First EU-wide legislation on cybersecurity has been implemented in Belgian law

NIS is here, but what does it mean?

Belgium did not previously have a complete arsenal of legislation on the security of network and information systems. The new law aims to fill this gap. While the implementation process has been somewhat overshadowed by the coming into force of the General Data Protection Regulation (“GDPR”), the NIS Directive itself will have a considerable impact on operators of essential services (e.g. operators in the energy, financial and health care sectors, water companies, transport providers, digital infrastructures) and digital service providers (e.g. cloud service providers, online search engines, and online marketplaces). The implementation of the NIS Directive imposes a number of obligations on these actors to take technical and organizational security measures to prevent incidents or to limit their impact on services and ensure the continuity of those services. In the same vein, the law introduces certain notification requirements for incidents that have a significant impact on the services provided. These should not be confused with notifications of personal data breaches under the GDPR, which remain fully applicable. The NIS Act does require operators of essential services and providers of digital services to designate a Data Protection Officer (DPO).

Security measures

The law aims at stimulating the protection, security and reliability of the network and information systems relating to those services in the event of an incident that could significantly disrupt the provision of essential services in Belgium.

Operators of essential services and digital service providers must set out their security objectives and concrete security measures in an Information Security Policy (“ISP”). If the operators use recognized technical standards, such as ISO/IEC 27001, the ISP’s content (not its implementation) will be presumed to conform if the requirements of this standard, or a national, foreign or international standard that is recognized as equivalent (by royal decree), are met.

Appropriate and proportionate technical and organizational security measures should then be implemented to manage the risks to the security of the operator’s network and information systems and, in the event of an incident, minimize the consequences.

Notification of incidents

The operators of essential services will have to notify without delay any incident significantly affecting the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service(s) they provide depend. This applies even if not all information is yet available.

A digital platform will need to be established for this notification, which should be made simultaneously to the national CSIRT (i.e. Centre for Cyber Security Belgium), the sectoral authority or its sectoral CSIRT, and the crisis centre (“ADCC” in Dutch, “DGCC” in French).

To determine the impact of a disruptive effect, the sectoral authority sets criteria, levels of return and thresholds.

Digital service providers shall notify without delay any incident which significantly affects the provision of a service offered by them in the EU, in accordance with implementing regulations of the European Commission. This notification can also be done via the digital platform that will be established.

Supervision and sanctions

The law introduces two types of audit for the operators of essential services:

  • a yearly internal audit of the network and information systems, at its own cost; and
  • an external audit every three years by an external auditor accredited by the Belgian accreditation body (BELAC), a conformity assessment body or an equivalent recognized organization, at its own cost.

Inspectorates may, at any time, carry out checks on the compliance of operators of essential services with the security measures and incident reporting rules. Digital service providers can only be inspected once there is evidence that the requirements are not being respected.

Breaches of the legal provisions are punishable with criminal or administrative sanctions.

Future actions

Within six months of the entry into force of the law, sectoral authorities will contact a first set of operators involved and, after a dialogue, officially designate them as providers of essential services. The sectoral authorities will inform them about their obligations and relevant deadlines. In particular:

  • The operators of essential services will have 12 months after their official designation to adapt their ISP.
  • The security measures set out in the ISP will have to be implemented within 24 months after their official designation.

Many companies that fall under the NIS have already invested in the security of network and information systems and will not have to start from scratch. Future actions will concern in particular:

  • adding extra layers of security measures and fine-tuning the ISP;
  • designating a contact point, which may be contacted directly by the competent authorities for any question relating to the security of the network and information systems on which the provision of essential services depends. This contact point should be available at all times (except in the case of digital service providers);
  • designating a DPO and notifying the designation to the data protection authority;
  • establishing a procedure for constantly monitoring and updating the ISP and security measures;
  • being aware of the new obligations and procedures under the NIS; and
  • fully incorporating a risk management culture in the DNA of the company.

Tom De Cordier, Partner, tom.decordier@cms-db.com

Deven Dobbelaere, Junior Associate, deven.dobbelaere@cms-db.com