The gap nobody wants to admit
Most organisations in scope for NIS2 or DORA have a compliance project. Steering committee, gap assessment, roadmap, status update that says “on track.”
What most of them cannot do is open a folder and show a supervisor the proof.
That distinction is what enforcement actually tests. Belgium’s CCB has been active since the transposition law came into force in October 2024. The first administrative penalties landed across the EU in Q1 2026. DORA supervisors are no longer asking whether financial entities have a plan. They are asking for records. The question has shifted from “are you compliant?” to “prove it.”
What supervisors are actually looking for
Policy documents are table stakes. What structured supervisory reviews are now targeting is evidence of operation.
Under NIS2, that means incident response plans with test results attached. Not the plan itself, but what happened when you ran the scenario and what you fixed afterward. It means supply chain security backed by contract reviews, audit findings, follow-up actions, and documented evidence of closure. It means named board-level accountability with records showing how that person is kept informed. And for Belgian entities specifically: the CCB required self-assessment completion by June 2026. If that is not done, the conversation with a supervisor starts from a bad position.
Under DORA, supervisors want the Register of Information: ICT third-party dependencies mapped, submitted, and defensible. The register is submitted to the competent authority annually, and the first collection has already happened. They want resilience testing results with documented remediation, not a testing schedule. They want to see how you manage critical ICT provider dependencies, and the paper trail behind it. And they want confidence that your detection, classification and escalation chain can meet DORA’s initial notification deadline for major ICT-related incidents: four hours from the moment the incident is classified as major, and in any case no later than 24 hours after you became aware of it. That means the classification step itself has to be fast and evidenced, not just that the process is written down somewhere.
Where Belgian organisations are getting caught
The policies exist. The problems show up when you try to run them in front of someone who knows what to look for.
Third-party risk reduced to an annual questionnaire. Sent, filed, forgotten. NIS2 expects ongoing supply chain security with documented evidence. DORA expects active oversight of critical ICT providers, contractual controls, and documented exit strategies. A questionnaire is not oversight, and supervisors can tell the difference immediately.
Incident response that has never left the document. The plan is written. Nobody has run a tabletop exercise in the past 12 months. Without test results there is nothing to show and “we planned to test it” is not an answer that holds up.
Board accountability that exists on an org chart and nowhere else. Both frameworks require management bodies to approve security measures and demonstrate they understand them. In many organisations the board signed off on a security policy two years ago and has not been meaningfully involved since. Supervisors are probing this specifically in 2026 reviews.
DORA Register of Information gaps. Many financial entities underestimated what the RoI actually requires. Granular mapping of which services depend on which providers, including concentration risk analysis, is the baseline, not a list of your main vendors. Firms that treated it as an administrative exercise are finding out it is a governance one, after the submission deadline has passed.
October is 16 weeks away
NIS2’s operational compliance deadline is October 2026. That is not a distant target for Belgian organisations in scope. It is the next strategic milestone, and it is close.
The organisations that will be in the strongest position did not rush their gap assessments at the end. They built operational evidence along the way: tested plans, board engagement on file, active third-party oversight, records that hold up when someone who knows the frameworks reads them carefully. The ones still working from a PowerPoint roadmap are going to have a difficult conversation.
A mature posture in mid-2026 is not about having more documentation. It is about documentation that reflects what you actually do. Policies backed by test results. Board minutes that show real engagement. Vendor oversight that is continuous, not annual. Incident logs that demonstrate the process works. Senior management that can speak to the risk posture in a supervisory review. Not because they were briefed the day before, but because they have been involved throughout.
Curios works with Belgian organisations navigating NIS2 and DORA implementation, from gap assessment through to audit-ready evidence. If you are looking at October and wondering whether your current posture will hold up, get in touch.
