12 March 2026 Update - The transposition of the CER Directive in Belgium
The transposition of the Directive (EU) 2022/2557 in Belgium led to a significant evolution of the national legal framework governing the protection and resilience of critical infrastructures and essential services.
Member States were required to transpose the Directive into national legislation by 17 October 2024 and to ensure that the resulting legal framework entered into application from 18 October 2024. The Directive requires each Member State to adopt a national strategy for enhancing the resilience of critical entities, conduct periodic national risk assessments, identify and designate critical entities operating in specified sectors, and ensure that those entities comply with extensive resilience obligations relating to risk management, security measures, and incident reporting. In 2025, Belgium adopted a national law transposing the CER Directive, but the process was late and only finalized in 2026.
Before the adoption of the CER Directive, Belgian law already contained provisions concerning the protection of critical infrastructures, most notably the legislation adopted in 2011 concerning the security and protection of critical infrastructures. That framework primarily focused on the protection of specific physical assets deemed essential for national security or economic stability.
The CER Directive introduced a substantially broader coverage, shifting the focus toward systemic resilience and the continuity of essential services. The Belgian legislature needed to undertake a significant restructuring of the national legal framework in order to align it with the Directive’s conceptual model.
During 2024 and 2025, the Belgian government developed a draft legislative instrument designed to transpose the Directive and modernize the national system governing critical infrastructure protection. This legislative proposal was submitted to the Federal Parliament and gradually progressed through the parliamentary process, including examination by the relevant parliamentary committees responsible for internal security, crisis management, and infrastructure protection.
The proposed Belgian legislation establishes a comprehensive regulatory framework aimed at ensuring that entities providing essential services are capable of maintaining operational continuity under conditions of crisis or disruption. The draft law outlines a structured process for the identification and designation of critical entities within sectors considered essential for the functioning of society and the economy.
Once designated, these entities become subject to a series of legal obligations designed to enhance their resilience. These obligations include the performance of internal risk assessments, the implementation of appropriate technical, organizational, and security measures, and the reporting of incidents that significantly disrupt the provision of essential services. The legislative framework asks for resilience exercises and preparedness planning as instruments to ensure that both public authorities and private operators are capable of responding effectively to crises affecting critical infrastructure.
The Belgian approach reflects the Directive’s systemic perspective on resilience governance. The national framework emphasizes the continuity of essential services and the management of cross-sector dependencies. This is particularly important in modern infrastructure environments characterized by complex interconnections between energy systems, telecommunications networks, financial infrastructures, transportation systems, and digital platforms. By adopting a resilience based approach, the Belgian legislation seeks to ensure that disruptions affecting one sector do not propagate uncontrollably across other sectors of the national economy.
The legislative framework introduces supervisory and enforcement mechanisms designed to ensure effective compliance with resilience obligations. Competent national authorities are empowered to monitor the implementation of resilience measures by critical entities, conduct inspections, and require corrective actions where deficiencies are identified. The proposed legislation further establishes both administrative and criminal sanctions for violations of the resilience obligations imposed on designated entities.
Belgium’s implementation strategy is also closely linked to the broader European resilience architecture, particularly the regulatory framework established by the NIS 2 Directive concerning cybersecurity.
By early 2026, Belgium had completed the core legislative step required to transpose the Directive into its national legal order. The CER law was adopted in December 2025, and was published in January 2026.