Not acting is not neutral
The biggest misconception around NIS2 is that delaying action is a neutral choice. It is not. In Belgium, in-scope entities are expected to understand whether they fall under the law, register via Safeonweb@Work, organise incident reporting, and be able to show that cybersecurity measures are not just written down, but actually in place. Belgium also gives this a very practical edge: significant incidents must be reported quickly, with an early warning within 24 hours and a fuller notification within 72 hours.
For medium-sized enterprises, that matters more than many expect. These businesses are often large enough to fall in scope, but still lean in how they organise risk, compliance, and IT. The result is a familiar pattern: cybersecurity sits across several people, decisions are partly informal, and key evidence is scattered across teams and tools. That may be manageable on an ordinary day. It becomes a problem the moment an incident happens or a regulator asks questions.
The cost is usually operational before it is regulatory
When companies think about NIS2, they often think first about fines. In practice, the first cost is usually internal. Time is lost recreating documentation, clarifying ownership, aligning finance and IT, and responding to issues in a rush. The organisation pays for delay through duplicated work, reactive decision-making, and management distraction long before any formal sanction enters the picture.
A typical example is a mid-sized Belgian business that believes it is “largely covered” because it has cyber insurance, some policies, and an external IT partner. On paper, that sounds reassuring. In reality, management may still not know who determines whether an incident is reportable, who contacts the CCB, what evidence must be produced, or how affected customers should be informed. Belgium’s guidance is clear that reporting should happen without undue delay, not at the last possible moment. That makes preparation a business necessity, not an administrative detail.
What companies should do now
For most mid-market businesses, the right response is not a massive transformation programme. It is a focused, practical review. Start with four questions. Are we in scope? Have we registered correctly? Who owns incident reporting? What evidence could we produce within 24 to 72 hours if something goes wrong?
That exercise alone often reveals the real gap. It is rarely a total absence of controls. More often, it is unclear accountability, incomplete documentation, and too much dependence on a few individuals. That is exactly where the cost of doing nothing accumulates.
At Grant Thornton Belgium, we see the same lesson across risk, compliance, and transactions: businesses that act early do not just reduce regulatory exposure. They make audits smoother, respond faster under pressure, and present a more credible profile to customers, investors, and lenders.
Leverage available support mechanisms
It is also important to note that organisations do not need to address this alone. In VLAIO’s cybersecurity improvement programme, companies can benefit from structured support tailored to their maturity level.
Grant Thornton Belgium is one of the selected service providers authorised to execute these cyber improvement trajectories.
Through this initiative:
- Small and medium-sized enterprises can obtain up to 50% subsidy
- Larger organisations in scope of NIS2 can obtain around 35% subsidy
This significantly lowers the barrier to initiate a structured NIS2 readiness or improvement programme, making early action not only operationally sound, but also financially accessible.
If your organisation is still treating NIS2 as something to address later, now is the right time to pressure-test that assumption. A short, pragmatic scoping and readiness review can already make a material difference.