The Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public security ("the Act") (finally) transposes the European NIS directive (Directive (EU) 2016/1148) into Belgian legislation. Thus, Belgium has updated its cybersecurity policy.
A higher level of cybersecurity in Belgium
Our society and economy are increasingly dependent on well-functioning and secure network and information systems. The purpose of the Act is therefore to ensure that public and private companies, organisations, institutions and governments offering "essential services" and "digital services" are highly committed to cybersecurity and endeavour to prevent the disruption or abuse of their networks and systems.
To which sectors does the Act apply?
The Act applies to:
Even if you are not an OES or a DSP, the new provisions could have a major impact on your organisation if you supply goods or services to an OES or a DSP. After all, OESs and DSPs will also contractually impose their security obligations on their suppliers.
Does the Act apply to your organisation?
As a digital service provider, you must assess yourself whether the Act applies to your organisation. This is the case if you provide one of the digital services listed above, unless you are an SME employing fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million and/or an annual balance sheet total not exceeding EUR 43 million.
If you operate essential services, your sectoral authority must first identify you as an OES. The sectoral authority is to be designated per sector through a royal decree and identifies all organisations that are potential operators of essential services.
When identifying an OES, the sectoral authority takes into account (i) whether the service is essential for the maintenance of critical social and/or economic activities, (ii) the extent to which the service depends on network and information systems, and (iii) the significant disruptive effect that an incident could have on the provision of those services. In order to assess the disruptive effect, the sectoral authority takes into account incidence levels or thresholds, based on the number of users, the dependence of other sectors on this service, the consequences of the incident, the market share of the entity, the geographic spread with regard to the area that could be affected, and the availability of alternative means.
What should you do if you do qualify as an OES or a DSP?
Appropriate and proportionate security measures
Stricter cybersecurity measures apply to operators of essential services and digital service providers. They must take appropriate and proportionate technical and organisational measures.
At the technical level, the organisation must put in place appropriate measures to protect the network and IT system against incidents. What is appropriate depends on the size, importance and nature of your organisation and the state of technical knowledge. For example, the household version of the antivirus software will not be sufficient to protect the IT system used for air traffic controllers or the cooling processes in nuclear reactors.
At the organisational level, the provider must set up internal procedures, measures and training regarding the use of the IT system to prevent incidents (cyber hygiene) and an action plan to be implemented in the event of incidents.
Drawing up a security policy for the network and information systems
Operators of essential services must describe these measures in their "security policy for the network and information systems". Security policies that meet the ISO 270001 standards are considered to comply with the Act in the absence of evidence to the contrary. The security policy must be drawn up by the organisation within 12 months after its designation by the sectoral authority as an OES and must be implemented within 24 months.
Notification of incidents
The Act introduces a notification obligation for OESs and DSPs in case of incidents. Incidents are events with considerable effects on the availability, confidentiality, integrity or authenticity of the information systems on which the services are dependent. Potential OESs may, but are not obliged to, notify incidents.
Incidents must be immediately notified to the Computer Security Incident Response Team ("CSIRT"), the sectoral authority or its sectoral CSIRT, and the national authority that coordinates the identification of OESs, through a notification platform that will be put in place. Providers in the financial sector notify to the National Bank, trading platforms to the FSMA. It should be noted that this notification obligation is distinct from the notification obligation under the General Data Protection Regulation in the event of a personal data breach.
What is the risk?
The legislator has established firm sanctions and has provided far-reaching enforcement powers to ensure compliance with the obligations in the new Act. Violations of the Act, in particular with regard to the notification obligation, can be punished with administrative sanctions of up to EUR 200,000, and criminal sanctions with imprisonment of up to 3 years and fines of up to EUR 1,200,000.
When does the Act come into effect?
The Act entered into force on 3 May 2019, the day of its publication in the Belgian Official Gazette. A number of important royal decrees still have to be adopted for its implementation, inter alia to designate the sectoral authorities.
Cyber incidents occur every day. Investing in good cybersecurity and follow-up pays off. Eubelius is happy to assist you with advice, preparation of security policies, training for your staff, audits, and your preparation for and approach to cyber incidents.
Anneleen Van de Meulebroucke
Catherine Van de Heyning