CRA Compliance in Belgium
National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Belgium manufacturers.
Belgium's Centre for Cybersecurity Belgium (CCB) is a lean but capable national cybersecurity authority that serves as the CRA national competent authority and coordinates CERT.be as the national CSIRT. Belgium hosts numerous EU institutions and multinational headquarters, creating a unique regulatory environment where CCB must balance domestic manufacturer needs with its role as a host-country authority for pan-European entities. Belgian manufacturers in the chemical, pharmaceutical, and industrial sectors have significant CRA obligations.
National Competent Authority (CRA)
CCB
Centre for Cybersecurity Belgium
CCB is Belgium's national cybersecurity authority under the authority of the Prime Minister. It serves as the CRA national competent authority, coordinates CERT.be as the national CSIRT, and leads Belgium's national cybersecurity strategy implementation.
https://ccb.belgium.be →CRA Enforcement in Belgium
CCB serves as Belgium's national competent authority for the CRA, with market surveillance functions coordinated with the Federal Public Service Economy (FPS Economy), which oversees consumer product safety and CE marking enforcement in Belgium. Belgium's federal structure means that regional authorities (Flanders, Wallonia, and Brussels Capital) are involved in implementation for regionally-competent matters. CCB has been expanding its regulatory capacity through Belgium's national cybersecurity strategy phases, and CRA enforcement is expected to build on the NIS2 implementation framework. CCB coordinates with ENISA and peer NCAs through established working groups.
Article 14 Incident Reporting for Belgian Manufacturers
Belgian manufacturers submit Article 14 notifications to CERT.be through its secure online reporting portal at cert.be/en/report. CERT.be operates 24/7 incident response capability and is accessible in French, Dutch, and English. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. Belgium's NIS2 transposition through the NIS2-wet (Wet van 26 april 2024) created an incident reporting framework that CERT.be administers, and CRA Article 14 notifications will follow the same channel. CERT.be participates in the EU CSIRTs network and relays reports to ENISA as required.
Market Surveillance & Penalties
Market surveillance in Belgium for CRA products is coordinated between CCB and the FPS Economy's Quality and Safety directorate, with customs involvement for imports. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Belgium's consumer product safety enforcement through FPS Economy has been active under the General Product Safety Directive, providing a foundation for CRA market surveillance. Belgian manufacturers should note that CCB may collaborate with the Data Protection Authority (APD/GBA) where CRA incidents also involve personal data breaches.
Support for Belgian Manufacturers
CCB operates the Cyber Fundamentals Framework (CyFun), which provides a structured cybersecurity baseline aligned with international standards including ISO 27001 and NIST CSF. CyFun certification provides a strong foundation for CRA Annex I compliance and is recognised by Belgian public authorities in procurement. The CCB SafeOnWeb programme provides free cybersecurity guidance for businesses. Agoria (Belgian technology industry federation) provides CRA implementation guidance for its manufacturing members. BELSPO-funded research institutions and Sirris (manufacturing technology institute) provide technical expertise for conformity assessment activities.
CVD Portal automates your Article 14 notification obligations.
Pre-built notification workflows for CERT.be, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.
Start your free portalFrequently asked
How do I contact CCB as a manufacturer with a CRA compliance question?+
CCB can be contacted through ccb.belgium.be. CCB operates a Centre for Cybersecurity helpdesk accessible in French, Dutch, and English. For CERT.be incident notifications, use cert.be/en/report. CCB engages industry through the Cyber Security Coalition Belgium and hosts the annual Cybersecurity Convention. Manufacturers seeking practical compliance guidance can also access the SafeOnWeb for Business portal, which provides free resources.
Does Belgium have national-level CRA implementing legislation?+
Belgium transposed NIS2 through the Wet van 26 april 2024 betreffende de beveiliging van netwerk- en informatiesystemen. CRA implementing measures are expected through a combination of royal decrees amending product safety legislation and CCB regulatory guidance documents. The FPS Economy is leading the product safety aspects of CRA implementation. National implementing measures are expected ahead of the CRA's December 2027 application date.
How does the CRA interact with Belgium's NIS2 implementation and the Cyber Fundamentals Framework?+
Belgium's Cyber Fundamentals (CyFun) Framework provides four assurance levels aligned with the cyber risk profile of an organisation. For manufacturers, Basic and Important level CyFun certification maps closely to CRA Annex I essential requirements, and CCB is expected to publish guidance on how CyFun certification supports CRA conformity. Manufacturers already pursuing CyFun certification should conduct a gap analysis to identify CRA-specific requirements not covered by their current CyFun scope.
CRA guides for neighbouring countries
Need a CRA compliance checklist for your product?
Browse free niche-specific checklists covering classification, Annex I obligations, and CVD requirements.