the Digital Operational Resilience Act (DORA) directive applies. This directive emphasises operational resilience and specific security policies. Read more on the European Commission's website.

What does NIS2 mean for your organization?

Organisations required to take mandatory action must comply with the following obligations:

Perform regular risk analyses.
Develop an information security policy.
Report incidents promptly.
Demonstrate compliance through certifications.

If you work with Combell as your hosting partner, you can be sure that all our systems and guidelines are NIS2-compliant.

Veerle Van Hecke – CISO at Combell

Consequences of ignoring NIS2 guidelines

High fines: You risk severe financial penalties, depending on the severity of the violation.
Reputational damage: Non-compliance can erode customer and partner trust.
Security risks: Inadequate security increases the likelihood of cyberattacks and data breaches.

How to become NIS2-compliant

Option                        Description
CyFun® Certification          Independent assessment by a certified audit party.
ISO/IEC 27001 Certification   Submit the scope and statement of applicability to the CCB.
CyFun® Self-Evaluation        Submit a self-assessment after conducting a risk analysis.
Information Security Policy   Assessment by the CCB inspection service.

Combell actively collaborates with designated authorities to effectively roll out NIS2 guidelines in Belgium.

Take action before April 18, 2026

  1. Conduct a Risk Analysis: Assess threats and vulnerabilities.
  2. Choose a Certification Path: Opt for CyFun® or ISO/IEC 27001.
  3. Develop a Security Policy: Implement a robust policy within your organization.
  4. Get Audited: A Conformity Assessment Body (CAB) conducts an independent audit.
  5. Certify Your Organization: Ensure full certification by 2027.

By April 18, 2026, you must have taken one of these steps. Certification must be completed by 2027.

Combell fully NIS2-compliant

“Cybersecurity is a top priority for Combell. If you partner with us as your cloud provider, you can rest assured that all our systems and guidelines are NIS2-compliant,” says Combell CISO Veerle Van Hecke.

Combell holds several key certifications:

ISO 27001 Certification: Ensures secure information management and proper risk control. Your data is safe with Combell.
ISO 27701 Certification: Extends ISO 27001 with high-quality privacy management standards.

Also read

These are all Combell's ISO certificates.

Questions about Combell’s NIS2 compliance?

Do you have questions or want to learn more about how Combell meets all NIS2 requirements? Contact your account manager.

Veerle Van Hecke: “We understand that NIS2 can feel like a digital maze. Not everything is clear yet. Know that we actively collaborate with designated authorities to roll out NIS2 as effectively as possible in Belgium.”

Key resources on NIS2:

We will keep you updated on changes and developments.