1. GOVERNING TEXTS
Prior to the implementation of the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive'), Belgium had only limited sectoral cybersecurity frameworks in place.
The Law of 7 April 2019 Laying Down a Framework for the Security of Networks and of Information Systems of General Interest for Public Security (only available in French here and Dutch here) ('the NIS Law') implements the NIS Directive in Belgium. It introduces a set of rules for operators of essential services ('OESs') and digital service providers ('DSPs'), and it also modifies existing cybersecurity frameworks. It requires these entities to adopt adequate security measures in order to prevent cybersecurity incidents. Furthermore, should an incident occur, the NIS Law imposes notification requirements towards the competent authorities.
In December 2020, the European Commission proposed a revised Directive on Security of Network and Information Systems ('Draft NIS 2 Directive') in order to expand the scope of the current NIS Directive. The Draft NIS 2 Directive will cover additional sectors considered important for the economy and society, such as providers of public electronic communications networks or services, digital services, space, waste water and waste management, manufacturing of critical products, and postal and courier services. In its currently available draft, it seeks to eliminate the distinction between OESs and DSPs (and, by the same token, to apply to most entities active in the sectors in scope, without their having to be designated by the authorities of their Member States). Moreover, the Draft NIS 2 Directive will strengthen security requirements by imposing a risk management approach on entities and by providing a clearer and harmonised process for incident notification.
Please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, Member States must transpose the NIS 2 Directive into their national legislation by 17 October 2024, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.
On top of the NIS Law, additional cybersecurity rules exist for given sectors, such as electronic communications, critical infrastructure, and national security.
The following paragraphs list the main regulations governing cybersecurity in Belgium and include a short summary of each of the key provisions. Work carried out at EU level, such as the work of the European Union Agency for Cybersecurity ('ENISA'), should also be considered: according to the Commission's work programme for 2022, a proposal for a new Cyber Resilience Act will be published in the third quarter of 2022. Its aim is to establish common cybersecurity standards for products. On 25 May 2022, the Commission closed its public consultation on the initiative. Please note, however, that this is a non-exhaustive list, as this contribution focuses solely on Belgium.
Security of network and information systems
- Regulation (EU) 2019/881 of 17 April 2019 on ENISA and on Information and Communications Technology Cybersecurity Certification and Repealing Regulation (EU) No. 526/2013 ('the EU Cybersecurity Act'): As a regulation, the EU Cybersecurity Act is directly applicable in Belgium and sets out a framework that would allow the adoption of EU-wide cybersecurity certification schemes for ICT products, services, and processes.
- Royal Decree of 12 July 2019 implementing the NIS Law and the Critical Infrastructure Law (only available in French here and Dutch here) ('the NIS Decree'): The NIS Decree contains detailed provisions which enable the implementation of the NIS Law and of the basic laws governing critical infrastructure. The NIS Decree focuses on attributing responsibilities among relevant public authorities in Belgium, as well as on laying down the procedures to comply with the notification obligations in the event of a cybersecurity incident.
- Royal Decree of 10 October 2014 on the Creation of the Centre for Cybersecurity in Belgium (only available in French here and Dutch here) ('the CCB Decree'): The CCB Decree establishes the Centre for Cybersecurity in Belgium ('CCB') which is entrusted with key responsibilities under the NIS Law, including incident management and the coordination of the Belgian cybersecurity strategy. According to the CCB Decree, Belgium's Computer Emergency Response Team ('CERT-BE') is integrated within the CCB.
- Law of 1 July 2011 concerning the Security and Protection of Critical Infrastructure, as amended by the NIS Law (only available in French here and Dutch here) ('the Critical Infrastructure Law'): The Critical Infrastructure Law contains rules to identify operators of critical infrastructure, as well as requirements to adopt appropriate security measures. The NIS Decree lays down further provisions to implement the Critical Infrastructure Law.
- Law of 15 April 1994 on the Protection of the Population and the Environment Against the Dangers Arising from Ionising Radiation and on the Federal Nuclear Control Agency, as amended by the Law of 5 April 2019 (only available in French here and Dutch here) ('the Nuclear Energy Law'): The Nuclear Energy Law lays down the basic rules governing protection against ionising radiation and the security of nuclear power plants, as well as rules concerning the Federal Nuclear Control Agency ('FANC'). The Nuclear Energy Law was recently amended to tackle the cybersecurity risks affecting nuclear energy plants. While the changes introduced by the Nuclear Energy Law will only enter into force on a date laid down by a secondary act, they may already be taken into account when assessing the cybersecurity framework in Belgium. Secondary acts may establish security levels for existing network and information systems, together with the security measures which should be adopted for each security level.
- Law of 21 December 2021 implementing the European Electronic Communications Code and amending various provisions relating to electronic communications (only available in French here and Dutch here) transposes Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code ('the Electronic Communications Code') and partially implements Directive 2014/61/EU of the European Parliament and of the Council of 15 May 2014 on measures to reduce the cost of deploying high-speed electronic communications networks. This transposition amends various laws, amongst others the Law of 13 June 2005 on Electronic Communications (only available in French here and Dutch here) ('the Electronic Communications Law').
- The Electronic Communications Code extends electronic communications rules to new providers of electronic communications services, such as 'over-the-top' players, which provide interpersonal communication services. Moreover, it requires these providers to notify their subscribers of security incidents.
- The Electronic Communications Law lays down certain obligations for providers of electronic communications services, including with regards to the security of electronic communications networks. Moreover, it contains provisions governing the implementation and enforcement of these obligations.
- Law of 17 January 2003 concerning the Status of the Regulator of the Belgian Postal and Telecommunications Sector, as amended by the NIS Law (only available in French here and Dutch here) ('the Telecommunications Regulator Law') lays down provisions which govern the Belgian Institute of Postal Services and Telecommunications ('BIPT'). The BIPT is the sectoral authority responsible for the implementation and enforcement of the Electronic Communications Law, the NIS Law, and the Critical Infrastructure Law in the telecommunications sector.
- In September 2020, the Commission proposed a new Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial Sector ('DORA'). On 11 May 2022, the EU Council and the Parliament reached a provisional agreement on DORA. Once formalised, the rules will apply within 24 months.
- The European Central Bank ('ECB') approved the Eurosystem's Cyber Resilience Strategy for Financial Market Infrastructures in March 2019. This followed the ECB's publication of the Cyber Resilience Oversight Expectations in December 2018, as well as the CCB's publication of the Baseline Principles (only available in French here and Dutch here) ('the Baseline Principles').
- Law of 19 July 2018 amending the Code of Economic Law to Transpose Directive (EU) 2015/2366 on Payment Services in the Internal Market (only available in French here and Dutch here) ('the Economic Law Code Law'): The Economic Law Code Law constitutes the partial transposition of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on Payment Services in the Internal Market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No. 1093/2010, and repealing Directive 2007/64/EC ('PSD2'). It contains certain security requirements for the provision of payment services, such as information requirements and the obligation to keep an internal register of completed transactions.
- Law of 11 March 2018 Concerning the Status and Supervision of Payment Service Providers (only available in French here and Dutch here) ('the Payment Services Law'): The Payment Services Law also constitutes the partial transposition of the PSD2. It contains certain requirements on security measures to be adopted by payment service providers. In addition, it lays down a reporting obligation for major operational and security risk incidents affecting the provision of payment services.
- Law of 21 November 2017 Concerning the Infrastructures for Markets in Financial Instruments (only available in French here and Dutch here) ('the Financial Instruments Law'): The Financial Instruments Law constitutes the transposition of Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on Markets in Financial Instruments and amending Directive 2002/92/EC and Directive 2011/61/EU ('MiFID II'). It contains information security obligations for certain financial market operators, such as consolidated tape providers.
- Law of 22 February 1998 establishing the Organic Statute of the National Bank of Belgium (only available in French here and Dutch here) ('the NBB Statute'): The NBB Statute lays down certain provisions governing the role of the National Bank of Belgium ('NBB') within the financial sector. In particular, it indicates that the NBB is responsible for the implementation and enforcement of the NIS Law and the Critical Infrastructure Law within the financial sector, except with regards to trading platform operators (Article 3(6) of the Financial Instruments Law).
- Law of 10 July 2006 concerning Threat Analysis (only available in French here and Dutch here) ('the Threat Analysis Law'): The Threat Analysis Law establishes the Coordination Body for Threat Analysis ('OCAD'), which participates in the risk assessment of critical infrastructure.
- Organic Law of 30 November 1998 on Intelligence and Security Services (only available in French here and Dutch here) ('the Intelligence and Security Law'): The Intelligence and Security Law governs various governmental bodies, which are responsible for protecting state security. In particular, the Intelligence and Security Law indicates that the General Intelligence and Security Service is responsible for the response against cyber attacks targeting military equipment or infrastructure.
- Royal Decree of 2 June 2015 on the Strategic Committee and Coordination Committee for Intelligence and Security (only available in French here and Dutch here) ('the Intelligence and Security Decree'): The committees established by the Intelligence and Security Decree coordinate and prepare the decisions adopted by the National Security Council. The CCB, or other entities, may take part in committee meetings that deal with cybersecurity.
- Royal Decree of 28 January 2015 Concerning the Creation of the National Security Council (only available in French here and Dutch here) ('the National Security Council Decree'): The National Security Council is responsible for defining Belgium's intelligence and security policy which, if necessary, may include cybersecurity.
- Royal Decree of 18 April 1988 on the Creation of the Government's Crisis Coordination Centre (only available in French here and Dutch here) ('the GCCC Decree'): The GCCC Decree establishes the Government's Crisis Coordination Centre, now the Directorate-General Crisis Centre ('DGCC'). The DGCC is entrusted with several tasks under the Critical Infrastructure Law and the NIS Law, as developed by the NIS Decree.
Protection of personal data
- General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'): The GDPR is directly applicable in Belgium. It determines the conditions under which personal data may be processed and it grants rights concerning such data. The GDPR requires entities processing personal data to adopt appropriate technical and organisational measures to ensure the security of personal data (Article 32 of the GDPR).
- Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data ('the Act'): The Act complements and develops the GDPR in certain fields. The Act equally requires entities processing personal data to ensure the security of such data.
1.2. Regulatory authority
The CCB is responsible for the supervision and coordination of cybersecurity policies in Belgium. According to the NIS Law, as developed by the NIS Decree and the CCB Decree, the CCB fulfils tasks in the domains listed below.
Policy and coordination:
- supervising, coordinating, and updating Belgium's cybersecurity strategy;
- issuing regulatory proposals to update the applicable legal framework in Belgium;
- raising awareness concerning cybersecurity-related issues;
- coordinating public authorities and stakeholders active in the field of cybersecurity; and
- serving as the single point of contact in Belgium for the Commission and the other Member States of the EU.
Assistance to OESs and DSPs:
- coordinating the identification of OESs, together with the DGCC;
- adopting and enforcing standards, guidelines, and security measures;
- coordinating the evaluation and certification of ICT; and
- participating in the management of cybersecurity incidents, together with the DGCC and the CERT-BE.
The CCB is equally responsible for hosting the CERT-BE. According to the CCB Decree, the CERT-BE is responsible for detecting, observing, and analysing cybersecurity issues, as well as continuously informing users of such issues. The CERT-BE, as stated in the NIS Law, may intervene in the event of a cybersecurity incident and trigger emergency response plans. The CERT-BE is a member of the Computer Security Incident Response Teams Network ('CSIRTs Network') coordinated by ENISA.
According to the NIS Law, the CERT-BE is assisted by sectoral incident response teams. Sectoral teams are appointed by secondary acts.
The DGCC was originally established in 1988, as the body responsible for the coordination of the response to any incident which threatens vital national interests or basic needs of the population. Under the framework laid down by the Critical Infrastructure Law and the NIS Law, the DGCC participates in the identification of critical infrastructure operators and OESs, as well as in the coordination of the response in the event of a cybersecurity incident.
The implementation and enforcement of certain provisions laid down in the NIS Law and in the Critical Infrastructure Law are carried out by sectoral authorities, appointed for specific economic sectors or sub-sectors.
Within the framework of the NIS Law, sectoral authorities are entrusted with, among others, the following tasks:
- identifying and appointing OESs;
- requesting OESs to implement certain security measures;
- receiving information concerning the cybersecurity contact point for OESs and DSPs;
- receiving and processing incident notifications;
- receiving audit reports from OESs; and
- imposing administrative sanctions in the event of non-compliance with any obligation imposed by the NIS Law.
According to the Critical Infrastructure Law, sectoral authorities are responsible for tasks, such as identifying and appointing critical infrastructure operators and receiving information concerning the security contact point.
Sectoral authorities, under the NIS Law or the Critical Infrastructure Law, may be appointed by law or by secondary acts. In some cases, one sectoral authority may be responsible for the implementation of both the NIS Law and the Critical Infrastructure Law in the same sector. By way of example, the Federal Ministry of Energy is the sectoral authority for the energy sector under both the NIS Law (Annex I of the NIS Decree) and Article 3 of the Critical Infrastructure Law.
The BIPT is the sectoral authority responsible for the implementation and enforcement of the NIS Law and the Critical Infrastructure Law in the electronic communications sector.
The Electronic Communications Law grants the BIPT additional powers concerning cybersecurity in the electronic communications sector. In particular, the BIPT is allowed to issue compulsory measures addressed to specific electronic communications providers and set time limits for their implementation. Compulsory measures may concern the adoption of specific cybersecurity measures, in light of existing risks.
The NBB is the sectoral authority responsible for the implementation and enforcement of the NIS Law and the Critical Infrastructure Law in the financial sector, with the exception of trading platform operators. In addition, the Payment Services Law grants it additional powers to enforce cybersecurity rules in the financial sector. These include the capacity to impose deadlines for compliance with the Payment Services Law in the event that a payment service provider does not comply with applicable security measures.
Both the NIS Law and the Critical Infrastructure Law indicate that inspection services should be appointed for each sector or sub-sector. These inspection services may evaluate whether an entity complies with required security measures and other applicable requirements. To fulfil these tasks, inspection services may seek access to the premises of an entity and collect relevant information.
Inspection services, under the NIS Law or the Critical Infrastructure Law, may be appointed by law or by secondary acts. In some cases, inspection services may perform inspections under both the NIS Law and the Critical Infrastructure Law.
1.3. Regulatory authority guidance
The CCB, which is responsible for the supervision and coordination of cybersecurity policies in Belgium, has issued several cross-sectoral guidance documents. These include the following:
- the Belgian Cybersecurity Strategy 2.0 for the period 2021-2025 of May 2021 (only available in French here and Dutch here): The strategy outlines six strategic objectives and clarifies the roles and responsibilities of relevant public authorities in Belgium. The strategic objectives include the protection of organisations of vital interests against cyber threats, the response to cyber threats, and the strengthening of the digital environment. The strategy also provides for the adoption of a national certification framework, as required by the EU Cybersecurity Act;
- the Guidelines on Supply Chain Management (available here), which lay down recommendations on risk management, security management, and architecture, procurement, and operational management in order to ensure the security of supply chains;
- the Baseline Information Security Guidelines (only available in French here and Dutch here), which lay down recommendations addressed to entities in the public sector, in order to adopt and implement a cybersecurity strategy;
- the Centre for Cybersecurity Belgium Cyberguide (2017), which contains a list of recommendations to assess cybersecurity risks, prepare cybersecurity strategies, and adopt relevant security measures; and
- the Cyber Security Incident Management Guide ('the Incident Management Guide') laying down possible measures to prepare an incident response plan, to detect and monitor potential cybersecurity incidents, and to adequately respond in the event of a cybersecurity incident.
The CCB is seeking stakeholders' views in certain areas. As an example, the Incident Management Guide was prepared jointly with the Cyber Security Coalition, a public-private initiative which groups industry representatives and public authorities, such as the CCB.
Additionally, organisations representing the Belgian industry have issued the Belgian Cybersecurity Guide (only available in French here and Dutch here), which identifies ten key principles and ten key actions to ensure a high level of cybersecurity within an entity.
Finally, the Ministry of Economy dedicates a full section of its website to 'Cybersecurity and SMEs' (only available in French here and Dutch here) which provides guidelines, recommendations, and a 'cyberscan' tool which enables the assessment of the level of maturity of a small and medium-sized enterprise ('SME').
2. SCOPE OF APPLICATION
The following sections lay down an overview of the scope of application, requirements, and penalties of certain cybersecurity rules in Belgium, namely the NIS Law and the Critical Infrastructure Law. Other provisions governing cybersecurity aspects for different sectors (or changes introduced to other laws by the NIS Law) are not covered.
2.1. Network and Information Systems
The NIS Law establishes that any of the following would constitute a network and information system:
- electronic communications networks are defined by the Electronic Communications Law as transmission systems (including switching or routing equipment), which enable the conveyance of signals by wire, terrestrial, optical, or other electric and electromagnetic means. These systems are considered electronic communications networks to the extent that they are used for the transmission of signals other than those used for radio broadcasting and television (Article 2(3) of the Electronic Communications Law, as referred to by Article 6(8)(a) of the NIS Law). This definition closely follows the definition laid down by Directive 2002/21/EC of the European Parliament and of the Council on a common regulatory framework for electronic communications networks and services (Framework Directive);
- any device or group of interconnected or related devices, one or more of which perform, in execution of a program, automatic processing of digital data, including the digital, electronic, or mechanical components of such device, enabling, in particular, the automation of the operational process, remote control, or the obtaining of real-time operating data (Article 6(8)(b) of the NIS Law); and
- digital data, provided that it is stored, processed, retrieved, or transmitted by any of the two elements defined above, for the purposes of their operation, use, protection, and maintenance (Article 6(8)(c) of the NIS Law).
2.2. Critical Information Infrastructure Operators
According to the Critical Infrastructure Law, critical infrastructure is defined as a facility, system, or part thereof that is essential to the maintenance of vital functions of society, health, safety, security, and citizens' economic and social welfare, and the interruption or destruction of which would severely impact such vital functions (Article 3(4) of the Critical Infrastructure Law).
Critical infrastructure operators must be identified and appointed by the sectoral authorities before the obligations laid down under the Critical Infrastructure Law may be applicable to them. Throughout this process, sectoral authorities should consult the DGCC and, where the security of network and information systems is concerned, the CCB.
Critical infrastructure operators must comply with the obligations arising from the Critical Infrastructure Law and, where applicable, with the obligations imposed by the NIS Law. This would be the case where a critical infrastructure is identified and appointed as an OES. However, the NIS Law prevents the simultaneous application of the NIS Law and the Critical Infrastructure Law (e.g. a critical infrastructure operator which is also an OES is not required to adopt two security policies to fulfil legal requirements arising both from the NIS Law and the Critical Infrastructure Law).
2.3. Operator of Essential Services
According to the NIS Law, an OES is an entity identified and appointed by the sectoral authority, which:
- belongs to one of the economic sectors laid down in Annex I of the NIS Law (e.g. energy, health, etc.); and
- fulfils the following criteria (Articles 6(11) and 12(1) of the NIS Law):
- the entity provides an essential service to maintain critical economic and/or social activities;
- the service provided by such entity is dependent on network and information systems, taking into account that such dependency is presumed if the entity has already been identified as a critical infrastructure; and
- an incident would be capable of having a significant damaging effect on the provision of such service, taking into account sectoral and/or cross-sectoral criteria, impact levels, or thresholds laid down by the sectoral authority. When defining cross-sectoral criteria, the sectoral authority must take into account, amongst others, the number of users of the service, the potential consequences of a cyber attack affecting the OES, and the dependence of other sectors on such service.
OESs must be identified and appointed by the sectoral authorities before the obligations laid down under the NIS Directive may be applicable to them. The CCB and the DGCC should also take part in this process, together with sectoral authorities.
2.4. Cloud Computing Services
According to the NIS Law, cloud computing services are digital services which provide access to a scalable and variable set of computer resources that may be shared (Article 6(29) of the NIS Law).
2.5. Digital Service Providers
The NIS Law applies to DSPs, as defined by Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 Laying Down a Procedure for the Provision of Information in the Field of Technical Regulations and of Rules on Information Society Services ('the ISS Directive'). Digital services include any service, normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.
More specifically, DSPs fall within the scope of the NIS Law to the extent that the services they provide are listed in Annex II of the NIS Law (Article 6(20) of the NIS Law and Article 1(1)(b) of the ISS Directive).
Annex II of the NIS Law includes the following types of digital services:
- online marketplaces, which are defined as digital services enabling consumers and/or businesses to enter into online sales or services contracts with a business, provided that the contracts are entered into either at the website of the online marketplace, or at the website of the business which is operating at the online marketplace (Article 6(27) and Annex II of the NIS Law);
- online search engines, which are digital services enabling users to carry out searches covering, in principle, every internet site or every internet site in a specific language, whereby searches may concern any topic, may be initiated by a keyword, a sentence or any other entry, and may lead to a list of links from which information relevant to the entered topic could be retrieved (Article 6(28) and Annex II of the NIS Law); and
- cloud service providers, as defined in section 2.4. above.
DSPs should comply with the obligations laid down by the NIS Law, without having to be identified or appointed by the sectoral authorities. Nevertheless, DSPs which are SMEs are exempted from complying with the NIS Law.
3.1. Security measures
The NIS Law
The NIS Law requires both OESs (Articles 20 to 23 of the NIS Law) and DSPs (Articles 33 and 34 of the NIS Law) to adopt adequate security measures. OESs and DSPs should identify cybersecurity risks and adopt the technical and organisational measures which are necessary and proportionate to address cybersecurity threats, having regard to the state of the art. Moreover, OESs and DSPs should also adopt adequate security measures to prevent cybersecurity incidents and to minimise their potential impact.
Security measures adopted by DSPs should take into account the security of networks and facilities, incident management, business continuity in the event of an incident, monitoring and auditing requirements, and respect for international rules.
OESs should lay down technical and organisational measures in a security policy for network and information systems ('PSI'). When drafting a PSI, OESs should take the following points into account:
- the PSI should be drawn up within 12 months of the date of identification and appointment by the sectoral authority;
- the PSI should be fully implemented by the OES within 24 months of the date of identification and appointment by the sectoral authority; and
- the PSI will be presumed to be compliant with the NIS Law if it follows the rules laid down in standards, such as ISO/IEC 27001, as established by a certificate issued by a conformity assessment body (accredited by the national accreditation centre, under ISO/IEC 17021 or ISO/IEC 17065).
The Critical Infrastructure Law
According to the Critical Infrastructure Law, critical infrastructure operators must adopt an operator security plan ('PSE'), including permanent security measures and security measures to be adapted to the level of risk. The PSE should be drawn up within 12 months of the date of identification and appointment of a critical infrastructure operator. Full implementation of the PSE should take place within 24 months of the date of identification and appointment. Critical infrastructure operators should carry out the following steps when drawing up a PSE:
- an inventory of the elements which could disrupt the functioning of the infrastructure;
- a risk assessment, taking into account any risks which may disrupt the functioning of the infrastructure; and
- a vulnerability assessment of the infrastructure, taking into account the risks which have been previously identified (Article 13 of the Critical Infrastructure Law).
3.2. Notification of cybersecurity incidents
The NIS Law
According to the NIS Law, both OESs (Article 24 of the NIS Law) and DSPs (Article 35 of the NIS Law) must notify any incident having a significant impact on their network and information systems, or on the services they provide. According to the NIS Decree, initial notifications, containing partial information, may be completed by subsequent notifications, as further information becomes available.
Concerning OESs, secondary acts may lay down thresholds, by sector or sub-sector, to determine when a notification would be needed. Voluntary notifications are, in any case, allowed even when a cybersecurity incident has not met the applicable thresholds. While the competent authorities may assess and respond to such voluntary notifications, they are not required to do so whenever the notification entails a disproportionate workload (Article 30 of the NIS Law).
According to the NIS Law, notifications should be sent simultaneously to the CERT-BE, the DGCC, and the sectoral authority or sectoral incident response team. Notifications should be sent to these bodies through a dedicated platform. In addition, if the CERT-BE deems it necessary, it may inform the public of cybersecurity incidents (Articles 25, 31, and 35 of the NIS Law).
The Critical Infrastructure Law
The Critical Infrastructure Law does not include a requirement to notify incidents to a competent authority. In practice, critical infrastructure operators may simply notify the district information and communication service of the General Inspectorate of the Federal Police, should such an incident occur.
3.3. Registration with a regulatory authority
Neither the NIS Law nor the Critical Infrastructure Law impose registration obligations for OESs, DSPs, or critical infrastructure operators.
3.4. Appointment of a 'security' officer
The NIS Law
The NIS Law does not require OESs and DSPs to appoint a dedicated security officer (i.e. one responsible for the supervision and implementation of security measures). However, it does require that OESs and DSPs indicate a cybersecurity contact point, through which competent authorities may issue notifications and requirements to the OES or DSP concerned.
In the case of OESs, this obligation must be complied with within three months after their identification and appointment by the sectoral authority (Article 23 of the NIS Law).
In addition, DSPs which do not have an establishment in the EU are required to appoint a representative in an EU Member State, whenever they provide digital services in the EU (Article 34 of the NIS Law).
The Critical Infrastructure Law
Critical infrastructure operators are equally required to indicate a security contact point and to share its contact details with the sectoral authority, according to the Critical Infrastructure Law. This obligation should be complied with within six months after being identified and appointed as a critical infrastructure operator (Article 12 of the Critical Infrastructure Law).
3.5. Other requirements
The NIS Law requires OESs to conduct an internal audit on a yearly basis. Internal audits allow OESs to self-assess whether the security measures laid down in the PSI are observed. In addition, the NIS Law requires that an external audit is conducted, every three years, by a conformity assessment body, accredited by the national accreditation centre. The results found in internal and external audits should be shared with the sectoral authority (Article 38 of the NIS Law).
The NIS Law requires all OESs and DSPs to appoint a data protection officer ('DPO') whenever they engage in activities which include the processing of personal data. The role and responsibilities of DPOs are laid down by the GDPR and the Act (Article 70 of the NIS Law).
4. SECTOR-SPECIFIC REQUIREMENTS
Cybersecurity in the health sector
OESs in the healthcare sector are subject to the NIS Law. The sector is included in Annex I of the NIS Law and covers healthcare settings (including hospitals and private clinics). It is addressed to healthcare providers as defined in Article 3(g) of Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the Application of Patients' Rights in Cross-Border Healthcare, i.e. any natural or legal person or any other entity legally providing healthcare on the territory of a Member State.
The Federal Public Service for Health, Food Chain Safety and Environment has been appointed as the sectoral authority for the health sector, as designated under Article 75 of the NIS Law. The designated authority has ex ante supervision of the health sector.
Cybersecurity in the financial sector
The NIS Law applies, inter alia, to OESs in the financial sector. Under the NIS Law, the banking sector is included in the wider financial sector, as indicated in its Annex I. However, the banking sector is exempted from the security requirements that apply to all other sectors under the NIS Law. The NIS Law indicates that equivalent obligations for OESs to ensure the security of their network and information systems are already imposed by the relevant competent authorities, namely the NBB at a national level and the ECB and the Eurosystem at a European level.
In March 2017, the ECB approved the Eurosystem's Cyber Resilience Strategy for Financial Market Infrastructures. This strategy is intended to operationalise the Guidance on Cyber Resilience for Financial Market Infrastructures issued by the Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions. The ECB published the Cyber Resilience Oversight Expectations in December 2018, and the CCB published the Baseline Principles.
The identified entities that are considered OES in the banking sector under the NIS Law are credit institutions which have an establishment in Belgium and are carrying out essential banking services on the Belgian territory. Credit institutions have the same meaning as the one in the NIS Directive, that is the definition of Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 648/2012. A credit institution is thus an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account.
Regarding the financial sector, the NIS Law includes central counterparties, as defined in Article 2(1) of Regulation (EU) No. 648/2012 of the European Parliament and of the Council on OTC Derivatives, Central Counterparties and Trade Repositories. The NIS Law also applies to other financial institutions, apart from credit institutions and central counterparties, that are subject to the supervision of the NBB pursuant to the NBB Statute. Moreover, the financial sector also covers financial trading platform operators within the meaning of Article 3(6) of the Law of 21 November 2017 Relating to the Infrastructures of the Markets in Financial Instruments and transposing Directive 2014/65/EU (only available in French here and Dutch here).
The NBB was appointed in the Critical Infrastructure Law as the sectoral authority for the financial and banking sector and retains that role under the NIS Law. The Financial Services and Markets Authority ('FSMA') is also the national competent authority for financial market infrastructure.
Furthermore, OESs in the financial sector, with the exception of trading platform operators, shall notify the NBB, the national CERT-BE, and the DGCC without delay of all incidents that have a significant impact on the availability, confidentiality, integrity, or authenticity of the networks and information systems on which the essential service(s) they provide depend. The NBB shall determine what constitutes a significant impact. In the absence of defined impact levels and/or thresholds, the OES shall notify all incidents affecting the availability, confidentiality, integrity, or authenticity of the networks and information systems on which the essential services depend. Regarding the determination of the significance of the disruptive effect that an incident might have on the provision of essential banking services, the NBB shall define the criteria, impact levels, or threshold values (Article 24 of the NIS Law).
OESs shall also consult the Baseline Principles for Managing Cybersecurity Risks ('the Baseline Principles'), issued by the FSMA in cooperation with the CCB on 2 October 2019, which give further recommendations to OESs in the financial sector on how to perform their cybersecurity management.
It should be noted that the NIS Law does not include any reference to cybersecurity in FinTech. Neither the NBB nor the FSMA has issued any further guidance on the application of the NIS Law to blockchain and cryptocurrencies. Since cryptocurrencies are based on a decentralised system, it is hard to identify a specific OES or DSP on which to impose the security and notification requirements of the NIS Law. However, further details on the implementation of the NIS Law by the competent authorities are still pending.
Cybersecurity practices for employees
Cybersecurity in the education sector
The NIS Law indicates that breaching any of the following provisions may entail the imposition of a criminal penalty:
- the obligation to notify cybersecurity incidents;
- the obligation to adopt security measures;
- the obligation to comply with supervisory obligations (e.g. obligation to conduct an audit or to cooperate during an inspection);
- the obligation to provide information required by the sectoral authority; and
- the obligation not to prevent or hinder the execution of an inspection.
Sanctions consist of imprisonment of between eight days and one year and/or criminal fines of up to €50,000. Preventing or hindering the execution of an inspection, as laid down above, is subject to more stringent penalties (i.e. imprisonment of between eight days and two years and/or criminal fines of up to €75,000) (Article 51 of the NIS Law).
It is important to note that the actual amount of a criminal fine is obtained by applying a statutory multiplier, currently set at eight, to the amounts stated above.
Additionally, the Critical Infrastructure Law lays down the following criminal penalties:
- imprisonment of between eight days and one year and/or criminal fines of up to €10,000 for failure to comply with security obligations or with information-sharing obligations; and
- imprisonment of between eight days and one month and/or criminal fines of up to €1,000 in the event of a failure to comply with the duty to facilitate the execution of inspections (Article 26 of the Critical Infrastructure Law).
The NIS Law lays down the following monetary penalties of an administrative nature:
- €500 to €75,000 in the event of a failure to comply with the obligation to notify cybersecurity incidents;
- €500 to €100,000 in the event of a failure to comply with the obligation to adopt security measures;
- €500 to €125,000 in the event of a failure to comply with the obligation to provide information requested by the sectoral authority; and
- €500 to €200,000 in the event of a failure to comply with supervisory obligations (e.g. the obligation to conduct an audit or to cooperate during an inspection) or with the obligation not to cause damage to a person who is executing, on behalf of an OES or a DSP, a measure required by the NIS Law (Article 52 of the NIS Law).
6. OTHER AREAS OF INTEREST
Cybersecurity of 5G networks
The NIS Law does not make any specific reference to 5G technology. However, this technology falls within the broader definition of the network and information systems that trigger the application of the NIS Law. OESs using 5G technology for their functions are required to take appropriate security measures to prevent any incident and should notify serious incidents to the competent authorities.
Belgian security services have taken a cautious position on the rollout of 5G networks. They have indicated that limits should be placed on 5G technologies coming from unreliable operators, so as to enhance the security of their use. In June 2020, the Belgian Federal Government decided to restrict access to national 5G infrastructure for equipment providers considered to be 'high risk'.