The NIS2 Directive


As part of our commitment to safeguard the Group’s operations and to comply with evolving regulations, we draw your attention to the requirements of the European NIS2 Directive.

What is the NIS2 Directive?

The NIS2 Directive addresses the growing threats posed by cyberattacks across Europe. In today’s interconnected world, essential services such as energy, healthcare, transport, and financial systems rely on secure digital infrastructure to function effectively.

This directive is designed to strengthen cybersecurity resilience across EU member states by ensuring that organisations providing essential services can better prevent, detect, and respond to cyber threats. Given the current geopolitical climate, including hybrid warfare, this EU-wide framework plays a crucial role in protecting key infrastructure and services critical to European interests.

Where is it applicable?

While the NIS2 Directive is EU-wide, its implementation into local law necessarily varies by country. Belgium has already implemented the directive through its "NIS2 Law" of 26 April 2024, establishing compliance requirements. Other EU countries where we operate, such as France and the Netherlands, are in the process of implementing the directive into their national legislation, with deadlines approaching quickly.

This means compliance is, or will soon be, a legal requirement in the jurisdictions where we operate in Europe. We must act now to ensure all relevant operations meet these obligations.

Who does NIS2 apply to?

The NIS2 Directive applies to medium and large enterprises considered essential or important to the functioning of society and the economy. These include ‘essential enterprises’, i.e. providers of essential services such as energy, transport, healthcare, and financial services; and ‘important enterprises’, i.e. organisations significant for societal or economic stability, such as postal services, food supply chains, and digital infrastructure providers.

Notably, some of our clients (such as Aquafin, SNCB/NMBS or Elia in Belgium, Rijkswaterstaat in the Netherlands, or Vejdirektoratet in Denmark) are directly within the scope of this directive.

Within BESIX Group, BESIX Unitec Automation would also be within the scope of the directive.

What does compliance entail?

To comply with NIS2, organisations must strengthen their efforts in cybersecurity risk management (for instance, by adopting robust protocols to manage and mitigate risks effectively) and in cybersecurity incident reporting.

Going forward

As some of our clients fall within the scope of the directive, it is crucial to treat any NIS2-related requests from these clients as changes in law and address them appropriately from a contractual perspective. In principle, the costs associated with changes in law should typically be borne by the clients.

If you have immediate questions, please reach out to the Legal Business Enabler of your entity, and/or to Werner for clarification or further information.

Hans Beerlandt
CFO BESIX Group

Werner Godaert
CIO BESIX Group
