Cybersecurity 2024

Last Updated March 14, 2024

Belgium

Law and Practice

Author



Alston & Bird LLP is an international law firm with extensive experience in a wide spectrum of cybersecurity issues. The firm leverages this experience to help companies manage their cybersecurity-related responsibilities. This includes advising clients on incident response and breach notification requirements under EU and EU member state laws.

Major laws and regulations in the cybersecurity field include the following.

Cybersecurity

  • Act of 13 June 2005 on electronic communications (“Telecom Act”), implementing the ePrivacy Directive (2002/58/EC), as amended on 21 December 2021 to transpose the European Electronic Communications Code (Directive (EU)2018/1972) (EECC) into Belgian law.
  • Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (“Critical Infrastructures Directive”), as repealed by Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities (“RCE Directive”). The RCE Directive is to be transposed into Belgian law by 17 October 2024.
  • Act of 1 July 2011 on the security and protection of critical infrastructures partially implementing the Critical Infrastructures Directive (“Critical Infrastructures Act”). The Critical Infrastructures Act was amended by the Royal Decree of 15 September 2023 to align the security requirements for the energy sector with those imposed by the RCE Directive.
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (“NIS Directive”), as repealed by Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 (“NIS 2 Directive”). The NIS 2 Directive is to be transposed into Belgian law by 17 October 2024. On 10 November 2023, the Belgian Council of Ministers approved a preliminary draft Act and Royal Decree transposing the NIS 2 Directive into Belgian law, which was followed by a public consultation. The new Act and Royal Decree are expected to be passed into law in the course of 2024. 
  • Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of the NIS Directive.
  • Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public security, implementing the NIS Directive (“NIS Act”). The NIS Act is to be amended in light of the NIS 2 Directive.
  • Royal Decree of 12 July 2019 implementing the NIS Act and the Critical Infrastructures Act. This Royal Decree is to be amended in light of the NIS 2 Directive and the RCE Directive.
  • Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (“DORA”). DORA shall apply from 17 January 2025. 

Cybercrime

  • Belgian Criminal Code, as amended by the Act of 28 November 2000 on Cybercrime and the Act of 15 May 2006 on Cybercrime, in particular Article 210bis on computer-related forgery, Articles 259bis and 314bis on interception of electronic communications, Article 504quater on computer-related fraud, Article 550bis on illegal access (hacking), and Article 550ter on computer sabotage.
  • Belgian Criminal Procedure Code.
  • Royal Decree of 10 October 2014 for the establishment of the Belgian Centre for Cybersecurity, supplemented by Royal Decree of 12 October 2023 determining the conditions for awarding subsidies for activities related to informing and raising awareness in the field of cybersecurity.

Data Protection

  • Article 22 of the Belgian Constitution.
  • Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
  • Act of 3 December 2017 establishing the Data Protection Authority (“DPA Act”). On 14 December 2023, a draft Act amending the DPA Act was approved by the Belgian Parliament. The new Act, which is expected to come in effect in the course of 2024, is intended to strengthen the functioning and independence of the Belgium Data Protection Authority (DPA), in addition to improving the DPA’s pragmatic approach and sectoral expertise.
  • Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, supplementing the GDPR (“Data Protection Act”).

Basic Concepts or Principles

The National Risk Assessment 2018-23 of the Belgian National Crisis Centre (NCCN) considers cybercrime as one of the main risks the country will be facing in the coming years. Cybersecurity is described as the result of a set of security measures that minimise the risk of disruption or unauthorised access to information and communication systems.

Relevant Enforcement and Penalty Environment

Overview

  • Articles 51 and 52 NIS Act: criminal penalties and administrative fines.
  • Articles 114 and 145 Telecom Act: criminal penalties.
  • Article 26 Critical Infrastructures Act: criminal penalties.
  • Chapter VIII GDPR and the Data Protection Act: criminal penalties and administrative fines.

Cybersecurity

Belgium’s Cybersecurity Strategy 2.0 (2021 – 2025; see also 11.1 Further Considerations Regarding Cybersecurity Regulation) includes a strategic plan to support the development of appropriate capacity to detect, investigate, prosecute and sanction cybercrime. One of the objectives is to build expertise across all levels of law enforcement so that the necessary investigative capacities can be effectively and quickly deployed in a digital environment. The intention is to ensure that the prosecutor’s office and the courts of all judicial districts have sufficient prosecutors and judges with experience in combatting cybercrime.

Data protection

The Strategic Plan 2020–25 of the DPA highlights a number of sectors, key GDPR obligations and social matters as policy and enforcement priorities. Priority sectors include telecommunications and media, public authorities, direct marketing, and education. Key GDPR obligations on which the DPA will focus include the designation and role of data protection officers, the legitimacy of the processing of personal data, and the rights of data subjects.

The NIS Act authorises government entities at national and sectoral level to oversee compliance with the NIS Act.

The Belgian Centre for Cybersecurity (BCC), operating under the authority of the Prime Minister, is the central authority for cybersecurity, as well as Belgium’s national Computer Security Incident Response Team (CSIRT). The BCC is charged with the monitoring, co-ordination and supervision of the implementation of the government’s cybersecurity policy and strategy.

The Federal Computer Emergency Response Team (“CERT.be”) is the operational service of the BCC. The task of CERT.be is to detect, observe and analyse online security problems, and to provide continuous information about these problems. It helps the government, emergency services and companies to prevent, co-ordinate and provide assistance in the event of cyber incidents.

The Cyber Threat Research and Intelligence Sharing (“CyTRIS”) department within the BCC monitors the cyberthreats and publishes regular reports.

In addition to the BCC, several sectoral authorities are charged with monitoring cyber-related matters for their respective sectors:

  • the federal Minister for Energy – the energy sector (Federal Public Service Economy);
  • the federal Minister for Transport – the transport sector, with the exception of transport over waters accessible to seagoing vessels;
  • the federal Minister for Maritime Mobility – transport over water accessible to seagoing vessels;
  • the federal Minister for Public Health – the health sector; and
  • the federal Minister for Economy – the sector of digital services such as cloud computing services, online search engines, and online marketplaces (Federal Public Service Economy).

Together with the BCC, the National Crisis Centre (NCCN) ensures the organisation and co-ordination of the Cyber Emergency Plan at national level. The two authorities are jointly responsible for crisis management. The NCCN is also in charge of making national risk assessments and it is the (inter)national point of contact for critical infrastructures. Moreover, the NCCN prepares national emergency plans and provides local support. It operates 24/7, ensures the protection of people and institutions and monitors events.

The Belgian Institute for Postal Services and Telecommunications (BIPT) monitors the security of the electronic communications networks and services of telecoms operators. The BIPT is also the sectoral authority and inspection service for the digital infrastructure sector under the NIS Act and for the electronic communications and digital infrastructure sectors under the Critical Infrastructures Act.

The National Security Council is charged with the co-ordination and evaluation of general intelligence and security policy matters and the national security strategy, the prioritisation of intelligence and security services, the co-ordination of national security priorities, the co-ordination of a general policy on the protection of sensitive information, the co-ordination of the fight against terrorism and extremism, and the monitoring of its decisions.

The Co-ordination Unit for Threat Analysis (CUTA), operating under the Minister of Justice and the Minister of Interior Affairs, is an independent knowledge centre in charge of assessing terrorist and extremist threats in Belgium.

The DPA is an independent body that ensures that the fundamental principles of personal data protection are properly observed. This includes the GDPR’s requirements relating to data security and personal data breach notifications. The DPA consists of different departments, each of which plays a specific role in enforcement cases. The Frontline Service performs a triage function to determine which complaints merit further investigation, the Inspection Body carries out investigations, and the Dispute Resolution Chamber issues enforcement decisions. Investigations are typically triggered by a complaint or request for information, but the DPA can also decide to open an investigation on its own initiative.

The Information Security Committee (ISC) was created by the Act of 5 September 2018 to grant certain authorisations in relation to the processing and communication of specific categories of personal data (eg, national registry numbers).

A breach of the NIS Act can be sanctioned either:

  • criminally in court; or
  • administratively by sectoral authorities.

Under the NIS Act, the relevant sectoral inspectorate may at any time verify the compliance of providers of essential services with the security obligations and incident reporting rules of the NIS Act. Providers of essential services in the scope of the NIS Act are obliged to co-operate fully with the sectoral authorities and, in particular, to inform them to the best of their ability of all existing security measures.

The DPA is in charge of monitoring and supervising compliance with the GDPR and the Data Protection Act. To that end, the DPA has diverse and far-reaching investigative powers, including the power to conduct on-site investigations and audits, to interview relevant individuals, to seize documents and IT systems, to request identification of relevant individuals, and any other investigation, verification and interrogation measures that are deemed necessary to ascertain that data protection law is complied with.

Cybercrimes are prosecuted by the Belgian justice system.

By Royal Decree dated 16 October 2022, Belgium has created a framework that enables companies to evaluate and certify the security of ICT products, services and processes, in line with the Cybersecurity Act (see 2.1 Key Laws). The BCC has been designated as the National Cybersecurity Certification Authority that will co-ordinate the necessary expertise in cybersecurity certification, authorise certificates with high security requirements, and establish close collaboration with the Belgian accreditation organisation.

As a member of the Council of Europe, Belgium has joined the Council’s Convention on Cybercrime (ETS No 185 of 23 November 2001). The Act of 28 November 2000 transposes the Convention’s requirements on cybercrime in the Criminal Code. The Act of 15 May 2006 implements the requirements of the Additional Protocol to the Convention on Cybercrime concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS No 189 of 28 January 2003).

The Council of Europe adopted the Second Additional Protocol on 17 November 2021, which aims to enhance co-operation between state parties, facilitate the disclosure of electronic evidence for the purpose of criminal investigations and proceedings, and increase the ability of law enforcement authorities to counter cybercrime. It was opened for signature on 12 May 2022, and so far, more than 40 countries – including Belgium – have signed it.

The BCC is Belgium’s national cybersecurity authority. In this role, it receives pertinent threat information from various partners and stakeholders. Within the BCC, CyTRIS collects information on and monitors cyberthreats, and publishes related reports on a regular basis. CyTRIS is also responsible for the BCC’s Early Warning System (EWS) and for the communication and information exchange with CSIRTs in other EU countries. CyTRIS is also in charge of the Spear Warning procedure, which provides organisations with individual warnings about specific infections or vulnerabilities (see also 7.2 Voluntary Information Sharing Opportunities). In addition, CyTRIS organises quarterly cyberthreat report (QCTR) events, which bring together different stakeholders and consultation platforms at least once a quarter and inform all participants about the active cyberthreats.

Belgium advocates an open, free and secure cyberspace where citizens and businesses can fully develop, where they can engage internationally, and where fundamental rights are safeguarded and protected.

Cybersecurity Strategy 2.0 (2021–25), released by the BCC in May 2021, is an ambitious national cybersecurity strategy aiming to make Belgium one of the most cybersecure countries in Europe by 2025 (see 11.1 Further Considerations Regarding Cybersecurity Regulation).

The Belgian National Risk Assessment 2018–23 of the NCCN considers cybercrime as one of the main risks the country will be facing in the coming years. In particular, cybercrime and “hacktivism” (ie, cyber-activism involving hacking) against businesses and critical infrastructures are identified as national priority risks.

Cybersecurity Strategy 2.0 sets out several strategic objectives that the BCC intends to pursue in co-operation with all relevant stakeholders in the cybersecurity sector in the upcoming years. Its objectives include:

  • strengthening and increasing trust in the digital environment;
  • arming users and administrators of computers and networks;
  • protecting organisations of vital interest from all cyberthreats;
  • responding effectively to cyberthreats;
  • improving public, private and academic collaborations; and
  • participating in international commitments.

The DPA’s Strategic Plan 2020–25 identifies telecommunications, media, public authorities, direct marketing and education as priority sectors. The designation and role of data protection officers, the legitimacy of the processing, and the rights of data subjects are considered as key GDPR obligations. It is expected that these priorities will be further reflected in the DPA’s policies and enforcement actions in the coming years.

In addition to the laws and regulations listed in 1.1 Laws, the following pieces of EU and Belgian legislation are relevant in the area of cybersecurity.

  • Act of 30 November 1998 governing the intelligence and security services.
  • Act of 11 December 1998 on security classification and security clearances, certificates and advisory opinions, as amended by the Act of 4 February 2010 on data collection methods by the intelligence and security services.
  • Act of 21 March 2007 regarding the installation and use of surveillance cameras, as amended by the Act of 21 March 2018.
  • Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (“eIDAS Regulation”).
  • Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSDII).
  • Title 2 of Book XII of the Code of Economic Law (as amended by the Act of 21 July 2016, Book VI and Book XII of the Code of Economic Law on direct marketing and cookies, the Act of 18 July 2017 on electronic identification, the Act of 20 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier and the elimination of obstacles to the conclusion of contracts by electronic means, and the Royal Decree of 25 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier, implementing the eIDAS Regulation.
  • Act of 2 October 2017 regulating private and special security, as amended by the Act of 9 May 2019.
  • Act of 11 March 2018 regarding the legal status and the supervision of payment institutions and electronic money institutions, the access to the undertaking of payment service providers and to the activity of issuing electronic money, and the access to payment systems, implementing the PSDII.
  • Act of 5 September 2018 setting up the Information Security Committee and amending various laws regarding the implementation of the GDPR.
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (“Cybersecurity Act”), which has applied since 28 June 2021.

See 1.2 Regulators.

Cybersecurity Strategy 2.0 emphasises that Belgium supports the legislative and diplomatic roles of the EU, NATO and other relevant international organisations in their contribution to an open, free and secure cyber-environment, and in particular the European Union Agency for Cybersecurity (ENISA).

ENISA is the EU centre of expertise for cybersecurity in Europe. It helps the EU institutions and member states to be better equipped and prepared to prevent, detect and respond to information security issues. ENISA provides practical advice and solutions, including on cross-Europe cyber crisis exercises, the development of national cybersecurity strategies, and the co-operation between CERTS. The BCC, in its capacity as national cybersecurity authority, represents Belgium in ENISA’s various working groups and platforms.

See 1.2 Regulators.

The National Bank of Belgium (NBB) and the Financial Services and Markets Authority (FSMA) are the primary financial services regulators in Belgium. They are also in charge of monitoring cybersecurity risks in the Belgian financial sector. Under the NIS Act, credit institutions, operators of trading venues and certain financial institutions that are subject to the supervision of the NBB may qualify as operators of essential services (OES). These OES must notify the NBB of all incidents that substantially affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services they provide depend.

See 1.2 Regulators.

There is a wide variety of cybersecurity-related guidance issued by regulators in Belgium. General guidance, such as the Cyber Security Guide for SMEs (2017) and the Cyber Security Incident Management Guide (2016) are frequently used guidelines from the BCC. The BCC also maintains an Online Cybersecurity Reference Guide to assist organisations in developing bespoke cybersecurity strategies. The guide offers recommendations in terms of planning, risk management, security measures and evaluation in the use of computers and computer networks. In 2023, the BCC has published a new guide to help small and medium-sized organisations combat ransomware attacks and prevent future breaches. The new guide provides practical steps that organisations can follow in order to effectively respond to ransomware incidents and improve their overall cybersecurity situation.

The BCC frequently collaborates with sectoral authorities to adopt sector-specific guidance. The Baseline Principles for Managing Cyber Security Risk in the Financial Sector (2018), for example, is the result of such a collaboration with the FSMA.

Other commonly deployed guidance and standards in Belgium include ENISA standards for cybersecurity, the NIST Cyber Security Framework, the ISO/IEC 27000 series standards, and the guidance of the European Cyber Security Organization (ECSO).

The GDPR requires that personal data be protected by appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks (of varying likelihood and severity) to the rights and freedoms of natural persons. In 2023, The Belgian DPA issued a statement in which it endorses the Data Protection Guide for Small Business, published by the European Data Protection Board (EDPB). That Guide includes recommendations on how to secure personal data (in compliance with the GDPR). There is no standard applied framework in Belgium to meet the (Article 32) GDPR requirements. In general, the ISO/IEC 27000 series standards are widely applied in Belgium.

OES must take appropriate and proportionate technical and organisational measures to detect, prevent and mitigate the risks to the security of their network and information systems in accordance with the NIS Act. These measures should take account of the state-of-the-art and the risk of likelihood and severity of the risks. The BCC and other authorities have published guidelines and best practices in this regard, both on national and sectoral levels.

The NIS Act establishes a framework for the security of networks and information systems of general interest for public security, imposing duties on OES and digital service providers (DSP) that are in scope of the NIS Act.

OES are required to take technical and organisational security measures, draw up a security policy for network and information systems, appoint a contact person for security of network and information systems, communicate the contact details to the sectoral authority, notify incidents, conduct an annual internal audit of the network and information systems, and conduct an external audit of their network and information systems every three years.

DSP, including online marketplaces, online search engines and cloud computing services are required to take technical and organisational security measures, appoint a contact person for security of network and information systems, and communicate the contact details to the sectoral authority.

The Critical Infrastructures Act imposes several duties on operators of critical infrastructures in the following sectors:

  • energy (electricity, oil and gas);
  • transport (road, rail, water);
  • finance (including online trade platforms);
  • electronic communications;
  • digital infrastructures;
  • healthcare; and
  • potable water.

Such operators are required to take internal and external security measures in order to protect their critical infrastructures. They need to appoint a contact point and communicate the contact details of the contact point to the sectoral authority. They need to draw up a security plan aiming to prevent, reduce and neutralise the risks of disruption of the operation or destruction of the critical infrastructure by putting in place internal physical and organisational measures.

The Telecom Act requires telecoms operators (ie, providers of telecommunications and internet service providers) to take appropriate and proportionate technical and organisational measures, including encryption where appropriate, to properly manage these risks, as well as to minimise the impact of security incidents on users and on other networks and services.

The BIPT (sectoral authority) can monitor the measures taken by telecoms operators and make recommendations on best practices regarding the level of security to be achieved by the measures. At the request of the BIPT, telecoms operators need to participate in or organise an exercise related to the security of their networks or services. 

The GDPR requires the designation of a data protection officer (DPO) where the processing is carried out by a public authority or body or in certain high-risk cases.

In addition, the GDPR requires that data protection impact assessments be conducted for data processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. Where the assessment shows a high residual risk that cannot be mitigated by specific measures, the controller is required to consult the DPA.

Belgium is a member of the Global Forum on Cyber Expertise (GFCE). The GFCE is a global platform for countries, international organisations and private companies to exchange best practices and expertise on cyber capacity building by connecting needs, resources and expertise, and by making practical knowledge available to the global community.

Belgium is also a member of the Permanent Structured Cooperation on security and defence (PESCO). PESCO is an initiative of the European Defence Agency established by a Council Decision (CFSP) 017/2315 of 11 December 2017. The goal of the initiative is to collaboratively develop a coherent full spectrum force package and make these capabilities available to the participating EU member states.

The GDPR requires that personal data be protected by appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Additional requirements may be imposed on a sectoral level. For example, the Telecom Act imposes specific security duties relating to the protection of personal data on telecoms operators (see 3.3 Legal Requirements and Specific Required Security Practices).

There are currently no specific legal requirements regarding the security and protection of material business data. However, Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (“Data Governance Act”), which became effective on 24 September 2023, introduces an obligation for public sector bodies to implement technical measures aimed at safeguarding protected data that will be re-used by others (ie, through anonymisation, aggregation, or modification of protected data).

The Critical Infrastructures Act imposes several duties on operators of critical infrastructures (OCI) in the following sectors:

  • energy (electricity, oil and gas);
  • transport (road, rail, water);
  • finance (including online trade platforms);
  • electronic communications;
  • digital infrastructures;
  • healthcare; and
  • potable water.

OCI are required to implement internal and external security measures in order to protect their critical infrastructures. They must appoint a contact point and communicate the contact details to the sectoral authority. They are also required to draw up a security plan aiming to prevent, reduce and neutralise the risks of disruption of the operation or destruction of the critical infrastructure by putting in place internal physical and organisational measures. They may also need to notify incidents relating to their critical infrastructure (see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event).

There are no specific legal requirements aimed at preventing denial of service attacks.

Cybersecurity certification will play an important role in increasing trust and security in IoT-related products, services and processes, and the Cybersecurity Act has therefore introduced a European cybersecurity certification framework (see also 5.6 Security Requirements for IoT).

For the time being, cybersecurity certification is voluntary, unless otherwise specified by EU or member state law.

On 30 November 2023, the EU reached a political agreement on the proposed Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (“Cyber Resilience Act”). The Cyber Resilience Act, which is expected to be adopted in the course of 2024, will impose a range of cybersecurity requirements on manufacturers of products with digital elements.

There are currently no special requirements applicable to ransomware attacks. However, both the Belgian police and the BCC advise against the payment of ransomware. The BCC considers that, even if ransomware is paid, the targeted company may still experience difficulties in restoring its data files. Also, according to the BCC, once a company has paid ransomware, it is at high risk of being targeted again in the future.

The BCC recently published an Emergency Response Toolkit, which includes guidance on how to respond to a ransomware attack (in 12 steps).

GDPR

Under the GDPR, controllers whose processing of personal data is subject to Belgian law are required to notify personal data breaches to the Belgian DPA and, in some cases, to the individuals whose personal data is affected. A personal data breach is a type of data security incident. While all personal data breaches are data security incidents, not all data security incidents are necessarily personal data breaches. The GDPR, and hence the notification duties to the DPA and affected individuals, only apply where there is a personal data breach.

The GDPR defines the concept “personal data breach” broadly as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

NIS Act

Under the NIS Act, OES must report incidents that affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services they provide depend. Under the NIS Act, DSP must notify incidents having a substantial impact on the provision of the services they offer within the European Union. Reporting is done via a centralised NIS platform to the BCC, the relevant sectoral authority, and the Ministry of Interior Affairs’ crisis centre (ADCC). In this context, the term “incident” refers to “any event having an actual adverse effect on the security of network and information systems”.

Critical Infrastructures Act

Under the Critical Infrastructures Act, operators of critical infrastructures in scope of the Act are required to notify the federal police, the relevant sectoral authority, as well as the ADCC in the case of an event that can compromise the security of the critical infrastructures for which they are responsible. The Act does not further define what constitutes a reportable “event”. These reporting obligations are likely to change under the RCE Directive. Once the RCE Directive is transposed into Belgian law, critical entities in scope of the law will be required to submit an initial notification no later than 24 hours after becoming aware of an incident, followed, where relevant, by a detailed report no later than one month thereafter. For the purposes of the RCE Directive, “incident” means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law.

Telecom Act

The Telecom Act (transposing the e-Privacy Directive and the EECC) defines the security measures that providers of publicly available electronic communications services and networks in Belgium must take, both to guarantee the continuity of the operation of their networks and services and to protect the (personal) data that is processed in the context of the provision of those networks and services. The Telecom Act requires telecoms operators to notify the Belgian Institute for Postal Services and Telecommunications (BIPT) in the following circumstances.

  • If there is a specific and significant threat of a security incident. In that case, the telecom operators must also inform users potentially affected by such a threat of any possible protective measures or remedies which can be taken by the users.
  • In case of an actual security incident that has had an important impact on the operation of networks and services. The Telecom Act sets out five parameters in order to determine the significance of the impact.

In this context, a “security incident” is defined as “an event having an actual adverse effect on the security of electronic communications networks or services”. Telecom operators are also required to notify the DPA if there has been a breach relating to personal data that is transmitted, stored or otherwise processed in connection with their services. The DPA will subsequently have to inform the BIPT of the breach.

DORA

Regarding ICT-related incidents in the financial sector, DORA will require financial entities to record all incidents and implement extensive incident management procedures. This includes establishing detailed processes to classify incidents and assess their impact based on specific factors, such as the criticality of the services of the financial entity, the geographical impact of the incident, and the types of data affected. Financial entities will have to report major ICT-related incidents in accordance with standards that will be established at EU level by July 2024 (and which will determine the content of reports and notifications, in addition to reporting deadlines). “Major ICT-related incident” means an ICT-related incident with a potentially high adverse impact on the network and information systems that support critical functions of the financial entity. In some cases, financial entities may also have to inform their clients and the media about ICT-related incidents.

The GDPR

The notification duties in the GDPR apply only to the extent that there has been a personal data breach, which means that the breach must involve personal data, as that concept is defined in the GDPR. The GDPR refers to personal data as “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

The type and sensitivity of personal data involved in a personal data breach will play an important role in the risk assessment that the controller must conduct in the immediate wake of the breach. The more sensitive the personal data, the higher the risk of harm to affected individuals and the more likely the breach will have to be reported.

The Telecoms Act

The provisions in the Telecom Act regarding regulator and user notifications refer to the concept of “breaches relating to personal data”, which the Telecom Act defines as a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed in connection with the provision of electronic communications services in the European Union.

Under the NIS Act, there are reporting duties when an incident has (adversely) affected the security of network and information systems. The concept “network and information system” refers to:

  • an electronic communications network within the meaning of the Telecom Act (ie, transmission systems, whether or not based on a permanent infrastructure or centralised management capacity and, where appropriate, the switching or routing equipment and other resources, including network elements that are not active, that may allow signals to be conveyed by wire, radio waves, optical or other electromagnetic means – this includes satellite networks, fixed (circuit and packet-switched, including the internet) and mobile networks, electricity networks in so far as these are used for the transmission of signals other than those for audio-visual and auditory media services are used);
  • any device or group of (permanently or temporary) interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, including the digital, electronic, or mechanical components of that device which enable the automation of the operational process, the monitoring from a distance, or the collection of processing data in real time; and
  • digital data stored, processed, retrieved or transmitted by elements covered under the above bullet points for the purposes of their operation, use, protection and maintenance.

Under the Critical Infrastructures Act, the reporting duty applies to operators of critical infrastructures in the scope of the Act (ie, in the areas of transportation, energy, finances, trade platforms, electronic communications and digital infrastructures, healthcare, and potable water supplies). The Critical Infrastructures Act defines the concept “critical infrastructure” as an installation, system or part thereof, of federal importance, which is critical to the preservation of vital societal functions, health, safety, security, economic prosperity, or societal well-being, whose functioning or destruction would have a significant repercussion by disrupting those functions.

Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (“Medical Devices Regulation”), requires that, for devices that incorporate software or for software that is categorised as a medical device in itself, the software must be developed and manufactured in accordance with state-of-the-art security standards.

Incidents involving the security of medical devices that include or constitute software may require notification to the national competent authority, if certain conditions are met. This will be the case, for example, where the medical device is suspected to be a contributory cause of the incident and the incident has (or might have) led to the death or serious deterioration in the state of health of a patient or other person. For incidents that occur on the Belgian territory, the national competent authority is the Federal Agency for Pharmaceuticals and Health Products (FAGG).

Industrial Control Systems (ICS) are command and control networks and systems designed to support industrial processes. The largest subgroup of ICS is formed by Supervisory Control and Data Acquisition (SCADA) systems. Critical infrastructures, such as electricity generation plants, transportation systems, oil refineries, chemical factories and manufacturing facilities are increasingly making use of ICS to monitor their facilities and ensure their proper operation.

If an event has occurred affecting ICS or SCADA systems, as a result of which the security of a critical infrastructure could be compromised, the operator of the critical infrastructure may be required to notify the relevant authorities pursuant to the Critical Infrastructure Act, or if the event adversely affects the provision of essential services, the relevant authorities pursuant to the NIS Act (see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event).

The Cybersecurity Act recognises that digitisation and connectivity are becoming core features in a growing number of products and services, and with the advent of the internet of things (IoT) a high number of connected digital devices are expected to be deployed across the EU. The digital single market, and in particular the IoT, can thrive only if there is general public trust that IoT-based products, services and processes provide a certain level of cybersecurity. Cybersecurity certification will play an important role in increasing trust and security in IoT-related products, services and processes, and the Cybersecurity Act has therefore introduced a European cybersecurity certification framework.

The upcoming Cyber Resilience Act is expected to impose specific cyber-resilience obligations on companies that manufacture or distribute products that connect to a device or network.

The Cybersecurity Act has introduced a regime of cybersecurity certifications (see also 5.6 Security Requirements for IoT). The regime is designed to achieve a number of security objectives, including ensuring that ICT products, services and processes are provided with up-to-date software (and hardware) not containing publicly-known vulnerabilities, and are provided with mechanisms for secure updates. Organisations, manufacturers or providers involved in the design and development of software should therefore implement measures at the earliest stages of design and development to protect the software to the highest possible degree (“security-by-design”). Also, software should be designed in a way that ensures a higher level of security which should enable the first user to receive a default configuration with the most secure settings possible (“security by default”).

The upcoming Cyber Resilience Act will impose cybersecurity obligations on manufacturers of products with digital elements. “Products with digital elements” refers to any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately.

In addition, the anticipated Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (“AI Act”) will require users of high-risk AI systems to inform the provider or distributor of the AI system when they have identified any serious incident or any malfunctioning within the meaning of the AI Act.

Although the GDPR imposes an obligation on controllers to notify personal data breaches, in practice notification is not always required:

  • notification to the DPA is required, unless a personal data breach is unlikely to result in a risk to the rights and freedoms of individuals; and
  • communication of a breach to affected individuals is only triggered if the breach is likely to result in a high risk to the rights and freedoms of those individuals.

When controllers have engaged processors, those processors must notify the controllers, without undue delay, if they have suffered a personal data breach involving personal data that is being processed on the controllers’ behalf.

Under the NIS Act, OES must notify all incidents that affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services they provide depend.

Under the NIS Act, DSP must notify/report all incidents that have significant consequences for the provision of the digital service(s) that they offer in the European Union.

Telecoms operators subject to the Telecom Act must report to the BIPT security incidents that reach one or more of the following thresholds:

  • the incident lasts at least one hour and affects at least 25,000 end users;
  • the incident has an impact on the network affecting access to emergency services via that network;
  • the incident has an impact on interconnections on the Belgian territory and therefore affects other operators in Belgium or abroad; and
  • the incident has an impact on a network component that the operator considers critical for the operation of its networks or services.

Under the GDPR, controllers that have become aware of a personal data breach are expected to assess the risk that could result from the breach. According to regulatory guidance on this topic, there are two main reasons for this:

  • knowing the likelihood and the potential severity of the impact on affected individuals will help the controller to take effective steps to contain and address the breach; and
  • a risk assessment will help the controller determine whether notification is required to the DPA and, if necessary, to the affected individuals.

A personal data breach must be notified to the DPA, unless it is unlikely to result in a risk to the rights and freedoms of individuals. However, the key trigger requiring communication of a personal data breach to affected individuals is the likeliness that the breach may result in a high risk to the rights and freedoms of those individuals.

When the breach involves personal data that reveals special or “sensitive” categories of personal data (eg, data revealing racial or ethnic origin, health data, or data concerning sex life), the DPA considers that such damage is likely to occur.       

The GDPR provides explicitly that controllers have a legitimate interest in processing personal data to the extent that such processing is strictly necessary and proportionate for the purposes of ensuring network and information security. The GDPR further specifies that permitted practices and tools for network and information security could include those that focus on:

  • preventing unauthorised access to electronic communications networks and malicious code distribution; and/or
  • stopping “denial of service” attacks and damage to computer and electronic communication systems.

Whether monitoring practices and tools meet the necessity and proportionality test under the GDPR will require a careful balancing of the interests of the controller and the rights of the individuals whose personal data are at stake.

The Belgian DPA has issued extensive guidance on workplace privacy and employers’ monitoring of network and information systems. In addition, in 2002, employer and employee organisations in Belgium reached a consensus on a Collective Bargaining Agreement (CBA No 81) that allows employers – subject to strict conditions – to monitor their workers’ use of electronic/online communication means (eg, email and internet). CBA No 81 sets out general principles of privacy and data protection that employers must follow, and creates a framework that allows employers to engage in certain monitoring activities, including for purposes of preserving the security and/or functioning of their organisation’s IT systems.

There are three main reasons why the intersection of cybersecurity, privacy and data protection presents severe compliance challenges.

  • At EU and national level, cybersecurity, privacy and data protection are regulated by different legal instruments – in particular the GDPR, the Telecom Act (which transposes the ePrivacy Directive and EECC), and the NIS Act (which transposes the NIS Directive). As a result, organisations in Belgium whose activities fall under, for example, both the GDPR and NIS Act may be subject to different security and breach notification requirements.
  • While cybersecurity rules aim to protect networks and information systems, privacy and data protection laws focus on the protection of individuals’ privacy and the safeguarding of their personal data. In other words, cybersecurity and privacy/data protection serve different and, to an extent, conflicting objectives.
  • From a cybersecurity perspective, there is a tendency to expand monitoring of networks and information systems as this is considered essential in order to withstand increasing cyberthreats. However, in many cases, monitoring involves processing of individuals personal data, which will need to comply with the basic data protection principles laid down in the GDPR. The GDPR recognises that controllers have a legitimate interest in monitoring their networks and information systems – and in processing personal data along the way – provided that the data processing is strictly necessary and proportionate for the purposes of ensuring network and information security.

There is currently no required or formally authorised sharing of cybersecurity information with the Belgian government. See, however, 7.2 Voluntary Information Sharing Opportunities for an overview of voluntary data sharing initiatives.

Both the Cybersecurity Act and the NIS Directive promote the creation of Information Sharing and Analysis Centres (ISACs). ISACs are stakeholder-driven private-public partnerships (PPPs) that collect, analyse and disseminate actionable threat information and provide their members with tools to mitigate risks and enhance resilience.

In Belgium, ISACs are facilitated by the Belgian Cybersecurity Centre (BCC). Some of the ISAC initiatives that the BCC has fostered include the Cyber Threat Intelligence Research Project (CTISRP), the Cyber Security Coalition, and Belgian Network and Information Security (BELNIS). This last initiative acts as a co-ordinating work-group comprising representatives from various government agencies engaged in cybersecurity. It provides advice to the Belgian government on cybersecurity incidents and cybersecurity in general. The Cyber Security Coalition Belgium acts as a platform for cyber-experts from private, academic and public sectors.

In addition, the BCC has a specific department (CyTRIS) that collects relevant information, monitors cyberthreats and publishes related reports on a regular basis. CyTRIS is also responsible for the BCC’s Early Warning System (EWS) and for the communication and information exchange with CSIRTs in other EU countries. CyTRIS is also in charge of the Spear Warning procedure, which provides organisations with warnings about specific infections or vulnerabilities.

Other information-sharing initiatives include:

  • the QCTR events, organised by CyTRIS, which bring together different stakeholders at least once a quarter and inform all participants about active cyberthreats;
  • the Cyber Security Sectoral Authority Platform (CySSAP), which brings together the supervisory authorities of OES;
  • The CSI/DPO (les conseillers en sécurité de l’information, data protection officers’ platform), which provides a meeting forum for security advisers and data protection officers of the different public services in Belgium; and
  • Synergy IT (SIT), which is a platform for sharing knowledge and information among IT managers from all federal public services, with the aim of setting up and monitoring joint IT (security) initiatives.

In recent years, there has been a steep increase in the number of personal data breaches that have been notified to the DPA. The majority of personal data breaches that are notified to the Belgian DPA relate to incidents caused by human error, as well as hacking, phishing or malware. In 2022, more than 9% of the personal data breaches handled by the DPA involved ransomware cases. However, thus far, the DPA has issued few enforcement decisions that involve lack of compliance with the GDPR’s requirements relating to data security and personal data breaches.

To date, there have been no significant audits, investigations or penalties imposed for alleged cybersecurity violations or data security incidents or breaches.

The main legal standards under the GDPR can be summarised as follows:

  • controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data;
  • in assessing the appropriate level of security, the focus should be on those risks that stem from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;
  • in the case of a personal data breach, the controller is in principle required to notify the personal data breach to the DPA without undue delay (and, where feasible, within 72 hours after having become aware of the personal data breach);
  • the controller must communicate the personal data breach to affected individuals – without undue delay – only if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons; and
  • the controller is responsible for documenting any personal data breaches that it has suffered – this documentation should enable the DPA to verify the controller’s compliance with security-related obligations under the GDPR.

The GDPR provides each individual in Belgium with the right to an effective judicial remedy against a controller or processor where they consider that their rights under the GDPR have been infringed as a result of personal data processing in non-compliance with the GDPR. This includes non-compliance with the GDPR’s in terms of personal data breaches and data security more generally.

Proceedings against the controller or processor responsible for the GDPR infringement must be brought before the courts of the EU member state where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of Belgium, if that is where the individual has their habitual residence.

Despite the fact that the GDPR introduced this specific right to judicial remedy into the Belgian legal system almost five years ago, to date there has been no noteworthy private litigation involving cybersecurity allegations, or data security incidents or breaches. See, however, the collective redress case highlighted in 8.5 Class Actions.

Under the GDPR, individuals in Belgium have the right to mandate a non-profit organisation or association (that meets certain conditions) to exercise, on the individual’s behalf, the right to an effective judicial remedy where the individual considers that their data protection rights have been infringed. This infringement could relate to any processing of personal data in non-compliance with the GDPR, including requirements on security of (data) processing. Non-profit organisations and associations can also exercise individuals’ rights to receive compensation under the GDPR.

The possibility to file an action for collective redress (or class action) already existed before the GDPR became applicable, since the adoption of the Class Action Act of 28 March 2014. The procedures for class actions under this Act are restricted to specific types of claims, including claims relating to data protection. However, pursuant to this Act, only a group of consumers or small and medium-sized enterprises (SMEs) may initiate an action for collective address if they have suffered damage as a result of a common course. The group must also decide whether the action should be based on an opt-in or opt-out system for potential claimants. In order to initiate an action for collective address, the group of consumers or SMEs must be represented by a “group representative” – typically a non-profit association – that meets a number of conditions set out in the Class Action Act.

So far, relatively few actions for collective redress have been launched in connection with data protection claims. In 2018, Belgian consumer protection organisation Test Aankoop/Test Achats initiated a class-action before the Brussels courts on behalf of approximately 44,000 individuals against Facebook, in the wake of the Cambridge Analytica matter. Test Aankoop/Test Achat initially claimed per capita damages of EUR200, but ultimately decided to terminate its legal action against Facebook, following a settlement between the parties.

Under the NIS 2 Directive, management bodies of essential and important entities will have to approve the cybersecurity risk-management measures taken by those entities in order to comply with the requirements of the NIS 2 Directive. They will also have to oversee the implementation of these measures and can be held liable for infringements by the entities. In addition, management members will be required to follow cyber training and encourage essential and important entities to offer similar training to their employees on a regular basis.

The RCE Directive imposes an obligation on critical entities to carry out a risk assessment within nine months of receiving notification from the Belgian authorities that they are in scope of the RCE Directive, and subsequently at least every four years, on the basis of EU member state risk assessments and other relevant sources of information.

DORA requires financial entities to have in place mechanisms to promptly detect anomalous ICT activities, including ICT network performance issues and ICT-related incidents, and to identify all potential material single points of failure.

In corporate transactions where the buyer assumes legal responsibility for the target’s data processing systems and operations (eg, as a result of a share acquisition), it is important to ensure that the buyer has obtained all relevant information about the target’s compliance with network, information system and data security requirements.

In particular, the buyer will want to receive reassurance from the seller – by means of representations and warranties, and after having conducted thorough due diligence – that the target has carried on its business at all times substantially in compliance with applicable cybersecurity and data protection laws and regulations. This should include confirmation that the target has, for instance:

  • implemented appropriate technical and organisational measures, including data protection policies and procedures, to protect against the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data;
  • put in place data security incident and personal data breach response plans (including maintaining a record of personal data breaches); and
  • entered into written contracts vendors/processors ensuring that they have implemented appropriate technical and organisational measures to safeguard any data that they are processing on behalf of the target. 

One possible issue is that sellers sometimes fail to provide the prospective buyer with copies of all of the target’s policies, procedures, certifications, reports, or test results prepared internally or by a third party relating to the security of the target’s IT and data processing systems, including risk assessments, security audits, vulnerability reports, user awareness reports, or the results of any penetration (“pen”) testing. Another issue is the seller’s representations and warranties around compliance with applicable cybersecurity and data protection rules may be of limited value if the buyer’s due diligence has identified broad non-compliance. In those cases, buyers may want to secure cybersecurity and data protection related indemnities from the seller.

There are currently no laws mandating public disclosure of an organisation’s cybersecurity risk profile or experience. However, if there is a personal data breach that must be notified to affected individuals pursuant to the GDPR and notifying them individually would involve disproportionate efforts, data controllers are required to issue a public communication (or take similar measures) to make sure that the affected individuals are informed effectively. This requirement may therefore result in a public disclosure of the organisation’s cybersecurity experience.

In May 2021, the BCC published its Cybersecurity Strategy 2.0, which aims to ensure that Belgium becomes one of the least vulnerable countries in Europe in the cybersecurity area by 2025. Cybersecurity Strategy 2.0 is built on a number of strategic objectives that the BCC intends to pursue in co-operation with all relevant stakeholders. This includes the establishment of a Cyber Greenhouse – an innovation centre that will help create and test innovative cyber solutions and business models in a risk-free environment. These efforts should also result in additional cybersecurity guidelines and best practices.

As part of Cybersecurity Strategy 2.0, the Belgian government intends to create a framework that allows companies to assess and certify the safety of ICT products, services and processes. This framework shall be aligned with the Cybersecurity Act.

In terms of cybersecurity insurance, although it is not legally required, companies in Belgium are increasingly seeking to obtain specialised insurance coverage. As a result of this demand, several insurance companies are now offering a variety of cyber-insurance solutions to their Belgium-based (business) customers. Most of these insurance offerings provide coverage in case of loss or damage caused by cybercrime, hacker-related damage, cyber-extortion (eg, ransomware or cryptoware) and data theft. Many also offer 24/7 (helpdesk) assistance in the event of a cyber-attack or data breach and/or reimburse costs for legal, IT and PR services that are necessary to limit any damage to the company and its reputation.

Alston & Bird LLP

Guimard 9
B-1040 Brussels
Belgium

+32 2 486 8822

Wim.Nauwelaerts@alston.com www.alston.com
Author Business Card

Law and Practice

Author



Alston & Bird LLP is an international law firm with extensive experience in a wide spectrum of cybersecurity issues. The firm leverages this experience to help companies manage their cybersecurity-related responsibilities. This includes advising clients on incident response and breach notification requirements under EU and EU member state laws.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.