The European NIS2 directive had to be transposed into national law by 17 October 2024, and its obligations have applied since 18 October 2024. The new cybersecurity rules are no longer a thing of the future, they're reality. Governments, local authorities, and public organizations now fall under this directive and are legally required to take action on their cybersecurity.
What is NIS2?
NIS stands for Network and Information Security (formally: the security of network and information systems). NIS2 is the successor to the original NIS directive of 2016 (Directive (EU) 2016/1148). While NIS1 mainly targeted a small group of operators of essential services and digital service providers, NIS2 greatly expands the scope, sets EU-wide size thresholds, and includes stricter requirements.
The NIS2 directive (Directive 2022/2555) requires hundreds of (semi-)public organizations to establish a cybersecurity policy. This includes measures such as secure passwords, regular backups, timely incident reporting, and greater involvement of leadership in IT decisions.
The goal? To make Europe—and Belgium—more resilient to cyberattacks.
Why is NIS2 important for your organization?
Under NIS2, public administration is itself listed as a sector of high criticality (Annex I). That means not only federal agencies but also cities, municipalities, Public Centres for Social Welfare (OCMWs), and other local authorities are subject to the directive (the directive leaves it to each member state to decide whether local government is included). Healthcare entities, such as hospitals, medical laboratories, and pharmaceutical manufacturers, are also explicitly listed.
Do you fall under NIS2?
Your organisation falls under the NIS2 directive if it operates in a listed sector and meets the size threshold, or if it belongs to a type of entity that is covered regardless of size:
- Sector: You operate in a sector listed in Annex I (high criticality, such as public administration, healthcare, drinking water, energy, transport, digital infrastructure) or Annex II (other critical sectors, such as waste management, postal services, food production, and manufacturing).
- Size (the thresholds follow the EU SME definition):
- Medium-sized organizations (≥ 50 employees, or annual turnover or balance sheet total above €10 million) are classified as "important entities."
- Large organizations (≥ 250 employees, or annual turnover above €50 million or balance sheet total above €43 million) are "essential entities" if they operate in an Annex I sector, and "important entities" if they operate in an Annex II sector.
- Type of organisation: Some entities are covered regardless of size, such as central government bodies, providers of public electronic communications networks or services, DNS service providers, TLD name registries, and qualified trust service providers.
Belgium transposed the directive with the law of 26 April 2024, which has applied since 18 October 2024. It goes beyond the EU minimum on several points: entities had to register with the Centre for Cybersecurity Belgium (CCB), and essential entities must demonstrate compliance through a regular conformity assessment (for example against the CCB's CyberFundamentals framework or ISO/IEC 27001).
What exactly is expected of you?
Organisations that fall under NIS2 must, among other things:
- Develop a risk management policy: This includes access controls, backups, encryption, software updates, and other measures to prevent or limit cyber incidents.
- Report significant cyber incidents to the national CSIRT (in Belgium: the CCB / CERT.be) within strict deadlines: an early warning within 24 hours, a full incident notification within 72 hours, and a final report within one month.
- Ensure governance: Cybersecurity must be addressed at the executive level. It becomes a strategic topic that belongs on management’s agenda.
- Collaborate on cross-border incidents or threats.
Non-compliance is sanctioned (see below). Beyond administrative fines, supervisory authorities can issue binding instructions and order audits, management bodies can be held liable for breaches of their duties, and a publicised incident brings reputational harm of its own.
Penalties for non-compliance with NIS2
The NIS2 directive provides for strict penalties for organisations that fail to meet their cybersecurity obligations.
- Essential entities may be fined up to €10 million or 2% of global annual turnover (whichever is higher).
- Important entities may be fined up to €7 million or 1.4% of global annual turnover (whichever is higher).
Even for public institutions, the consequences are real: reputational damage, audits, or enforcement by national authorities like the Centre for Cybersecurity Belgium (CCB).
From obligation to opportunity
Although NIS2 imposes stricter rules, it also creates opportunities. Now is the time to invest in sustainable and secure digital infrastructure. Cybersecurity becomes a fundamental part of delivering quality public services.
Organisations that invest in digital resilience today don’t just reduce risk, they build trust with citizens, partners, and governments.
How Paddle.be approaches security
At Paddle.be, we build websites and platforms specifically for governments, hospitals, and the public sector. Security isn’t an add-on, it’s built into the foundation of our platform. In addition to general measures like secure hosting, access control, and logging, we also implement technical protections such as CSP and DMARC.
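As an added illustration of what "implementing CSP and DMARC" means in practice (this is example code, not Paddle.be's own tooling), the script below parses a Content-Security-Policy header value and a DMARC TXT record offline and flags the weak settings an auditor would look for: inline or wildcard script sources, missing `object-src`, `base-uri` and `frame-ancestors`, a DMARC policy of `p=none`, no aggregate-report address, or a partial `pct`. The header and record strings are constructed for the example and do not describe any real site.

```python
"""Offline audit of two web controls: a Content-Security-Policy header value
and a DMARC TXT record. The sample inputs below are constructed for this
example and are not taken from any real site."""

# Constructed sample inputs (hypothetical, not Paddle.be configuration)
CSP_WEAK = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *"
CSP_STRONG = (
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
)
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.be; adkim=s; aspf=s"


def parse_csp(header):
    """Map each CSP directive name to its list of source expressions."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header):
    """Return a list of weaknesses in a CSP header; an empty list means no finding."""
    policy = parse_csp(header)
    findings = []
    # script-src falls back to default-src when it is absent
    script = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    # so it is only flagged when it actually takes effect.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script:
        findings.append("script-src allows scripts from any origin (*)")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src not restricted (plugin content allowed)")
    if "base-uri" not in policy:
        findings.append("base-uri not set (base tag injection)")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors not set (clickjacking)")
    return findings


def parse_dmarc(record):
    """Map DMARC tag names to values: 'v=DMARC1; p=reject' -> {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return a list of weaknesses in a DMARC record; an empty list means no finding."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy!r} does not block spoofed mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    return findings


if __name__ == "__main__":
    for label, header in (("weak CSP", CSP_WEAK), ("strong CSP", CSP_STRONG)):
        print(label, csp_findings(header) or "OK")
    for label, record in (("weak DMARC", DMARC_WEAK), ("strong DMARC", DMARC_STRONG)):
        print(label, dmarc_findings(record) or "OK")
```

To audit a live site, feed `csp_findings` the value of the `Content-Security-Policy` response header and `dmarc_findings` the TXT record at `_dmarc.<your-domain>`; the checks deliberately run on strings only, so the script needs no network access and can be used on exported audit evidence.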
We offer:
- Monthly central updates
Our Paddle CMS platform is updated automatically and centrally. Known vulnerabilities are patched as soon as fixes are rolled out, with no action required from you or your IT team.
- Secure infrastructure in Belgium
Our servers are located in secure Belgian data centers. That means better performance, stricter oversight, and data that stays within the EU, which simplifies GDPR compliance.
- Monitoring, backups, and recovery
We monitor your website 24/7, take daily backups, and can act quickly in the event of an incident. This helps keep your operations running, even in difficult times.
- Support after audits
Conducting an audit, or received recommendations from a third party? We'll help you strengthen your digital environment structurally. With experience from over 500 public sector projects, we know what works.
Also read:
- How Paddle.be helps you become (even) more secure – and ready for NIS2
- What are CSP and DMARC – and why are they essential for your website?
Time for action
Is your organisation ready for NIS2? Have you had an audit and now have questions about your current website or CMS? Or would you like to avoid unpleasant surprises as a local authority?
We’re here to help.
At Paddle.be, we combine security with user-friendliness, accessibility, and efficient management. That way, you’re not just compliant, but prepared for the digital future.
📩 Interested in free advice or a demo?
Get in touch. Let’s make your organization digitally resilient—together.