Belgium’s NIS2 Transposition: A Practical Model for other EU States
Belgium officially implemented (“transposed” in EU parlance) the EU’s NIS2 Directive into national law last year, becoming one of the first member states to do so. Now, to help with implementation, Belgium’s Centre for Cybersecurity (CCB) has launched a public NIS2 Quick Start Guide, an interactive webpage that walks any organization through its obligations under NIS2. The guide incorporates the Cyber Fundamentals Framework (CyFun) as a key tool for implementation.
Developed by the CCB, CyFun breaks down cybersecurity maturity into levels and offers specific guidance on how to achieve compliance. CyFun directly addresses the NIS2 requirement for strong vulnerability management and disclosure practices.
And this isn’t just a Belgian model anymore. Ireland and Romania have now adopted Cyber Fundamentals as their own NIS2 compliance baseline—and other Member States are expected to follow. That’s good news for anyone navigating Europe’s evolving regulatory landscape, especially because it helps drive consistency across jurisdictions and simplifies cross-border compliance.
For the first time in EU law, NIS2 makes coordinated vulnerability disclosure (CVD) a formal requirement. Member States must support national CVD policies, and regulated entities are expected to implement internal processes for discovering, receiving, and responding to vulnerabilities. Vulnerability disclosure programs (VDPs) that help operationalize CVD for organizations - like those powered by HackerOne - are now a key part of the compliance toolkit.
This is a moment of alignment: clear regulation, a common baseline framework, and practical tools that make compliance easier. HackerOne’s VDP solutions can help organizations meet both the spirit and the letter of these new obligations - quickly, efficiently, and with confidence.
Key Takeaways
- NIS2 is now law in Belgium and the Quick Start Guide makes it easier to comply
  - It’s accessible, step-by-step, and tailored to help all types of entities understand their obligations.
- Cyber Fundamentals is a cornerstone of NIS2 compliance
  - It’s structured, accessible, and already adopted by Ireland and Romania too.
- Consistency is spreading across the EU
  - With more countries aligning to CyFun, cross-border compliance is getting simpler.
- VDPs are no longer optional
  - NIS2 explicitly calls for vulnerability disclosure programs. VDPs are now a recognized and expected best practice under EU law.
- Cyber Fundamentals builds VDPs into two key tiers: “Important” and “Essential”
  - A broad set of organizations need a VDP as part of their CyFun compliance, so now’s the time to build buy-in internally and to secure a budget for implementation.
Ready to align your security program with NIS2 and Cyber Fundamentals? Get started with HackerOne VDP or reach out to our team to talk about how we can help.