The Centre for Cybersecurity Belgium (CCB) has authorized Brand Compliance to certify essential and important entities according to ISO 27001 in the context of NIS2. With ISO 27001 certification, an organization can demonstrate a presumption of NIS2 conformity. Would you like to know what this means for your organization?
NIS2 conformity
The NIS2 legislation imposes cybersecurity requirements on European organizations, with the aim of strengthening resilience against digital threats. Belgian organizations have had to comply with these obligations since October 2024. ISO 27001 certification is one of the ways to meet these requirements.
With ISO 27001 certification, organizations demonstrate that their information security is structured systematically. Within the CyberFundamentals programme, this can lead to a presumption of conformity with the NIS2 obligations.
Would you like to know whether your organization falls within the scope of NIS2? Visit nis2certification.eu.
Essential entities
For essential entities, such as hospitals, energy companies and other organizations with critical infrastructure, there are three possible routes to meet the requirements of this legislation:
- CyberFundamentals certification
This certification is issued by a Certifying Body.
- ISO 27001 certification
This certification can be granted by an accredited Certifying Body, such as Brand Compliance.
- Inspection
The inspection is carried out by the CCB’s inspection service or by a sectoral inspection service.
Discuss which NIS2 route is suitable for your organization.
When an essential entity successfully meets one of these three options, it receives the CyberFundamentals label. The following requirements arising from the CyberFundamentals programme must be met:
The scope must cover the entire organization, unless IT and OT environments are demonstrably physically or technically separated. In that case, this separation must be documented and the organization itself must demonstrate that the excluded environments have no impact on the risks of the environment that is within scope.
Important entities
Important entities that may fall under supervision can voluntarily choose to follow the same mechanisms as essential entities to demonstrate their conformity.
ISO 27001 certification
Organizations that wish to obtain the CyberFundamentals label through ISO/IEC 27001 certification must complete the following steps:
- Level of assurance: The applicable level is determined based on the entity’s risk assessment, preferably using the CyFun® Selection Tool.
- Scope: Check whether the ISO 27001 certificate covers the full scope of the organization. This includes verifying whether IT and OT environments are documented as separate and have no risk impact when they are outside the scope.
- Controls: The SoA must demonstrate that the implemented controls are demonstrably equivalent to the controls within the CyFun levels Basic, Important or Essential.
- Application: Upload the ISO 27001 certificate and the Statement of Applicability via CyberFundamentals Framework | CCB Safeonweb.
- Verification: The CCB checks whether the Statement of Applicability meets the requirements of the selected level.
- Receipt of the label: If all requirements are met, the organization receives the CyberFundamentals label.
ISO 27001 in relation to NIS2 often raises questions about scope, controls and levels of assurance. Our experts will be pleased to explain this.
Want to know more?
Would you like to discuss how Brand Compliance can support you in achieving NIS2 conformity? Contact us below for a personal consultation.
