Cybersecurity is a hot topic. The recent US sanctions against Huawei, one of the world's largest network infrastructure providers, are but one example. Cyberattacks are becoming increasingly common in the business, essential services and governmental sectors. These attacks are often thought to be co-organised by countries such as Russia, Syria and North Korea. There is also a fear that terrorist organisations could attack sensitive infrastructure and paralyse the economy.
Solutions to these issues can be found, at least in part, in the Network and Information Security (NIS) Directive (2016/1148). The NIS Directive was transposed into Belgian law by the NIS Act of 7 April 2019 which entered into force on 3 May 2019.
Scope of the NIS Act
The NIS Act applies to essential service providers and digital service providers.
Essential service providers are providers of services in the energy, transport, finance, healthcare, drinking water and digital infrastructure sectors. Such providers must be designated as essential service providers by the competent sector authorities in order to be (fully) subject to the NIS Act.
Digital service providers are organisations that run online marketplaces, search engines or cloud services. They include, for example, providers of software-as-a-service. Digital service providers are automatically subject to the NIS Act. It should be noted that certain provisions of the NIS Act do not apply to small and micro-enterprises.
Measures to be taken
The four most important measures to be taken are:
- Technical and organisational measuresAn essential services provider shall take the technical and organisational measures necessary (state of the art) and proportionate to manage the risks that threaten the security of the network and IT systems on which the essential service(s) depend.
- Appointment of a data protection officer
- Establishment of a point of contact for IT security
- Notification of incidents. Both categories of service providers must notify incidents. The conditions at which and manner in which the notification must be made varies depending on the category. This notification obligation is separate from the obligation to notify data breaches under the GDPR.
Noncompliance with the NIS Act can result in the imposition of administrative and criminal sanctions, which can be substantially multiplied and are independent of any sanction that may be applied in the context of the GDPR.
Numerous aspects, requirements and bodies provided for by the NIS Act must still be specified by means of royal decrees. Until these decrees enter into force, the NIS Act cannot apply in its totality.
Relationship with the GDPR
Although there may be some overlap between the NIS Act and the GDPR, these two pieces of legislation have different objectives and must be applied separately. For instance, the NIS Act extends beyond personal data while the GDPR applies to all undertakings, not just digital and essential service providers.
Despite the substantial efforts made by businesses to ensure GDPR compliance, it is highly likely that companies directly subject to the NIS Act as well as their providers will have to make additional efforts in order to ensure full compliance. This is obviously a source of frustration for these companies.
The NIS Act is important to ensure the protection of essential and digital services against cyberattacks. It is unfortunate that the Belgian government waited so long to implement this legislation rather than introducing it at the same time as the GDPR. Moreover, to date, the necessary royal decrees have yet to be enacted. Let us hope that a new government will soon be in place to move things forward.