Major laws and regulations in the cybersecurity field include the following.
Basic Concepts or Principles
The National Risk Assessment 2018-23 of the Belgian National Crisis Centre (NCCN) considers cybercrime as one of the main risks the country will be facing in the coming years. Cybersecurity is described as the result of a set of security measures that minimise the risk of disruption or unauthorised access to information and communication systems.
Relevant Enforcement and Penalty Environment
For a long time, the main cybersecurity focus in Belgium was on prevention and raising awareness. However, the recently adopted Cybersecurity Strategy 2.0 (see also 10.1 Further Considerations regarding Cybersecurity Regulation) includes a strategic plan to support the development of an appropriate repressive capacity that is able to detect, investigate, prosecute and sanction cybercrime. One of the objectives is to build appropriate capacity and expertise at all levels of law enforcement so that the necessary investigation capacities can be effectively and quickly deployed in a digital environment. The intention is to ensure that the prosecutor’s office and the courts of all judicial districts have sufficient prosecutors and judges with experience in combatting cybercrime.
The Strategic Plan 2020–25 of the Belgian Data Protection Authority (DPA) highlights a number of sectors, key GDPR obligations and social matters as policy and enforcement priorities. Priority sectors include telecommunications and media, public authorities, direct marketing, and education. Key GDPR obligations on which the DPA will focus include the designation and role of data protection officers, the legitimacy of the processing of personal data, and the rights of data subjects. From a social perspective, the DPA is expected to concentrate on three topics that are high on the agenda:
The NIS Act authorises government entities at national and sectoral level to oversee compliance with the NIS Act.
The Belgian Centre for Cybersecurity (BCC), operating under the authority of the Prime Minister, is the central authority for cybersecurity, as well as Belgium’s national Computer Security Incident Response Team (CSIRT). The BCC is charged with the monitoring, co-ordination and supervision of the implementation of the government’s cybersecurity policy and strategy.
The Federal Computer Emergency Response Team (CERT.be) is the operational service of the BCC. The task of CERT.be is to detect, observe and analyse online security problems, and to provide continuous information about these problems. It helps the government, emergency services and companies to prevent, co-ordinate and provide assistance in the event of cyber incidents.
The Cyber Threat Research and Intelligence Sharing (CyTRIS) department within the BCC monitors the cyber threats and publishes regular reports.
In addition to the BCC, several sectoral authorities are charged with monitoring cyber-related matters for their respective sectors:
Some of these authorities are responsible for monitoring compliance by providers of essential services or digital service providers with the provisions of the NIS Act, and may conduct audits and compliance checks.
Together with the BCC, the National Crisis Centre (NCCN) ensures the organisation and co-ordination of the Cyber Emergency Plan at national level. The two authorities are jointly responsible for crisis management. The NCCN is also in charge of making national risk assessments and it is the (inter)national point of contact for critical infrastructures. Moreover, the NCCN prepares national emergency plans and provides local support. It operates 24/7, ensures the protection of people and institutions and monitors events.
The Belgian Institute for Postal Services and Telecommunications (BIPT) monitors the security of the electronic communications networks and services of telecoms operators. The BIPT is also the sectoral authority and inspection service for the digital infrastructure sector under the NIS Act and for the electronic communications and digital infrastructure sectors under the Critical Infrastructures Act.
The National Security Council is charged with the co-ordination and evaluation of general intelligence and security policy matters and the national security strategy, the prioritisation of intelligence and security services, the co-ordination of national security priorities, the co-ordination of a general policy on the protection of sensitive information, the co-ordination of the fight against terrorism and extremism, and the monitoring of its decisions.
The Coordination Unit for Threat Analysis (CUTA), operating under the Minister of Justice and the Minister of Interior Affairs, is an independent knowledge centre in charge of assessing terrorist and extremist threats in Belgium.
The Belgian Data Protection Authority (DPA) is an independent body that ensures that the fundamental principles of personal data protection are properly observed. This includes the GDPR’s requirements relating to data security and personal data breach notifications. The DPA was established by the DPA Act and is the successor to the former Privacy Commission. The DPA consists of different departments, each of which plays a specific role in enforcement cases. The Frontline Service performs a triage function to determine which complaints merit further investigation, the Inspection Body carries out investigations, and the Dispute Resolution Chamber issues enforcement decisions. Investigations are typically triggered by a complaint or request for information, but the DPA can also decide to open an investigation (eg, focusing on data security compliance in a particular industry or sector) at its own initiative.
The Information Security Committee (ISC) was created by the Act of 5 September 2018 to grant certain authorisations in relation to the processing and communication of specific categories of personal data (eg, national registry numbers).
A breach of the NIS Act can be sanctioned either:
Under the NIS Act, the relevant sectoral inspectorate may at any time verify the compliance of providers of essential services with the security obligations and incident reporting rules of the NIS Act. Providers of essential services in the scope of the NIS Act are obliged to co-operate fully with the sectoral authorities and, in particular, to inform them to the best of their ability of all existing security measures.
The DPA is in charge of monitoring and supervising compliance with the GDPR and the Data Protection Act. To that end, the DPA has diverse and far-reaching investigative powers, including the power to conduct on-site investigations and audits, to interview relevant individuals, to seize documents and IT systems, to request identification of relevant individuals, and any other investigation, verification and interrogation measures that are deemed necessary to ascertain that data protection law is complied with.
Cybercrimes are prosecuted by the Belgian justice system.
By Royal Decree dated 16 October 2022, Belgium has created a framework that enables companies to evaluate and certify the security of ICT products, services and processes, in line with the EU Cybersecurity Act (see 2.1 Key Laws). The BCC has been designated as the National Cybersecurity Certification Authority that will co-ordinate the necessary expertise in cybersecurity certification, authorise certificates with high security requirements, and establish close collaboration with the Belgian accreditation organisation.
As a member of the Council of Europe, Belgium has joined the Council’s Convention on Cybercrime (ETS No 185 of 23 November 2001). The Act of 28 November 2000 transposes the Convention’s requirements on cybercrime into the Criminal Code. The Act of 15 May 2006 implements the requirements of the Additional Protocol to the Convention on Cybercrime concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS No 189 of 28 January 2003).
The Council of Europe adopted the Second Additional Protocol on 17 November 2021. This Protocol aims to enhance co-operation between state parties, improving the disclosure of electronic evidence for the purpose of specific criminal investigations and proceedings, and increasing the ability of law enforcement authorities to counter cybercrime and other crime, while fully respecting human rights and fundamental freedoms. It was opened for signature on 12 May 2022, and more than 30 countries – including Belgium – have become signatories so far.
The BCC is Belgium’s national cybersecurity authority. In this role, it receives pertinent threat information from various partners and stakeholders. Within the BCC, the Cyber Threat Research and Intelligence Sharing department (CyTRIS) collects information on and monitors cyber threats, and publishes related reports on a regular basis. CyTRIS is also responsible for the BCC’s Early Warning System (EWS) and for the communication and information exchange with CSIRTs in other EU countries. In addition, CyTRIS is in charge of the Spear Warning procedure, which provides organisations with warnings about specific infections or vulnerabilities (see also 7.2 Voluntary Information Sharing Opportunities).
Belgium advocates an open, free and secure cyberspace where citizens and businesses can fully develop, where they can engage internationally, and where fundamental rights are safeguarded and protected.
Cybersecurity Strategy 2.0 (2021–25), released by the BCC in May 2021, is an ambitious national cybersecurity strategy aiming to make Belgium one of the most cybersecure countries in Europe by 2025 (see 10.1 Further Considerations regarding Cybersecurity Regulation).
The Belgian National Risk Assessment 2018–23 of the NCCN considers cybercrime as one of the main risks the country will be facing in the coming years. In particular, cybercrime and “hacktivism” (ie, cyber-activism involving hacking) against businesses and critical infrastructures are identified as national priority risks.
Cybersecurity Strategy 2.0 sets out several strategic objectives that the BCC intends to pursue in co-operation with all relevant stakeholders in the cybersecurity sector in the upcoming years. Its objectives include:
The DPA’s Strategic Plan 2020–25 identifies telecommunications, media, public authorities, direct marketing and education as priority sectors. The designation and role of data protection officers, the legitimacy of the processing, and the rights of data subjects are considered as key GDPR obligations. It is expected that these priorities will be further reflected in the DPA’s policies and enforcement actions in the coming years.
In addition to the laws and regulations listed in 1.1 Laws, the following pieces of EU and Belgian legislation are relevant in the area of cybersecurity.
See 1.2 Regulators.
Cybersecurity Strategy 2.0 emphasises that Belgium supports the legislative and diplomatic roles of the EU, NATO and other relevant international organisations in their contribution to an open, free and secure cyber-environment, and in particular the European Union Agency for Cybersecurity (ENISA).
ENISA is the EU centre of expertise for cybersecurity in Europe. It helps the EU and the EU member states to be better equipped and prepared to prevent, detect and respond to information security issues. ENISA provides practical advice and solutions to the public and private sector as well as to EU institutions, including on cross-Europe cyber crisis exercises, the development of national cybersecurity strategies, and the co-operation between CERTs. The BCC, in its capacity as national cybersecurity authority, represents Belgium in ENISA’s various working groups and platforms.
See 1.2 Regulators.
For the financial sector, various authorities in Belgium have monitoring duties and powers. For example, credit institutions, operators of trading venues and certain financial institutions that are subject to the supervision of the National Bank of Belgium may qualify as operators of essential services (OES) under the NIS Act.
The National Bank of Belgium (NBB) and the Financial Services and Markets Authority (FSMA) are the primary financial services regulators in Belgium. They are also in charge of monitoring cybersecurity risks in the Belgian financial sector. OES in the financial sector must notify the NBB of all incidents that substantially affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services they provide depend.
See 1.2 Regulators.
There is a wide variety of cybersecurity-related guidance issued by regulators in Belgium. General guidance, such as the Cyber Security Guide for SMEs (2017) and the Cyber Security Incident Management Guide (2016) are frequently used guidelines from the BCC. The BCC also maintains an Online Cybersecurity Reference Guide to assist organisations in developing bespoke cybersecurity strategies. The guide offers recommendations in terms of planning, risk management, security measures and evaluations in the use of computers and computer networks.
The BCC frequently collaborates with sectoral authorities to adopt sector-specific guidance. The Baseline Principles for Managing Cyber Security Risk in the Financial Sector (2018), for example, is the result of such a collaboration with the FSMA.
Other commonly deployed guidance and standards in Belgium include ENISA standards for cybersecurity, the NIST Cyber Security Framework, the ISO/IEC 27000 series standards, and the guidance of the European Cyber Security Organization (ECSO).
The GDPR requires that personal data is protected by appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. To date, the Belgian DPA has not issued any post-GDPR guidance on this subject. There is no standard framework applied in Belgium to meet the (Article 32) GDPR requirements. In general, the ISO/IEC 27000 series standards are widely applied in Belgium.
Operators of essential services (OES) must take appropriate and proportionate technical and organisational measures to detect, prevent and mitigate the risks to the security of their network and information systems in accordance with the NIS Act. These measures should take account of the state of the art and of the likelihood and severity of the risks. The BCC and other authorities have published guidelines and best practices in this regard, both at national and at sectoral level.
The NIS Act establishes a framework for the security of networks and information systems of general interest for public security, imposing duties on operators of essential services (OES) and digital service providers (DSP) that fall within the scope of the NIS Act. The relevant sectoral authorities are in charge of identifying OES in the following sectors:
OES are required to take technical and organisational security measures, draw up a security policy for network and information systems, appoint a contact person for security of network and information systems, communicate the contact details to the sectoral authority, notify incidents, conduct an annual internal audit of the network and information systems, and conduct an external audit of their network and information systems every three years.
DSP, including online marketplaces, online search engines and cloud computing services, are required to take technical and organisational security measures, appoint a contact person for security of network and information systems, and communicate the contact details to the sectoral authority.
The Critical Infrastructures Act imposes several duties on operators of critical infrastructures in the following sectors:
Such operators are required to take internal and external security measures in order to protect their critical infrastructures. They need to appoint a contact point and communicate the contact details of the contact point to the sectoral authority. They need to draw up a security plan aiming to prevent, reduce and neutralise the risks of disruption of the operation or destruction of the critical infrastructure by putting in place internal physical and organisational measures.
The Telecom Act requires telecoms operators (ie, providers of telecommunications and internet service providers) to take appropriate and proportionate technical and organisational measures, including encryption where appropriate, to properly manage the risks to the security of their networks and services, as well as to minimise the impact of security incidents on users and on other networks and services. These measures need to ensure a level of security appropriate to the risks encountered, taking into account the state of the art. Such measures include, at least, that only authorised personnel have access to personal data, that stored or transmitted personal data is protected against data breach incidents, and that a security policy is implemented with respect to the processing of personal data.
The BIPT (sectoral authority) can monitor the measures taken by telecoms operators and make recommendations on best practices regarding the level of security to be achieved by the measures. At the request of the BIPT, telecoms operators need to participate in or organise an exercise related to the security of their networks or services. Also, at the request of the BIPT, telecoms operators may be asked to communicate a contact person who can be reached at all times in the context of managing security incidents.
The GDPR requires the designation of a data protection officer (DPO) where the processing is carried out by a public authority or body, the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or the core activities of the controller or processor consist of processing on a large scale of special categories of data or data relating to criminal convictions and offences. The function of the DPO is different from the role of an information security officer. While the DPO may fulfil other tasks and duties, such combination may not result in a conflict of interests, including conflicts from combining data protection and cybersecurity functions.
In addition, the GDPR requires that data protection impact assessments are conducted for data processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. Where the assessment shows a high residual risk that cannot be mitigated by specific measures, the controller is required to consult the DPA.
Belgium is a member of the Global Forum on Cyber Expertise (GFCE). The GFCE is a global platform for countries, international organisations and private companies to exchange best practices and expertise on cyber capacity building by connecting needs, resources and expertise, and by making practical knowledge available to the global community.
Belgium is also a member of the Permanent Structured Cooperation on security and defence (PESCO). PESCO is an initiative of the European Defence Agency established by Council Decision (CFSP) 2017/2315 of 11 December 2017. The goal of the initiative is to collaboratively develop a coherent full-spectrum force package and make these capabilities available to the participating EU member states.
The GDPR requires that personal data is protected by appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
In assessing the appropriate level of security, the focus should be on those risks that stem from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Additional requirements may be imposed on a sectoral level. For example, the Telecom Act imposes specific security duties relating to the protection of personal data on telecoms operators (see 3.3 Legal Requirements).
There are currently no specific legal requirements regarding the security and protection of material business data.
The Critical Infrastructures Act imposes several duties on operators of critical infrastructures (OCI) in the following sectors:
OCI are required to implement internal and external security measures in order to protect their critical infrastructures. They must appoint a contact point and communicate the contact details to the sectoral authority. They are also required to draw up a security plan aiming to prevent, reduce and neutralise the risks of disruption of the operation or destruction of the critical infrastructure by putting in place internal physical and organisational measures. They may also need to notify incidents relating to their critical infrastructure (see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event).
Despite the massive DDoS attack on Belnet in May 2021, which took down several Belgian government websites, there are no specific legal requirements aimed at preventing such or similar attacks.
Cybersecurity certification will play an important role in increasing trust and security in IoT-related products, services and processes, and the Cybersecurity Act has therefore introduced a European cybersecurity certification framework (see also 5.6 Security Requirements for IoT).
For the time being, cybersecurity certification is voluntary, unless otherwise specified by EU or member state law.
There are currently no special requirements applicable to ransomware attacks. However, both the Belgian Police and the BCC advise against paying the ransom. The BCC considers that, even if the ransom is paid, the targeted company may still experience difficulties in restoring its data files. For instance, the decryption software provided by the attacker has often received much less attention than the encryption software, which means that it may not be possible to recover (all of) the data. Also, according to the BCC, once a company has paid a ransom, it is at high risk of being targeted again in the future.
Although the current (online) form for notifying personal data breaches to the Belgian DPA requires the notifying party to indicate whether or not the breach involves a ransomware attack, the form does not explicitly ask if the responsible controller has complied (or plans to comply) with the attacker’s ransom demands.
Under the GDPR, controllers whose processing of personal data is subject to Belgian law are required to notify personal data breaches to the Belgian Data Protection Authority (DPA) and, in some cases, to the individuals whose personal data is affected. A personal data breach is a type of data security incident. While all personal data breaches are data security incidents, not all data security incidents are necessarily personal data breaches. The GDPR, and hence the notification duties to the DPA and affected individuals, only apply where there is a personal data breach.
The GDPR defines the concept “personal data breach” broadly as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There is “destruction” of personal data where the data no longer exists, or no longer exists in a form that is of any use to the controller. “Damage” means that personal data has been altered, corrupted or is no longer complete. “Loss” of personal data should be interpreted in the sense that the data may still exist, but the controller has lost control of or access to it, or no longer has it in its possession. Finally, “unauthorised” or “unlawful” processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.
Under the NIS Act, operators of essential services (OES) must report incidents that affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services they provide depend. Digital service providers (DSP) under the NIS Act must notify incidents having a substantial impact on the provision of the services they offer within the European Union. Reporting is done via a centralised NIS platform to the BCC, the relevant sectoral authority, and the Ministry of Interior Affairs' crisis centre (ADCC). In this context, the term “incident” refers to “any event having an actual adverse effect on the security of network and information systems”. “Security of network and information systems” refers to “the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems”. Note that these reporting obligations are likely to change in light of the recent NIS 2 Directive.
Under the Critical Infrastructures Act, operators of critical infrastructures in scope of the Act are required to notify the Federal Police, the relevant sectoral authority, as well as the ADCC in case of an event that can compromise the security of the critical infrastructures for which they are responsible. The Act does not further define what constitutes a reportable “event”. Note that these reporting obligations are likely to change in light of the recent RCE Directive.
The Telecom Act (transposing the e-Privacy Directive and the EECC) defines the security measures that providers of publicly available electronic communications services and networks in Belgium must take, both to guarantee the continuity of the operation of their networks and services and to protect the (personal) data that is processed in the context of the provision of those networks and services. The Telecom Act requires telecoms operators to notify the Belgian Institute for Postal Services and Telecommunications (BIPT) in the following circumstances.
In this context, a “security incident” is defined as “an event having an actual adverse effect on the security of electronic communications networks or services”. Telecom operators are also required to notify the DPA if there has been a breach relating to personal data that is transmitted, stored or otherwise processed in connection with their services. The DPA will subsequently have to inform the BIPT of the breach.
Under DORA – which is still to be transposed into Belgian law – covered financial entities will be required to report “major ICT-related incidents” to the relevant competent authority. “Major ICT-related incident” means an ICT-related incident with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity.
The notification duties in the GDPR apply only to the extent that there has been a personal data breach, which means that the breach must involve personal data, as that concept is defined in the GDPR. The GDPR refers to personal data as “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Pseudonymised data – ie, information that has been processed in such a manner that it can no longer be attributed to a specific individual without the use of additional information – is still considered personal data under the GDPR.
The type and sensitivity of personal data involved in a personal data breach will play an important role in the risk assessment that the controller must conduct in the immediate wake of the breach. The more sensitive the personal data, the higher the risk of harm to affected individuals and the more likely the breach will have to be reported.
The Telecom Act
The provisions in the Telecom Act regarding regulator and user notifications refer to the concept of “breaches relating to personal data”, which the Act defines as a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed in connection with the provision of electronic communications services in the European Union.
Under the NIS Act, there are reporting duties when an incident has (adversely) affected the security of network and information systems. The concept “network and information system” refers to:
Under the Critical Infrastructures Act, the reporting duty applies to operators of critical infrastructures in the scope of the Act (ie, in the areas of transportation, energy, finances, trade platforms, electronic communications and digital infrastructures, healthcare, and potable water supplies). The Critical Infrastructures Act defines the concept “critical infrastructure” as an installation, system or part thereof, of federal importance, which is critical to the preservation of vital societal functions, health, safety, security, economic prosperity, or societal well-being, whose functioning or destruction would have a significant repercussion by disrupting those functions.
The Medical Devices Regulation requires that, for devices that incorporate software or for software that is a medical device in itself, the software must be developed and manufactured in accordance with the state of the art, including in regard to information security, verification and validation. Manufacturers of such medical devices must set out minimum requirements concerning hardware, IT network characteristics and IT security measures, including any protection against unauthorised access.
Incidents involving the security of medical devices that include or constitute software may require notification to the national competent authority, if certain conditions are met. This will be the case, for example, where the medical device is suspected to be a contributory cause of the incident and the incident has (or might have) led to the death or serious deterioration in the state of health of a patient or other person. For incidents that occur in Belgian territory, the national competent authority is the Federal Agency for Medicines and Health Products (FAGG).
The timing for notifying medical device-related incidents varies depending on the outcome of the incident. For instance, in the case of a public health threat, incidents must be notified immediately and, in any event, no later than two calendar days after the manufacturer has become aware of the threat. In the case of death or serious deterioration in an individual’s state of health, the FAGG must be notified immediately after the manufacturer has established a link between the device and the event, but not later than ten calendar days following the date of awareness of the event. For other types of reportable events, manufacturers may have up to 30 calendar days (following the date of awareness of the event) to notify the FAGG.
Reportable incidents involving the security of medical devices must be notified to the FAGG using a standardised form that the European Commission has made available online (Manufacturer Incident Report – MIR).
Industrial Control Systems (ICS) are command and control networks and systems designed to support industrial processes. The largest subgroup of ICS is formed by Supervisory Control and Data Acquisition (SCADA) systems. Critical infrastructures, such as electricity generation plants, transportation systems, oil refineries, chemical factories and manufacturing facilities, are increasingly making use of ICS to monitor their facilities and ensure their proper operation.
If an event affecting ICS or SCADA systems could compromise the security of a critical infrastructure, the operator of that critical infrastructure may be required to notify the relevant authorities pursuant to the Critical Infrastructure Act. If the event adversely affects the provision of essential services, the operator may also be required to notify the relevant authorities pursuant to the NIS Act (see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event).
The Cybersecurity Act recognises that digitisation and connectivity are becoming core features in a growing number of products and services, and with the advent of the internet of things (IoT) a high number of connected digital devices are expected to be deployed across the EU. The digital single market, and in particular the IoT, can thrive only if there is general public trust that IoT-based products, services and processes provide a certain level of cybersecurity. Cybersecurity certification will play an important role in increasing trust and security in IoT-related products, services and processes, and the Cybersecurity Act has therefore introduced a European cybersecurity certification framework.
For the time being, cybersecurity certification is voluntary, unless otherwise specified by EU or member state law.
The Belgian government is still to designate a National Cybersecurity Certification Authority (NCCA), which will be tasked with monitoring compliance with and enforcing the obligations of manufacturers or providers of ICT products, services or processes that are established in Belgium and have joined a particular cybersecurity certification scheme.
Although the Cybersecurity Act does not provide for a reporting duty in the case of an incident involving “certified” products, services or processes, the NCCA will have the power to carry out compliance investigations, in the form of audits, of holders of cybersecurity certificates that are based in Belgium. The NCCA will also be entitled to access the premises of holders of cybersecurity certificates in Belgium, for the purpose of carrying out investigations in accordance with Belgian procedural law. If its investigation reveals (substantial) non-compliance, the NCCA will be able to impose penalties in accordance with national law, and to require the immediate cessation of infringements.
In September 2022, the European Commission published a draft proposal for a Cybersecurity Resilience Act (CRA), which aims to impose specific cyber-resilience obligations on companies that manufacture or distribute products that connect to a device or network.
The Cybersecurity Act has introduced a regime of cybersecurity certifications (see also 5.6 Security Requirements for IoT), participation in which is still voluntary at this point. The regime is designed to achieve a number of security objectives, including ensuring that ICT products, services and processes are provided with up-to-date software (and hardware) not containing publicly known vulnerabilities, and are provided with mechanisms for secure updates. Organisations, manufacturers or providers involved in the design and development of software should therefore implement measures at the earliest stages of design and development to protect the software to the highest possible degree (“security by design”). Also, software should be designed in a way that ensures a higher level of security, so that the first user receives a default configuration with the most secure settings possible (“security by default”).
In addition, cybersecurity certification schemes for software will need to take into account current software development methods and, in particular, the impact of frequent software or firmware updates on cybersecurity certificates. They should also specify the conditions under which an update may require that a software product be recertified or that the scope of a specific European cybersecurity certificate be reduced. This may be necessary if an update could adversely affect compliance with the security requirements of that certificate.
The Artificial Intelligence (AI) Act proposed by the European Commission in 2021 requires users of high-risk AI systems – ie, software that is developed with the techniques and approaches listed in the AI Act – to inform the provider or distributor of the AI system when they have identified any serious incident or any malfunctioning within the meaning of the AI Act.
Although the GDPR imposes an obligation on controllers to notify personal data breaches, in practice notification is not always required:
When controllers have engaged processors, those processors must notify the controllers, without undue delay, if they have suffered a personal data breach involving personal data that is being processed on the controllers’ behalf.
Under the NIS Act, operators of essential services (OES) must notify all incidents that affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services they provide depend. The NIS Act provides for the possibility to determine, by royal decree, impact levels and/or thresholds for the reporting of incidents, or different reporting categories according to the degree of impact of the incident. However, to date no such royal decree has been passed.
Digital service providers (DSPs) under the NIS Act must notify/report all incidents that have significant consequences for the provision of the digital service(s) that they offer in the European Union. The European Commission has identified examples of cases where an incident has a significant impact on the provision of a digital service (Implementing Regulation 2018/151 of 30 January 2018). Apart from the aforementioned thresholds and parameters, the BCC encourages DSPs to voluntarily report any incident with previously unknown characteristics, such as new attack vectors, threats, dangers or weaknesses.
Telecoms operators subject to the Telecom Act must report to the BIPT security incidents that reach one or more of the following thresholds:
Under the GDPR, controllers that have become aware of a personal data breach are expected to assess the risk that could result from the breach. According to regulatory guidance on this topic, there are two main reasons for this:
A personal data breach must be notified to the DPA, unless it is unlikely to result in a risk to the rights and freedoms of individuals. However, the key trigger requiring communication of a personal data breach to affected individuals is the likelihood that the breach will result in a high risk to the rights and freedoms of those individuals. That risk exists when the breach may lead to physical, material or non-material damage for the affected individuals. Examples of such damage include discrimination, identity theft or fraud, financial loss and damage to reputation.
When the breach involves personal data that reveals special or “sensitive” categories of personal data (eg, data revealing racial or ethnic origin, health data, or data concerning sex life), the DPA considers that such damage is likely to occur.
Also, if the controller is aware that personal data that has been breached is in the hands of individuals or organisations whose intentions are unknown or possibly malicious, this can have a bearing on the potential risk of harm.
The GDPR provides explicitly that controllers have a legitimate interest in processing personal data to the extent that such processing is strictly necessary and proportionate for the purposes of ensuring network and information security. This includes ensuring the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data.
The legitimate interest justification would also apply to the security of related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), or by providers of electronic communications networks and services and by providers of security technologies and services. The GDPR further specifies that permitted practices and tools for network and information security could include those that focus on:
Whether monitoring practices and tools meet the necessity and proportionality test under the GDPR will require a careful balancing of the interests of the controller and the rights of the individuals whose personal data are at stake.
The Belgian Data Protection Authority (DPA) has issued extensive guidance on workplace privacy and employers’ monitoring of network and information systems. In addition, in 2002, employer and employee organisations in Belgium reached a consensus on a Collective Bargaining Agreement (CBA No 81) that allows employers – subject to strict conditions – to monitor their workers’ use of electronic/online communication means (eg, email and internet). CBA No 81 sets out general principles of privacy and data protection that employers must follow, and creates a framework that allows employers to engage in certain monitoring activities, including for purposes of preserving the security and/or functioning of their organisation’s IT systems.
There are three main reasons why the intersection of cybersecurity, privacy and data protection presents severe compliance challenges.
There is currently no required or formally authorised sharing of cybersecurity information with the Belgian government. See, however, 7.2 Voluntary Information Sharing Opportunities for an overview of voluntary data sharing initiatives.
Both the Cybersecurity Act and the NIS Directive promote the creation of Information Sharing and Analysis Centres (ISACs). ISACs are stakeholder-driven private-public partnerships (PPPs) that collect, analyse and disseminate actionable threat information and provide their members with tools to mitigate risks and enhance resilience.
In Belgium, ISACs are facilitated by the Belgian Cybersecurity Centre (BCC). Some of the ISAC initiatives that the BCC has fostered include the Cyber Threat Intelligence Research Project (CTISRP), the Cyber Security Coalition, and Belgian Network and Information Security (BELNIS). This last initiative acts as a co-ordinating workgroup comprising representatives from various government agencies engaged in cybersecurity. It provides advice to the Belgian government on cybersecurity incidents and cybersecurity in general. The Cyber Security Coalition Belgium acts as a platform for cyber experts from private, academic and public sectors.
In addition, the BCC has a specific department (Cyber Threat Research and Intelligence Sharing – CyTRIS) that collects relevant information, monitors cyber threats and publishes related reports on a regular basis. CyTRIS is also responsible for the BCC’s Early Warning System (EWS) and for the communication and information exchange with CSIRTs in other EU countries. CyTRIS is also in charge of the Spear Warning procedure, which provides organisations with warnings about specific infections or vulnerabilities.
Other information-sharing initiatives include:
In the past four years, there has been a steep increase in the number of personal data breaches that have been notified to the DPA. The majority of personal data breaches that are notified to the Belgian DPA relate to incidents caused by human error, as well as hacking, phishing or malware. However, thus far, the DPA has issued few enforcement decisions that involve lack of compliance with the GDPR’s requirements relating to data security and personal data breaches.
In one decision, dated 28 April 2020, the DPA emphasised that it is essential that controllers document every personal data breach that they have suffered, even if the breach did not result in a (high) risk to the rights and freedoms of individuals. In addition, the DPA reminded controllers that if they have designated a data protection officer (DPO), they should sufficiently involve their DPO in the risk assessment that must be performed in the event of a personal data breach.
To date, there have been no significant audits, investigations or penalties imposed for alleged cybersecurity violations or data security incidents or breaches.
The main legal standards under the GDPR can be summarised as follows:
The GDPR provides each individual in Belgium with the right to an effective judicial remedy against a controller or processor where they consider that their rights under the GDPR have been infringed as a result of personal data processing in non-compliance with the GDPR. This includes non-compliance with the GDPR’s requirements in terms of personal data breaches and data security more generally.
Proceedings against the controller or processor responsible for the GDPR infringement must be brought before the courts of the EU member state where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of Belgium, if that is where the individual has their habitual residence.
Despite the fact that the GDPR introduced this specific right to judicial remedy into the Belgian legal system almost five years ago, to date there has been no noteworthy private litigation involving cybersecurity allegations, or data security incidents or breaches. See, however, the collective redress case highlighted in 8.5 Class Actions.
Under the GDPR, individuals in Belgium have the right to mandate a non-profit organisation or association (that meets certain conditions) to exercise, on the individual’s behalf, the right to an effective judicial remedy where the individual considers that their data protection rights have been infringed. This infringement could relate to any processing of personal data in non-compliance with the GDPR, including requirements on security of (data) processing. Non-profit organisations and associations can also exercise individuals’ rights to receive compensation under the GDPR.
The possibility to file an action for collective redress (or class action) already existed before the GDPR became applicable, since the adoption of the Class Action Act of 28 March 2014. The procedures for class actions under this Act are restricted to specific types of claims, including claims relating to data protection. However, pursuant to this Act, only a group of consumers or small and medium-sized enterprises (SMEs) may initiate an action for collective redress if they have suffered damage as a result of a common cause. The group must also decide whether the action should be based on an opt-in or opt-out system for potential claimants. In order to initiate an action for collective redress, the group of consumers or SMEs must be represented by a “group representative” – typically a non-profit association – that meets a number of conditions set out in the Class Action Act.
So far, relatively few actions for collective redress have been launched in connection with data protection claims. In 2018, Belgian consumer protection organisation Test Aankoop/Test Achats initiated a class action before the Brussels courts on behalf of approximately 44,000 individuals against Facebook, in the wake of the Cambridge Analytica matter. Test Aankoop/Test Achats initially claimed per capita damages of EUR200, but ultimately decided to terminate its legal action against Facebook, following a settlement between the parties.
Under the NIS 2 Directive, management bodies of essential and important entities will have to approve the cybersecurity risk-management measures taken by those entities in order to comply with the requirements of the NIS 2 Directive. They will also have to oversee the implementation of these measures and can be held liable for infringements by the entities. In addition, management members will be required to follow cyber training and encourage essential and important entities to offer similar training to their employees on a regular basis.
The RCE Directive imposes an obligation on critical entities to carry out a risk assessment within nine months of receiving notification from the Belgian authorities that they are in scope of the RCE Directive, and subsequently at least every four years, on the basis of EU member state risk assessments and other relevant sources of information.
DORA requires financial entities to have in place mechanisms to promptly detect anomalous ICT activities, including ICT network performance issues and ICT-related incidents, and to identify all potential material single points of failure. All detection mechanisms will have to be regularly tested.
In corporate transactions where the buyer assumes legal responsibility for the target’s data processing systems and operations (eg, as a result of a share acquisition), it is important to ensure that the buyer has obtained all relevant information about the target’s compliance with network, information system and data security requirements.
In particular, the buyer will want to receive reassurance from the seller – by means of representations and warranties, and after having conducted thorough due diligence – that the target has carried on its business at all times substantially in compliance with applicable cybersecurity and data protection laws and regulations. This should include confirmation that the target has, for instance:
One possible issue is that sellers sometimes fail to provide the prospective buyer with copies of all of the target’s policies, procedures, certifications, reports, or test results prepared internally or by a third party relating to the security of the target’s IT and data processing systems, including risk assessments, security audits, vulnerability reports, user awareness reports, or the results of any penetration (“pen”) testing. Another issue is that the seller’s representations and warranties around compliance with applicable cybersecurity and data protection rules may be of limited value if the buyer’s due diligence has identified broad non-compliance. In those cases, buyers may want to secure cybersecurity and data protection related indemnities from the seller.
There are currently no laws mandating public disclosure of an organisation’s cybersecurity risk profile or experience. However, if there is a personal data breach that must be notified to affected individuals pursuant to the GDPR and notifying them individually would involve disproportionate efforts, data controllers are required to issue a public communication (or take similar measures) to make sure that the affected individuals are informed effectively. This requirement may therefore result in a public disclosure of the organisation’s cybersecurity experience.
In May 2021, the Belgian Cybersecurity Centre (BCC) published its Cybersecurity Strategy 2.0, which aims to ensure that Belgium becomes one of the least vulnerable countries in Europe in the cybersecurity area by 2025. Cybersecurity Strategy 2.0 is built on a number of strategic objectives that the BCC intends to pursue in co-operation with all relevant stakeholders. This includes the establishment of a Cyber Greenhouse – an innovation centre that will help create and test innovative cyber solutions and business models in a risk-free environment. These efforts should also result in additional cybersecurity guidelines and best practices.
As part of Cybersecurity Strategy 2.0, the Belgian government intends to create a framework that allows companies to assess and certify the safety of ICT products, services and processes. This framework shall be aligned with the EU Cyber Security Act as well as any relevant developments at EU level. The EU Cyber Security Act aims to ensure the mutual recognition of cybersecurity-related certificates within the European Union. To that end, the Belgian government plans to establish a national cybersecurity certification authority (NCCA), which is expected to develop a cybersecurity recognition mechanism for companies that wish to demonstrate the implementation within their organisation of basic cybersecurity requirements, best practices and policies.
In terms of cybersecurity insurance, although it is not legally required, companies in Belgium are increasingly seeking to obtain specialised insurance coverage. As a result of this demand, several insurance companies are now offering a variety of cyber-insurance solutions to their Belgium-based (business) customers. Most of these insurance offerings provide coverage in case of loss or damage caused by cybercrime, hacker-related damage, cyber-extortion (eg, ransomware or cryptoware) and data theft. Many also offer 24/7 (helpdesk) assistance in the event of a cyber-attack or data breach and/or reimburse costs for legal, IT and PR services that are necessary to limit any damage to the company and its reputation.
+32 2 486 8822 | Wim.Nauwelaerts@alston.com | www.alston.com