Belgium’s Cybersecurity Strategy 2.0 (2021–25; the “Strategy”), which was designed by the Belgian federal government in co-operation with the Belgian Cybersecurity Centre (CCB), aims to make Belgium one of the least vulnerable countries in Europe in terms of cybersecurity. It includes a strategic plan to support the development of appropriate capacity to detect, investigate, prosecute and sanction cybercrime.

One of the key objectives of the Strategy is to build out expertise across all levels of law enforcement so that the necessary investigation capacities can be effectively and quickly deployed in a digital environment. The intention is to ensure that the prosecutor’s office and the courts of all judicial districts have prosecutors and judges with sufficient experience in combatting cybercrime.

The Strategy also sets out several strategic objectives that the CCB intends to pursue in co-operation with all relevant stakeholders in the cybersecurity sector in the upcoming years.¬

These objectives include:

• strengthening and increasing trust in digital environments;
• arming users and administrators of computers and networks;
• protecting organisations of vital interest against cyberthreats;
• responding effectively to cyberthreats;
• improving public, private and academic collaborations; and
• participating in international commitments involving cybersecurity.

The main laws and regulations in Belgium relating to cybersecurity include:

• Article 22 of the Belgian Constitution;
• Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation; GDPR);
• the Act of 3 December 2017 establishing the Data Protection Authority (the “DPA Act”), amended by the Act of 25 December 2023;
• the Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, supplementing the GDPR (the “Data Protection Act”);
• the Belgian Criminal Code, as amended by the Act of 28 November 2000 on Cybercrime and the Act of 15 May 2006 on Cybercrime, in particular Article 210bis on computer-related forgery, Articles 259bis and 314bis on the interception of electronic communications, Article 504quater on computer-related fraud, Article 550bis on illegal access (hacking) and Article 550ter on computer sabotage;
• the Belgian Criminal Procedure Code;
• the Royal Decree of 10 October 2014 for the establishment of the CCB, supplemented by Royal Decree of 12 October 2023 determining the conditions for awarding subsidies for activities related to informing and raising awareness in the field of cybersecurity;
• Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) 526/2013 (the “Cybersecurity Act”);
• Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”), as repealed by Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) 910/2014 and Directive (EU) 2018/1972 (the “NIS2 Directive”);
• the Act of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security, and transposing the NIS2 Directive (the “NIS2 Act”);
• Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) 1060/2009, (EU) 648/2012, (EU) 600/2014, (EU) 909/2014 and (EU) 2016/1011 (DORA);
• Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (the “Cyber Resilience Act” or CRA);
• Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (the “Critical Infrastructures Directive”), as repealed by Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities (the “CER Directive”);
• the Act of 1 July 2011 on the security and protection of critical infrastructures, partially implementing the Critical Infrastructures Directive (the “Critical Infrastructures Act”) – the Critical Infrastructures Act was amended by the Royal Decree of 15 September 2023 to align the security requirements for the energy sector with those imposed by the CER Directive; and
• Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) 300/2008, (EU) 167/2013, (EU) 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (the “AI Act”).

The CCB operates under the authority of the federal Prime Minister and is the central authority for cybersecurity in Belgium, in addition to assuming the role of national computer security incident response team (CSIRT). The CCB is charged with monitoring, co-ordinating and supervising the implementation of the government’s cybersecurity policy and strategy.

¬The federal computer emergency response team (CERT) is the operational service of the CCB. The task of CERT is to detect, observe and analyse online security problems, and to provide continuous information about these problems. It helps the government, emergency services and companies to prevent, co-ordinate and provide assistance in the event of cyber-incidents.

The Cyber Threat Research and Intelligence Sharing (“CyTRIS”) Department within the CCB monitors cyberthreats and publishes regular reports.

In addition to the CCB, several sectoral authorities are charged with monitoring cyber-related matters for their respective sectors:

• the federal Minister for Energy – the energy sector (Federal Public Service Economy);
• the federal Minister for Transport – the transport sector, with the exception of transport over waters accessible to seagoing vessels;
• the federal Minister for Maritime Mobility – transport over water accessible to seagoing vessels;
• the federal Minister for Public Health – the health sector; and
• the federal Minister for Economy – the digital services sector, encompassing cloud computing services, online search engines and online marketplaces (Federal Public Service Economy).

Together with the CCB, the National Crisis Centre (NCCN) ensures the organisation and co-ordination of the Cyber Emergency Plan at national level. The two authorities are jointly responsible for crisis management. The NCCN is also in charge of making national risk assessments, and it is the (inter)national point of contact for critical infrastructures. Moreover, the NCCN prepares national emergency plans and provides local support. It operates 24/7, ensures the protection of people and institutions and monitors events.

The Belgian Institute for Postal Services and Telecommunications (BIPT) monitors the security of the electronic communications networks and services of telecoms operators. The BIPT is also the sectoral authority and inspection service for the digital infrastructure sector under the NIS2 Act, and for the electronic communications and digital infrastructure sectors under the Critical Infrastructures Act.

The National Security Council is charged with the co-ordination and evaluation of general intelligence and security policy matters and the national security strategy, the prioritisation of intelligence and security services, the co-ordination of national security priorities, the co-ordination of a general policy on the protection of sensitive information, the co-ordination of the fight against terrorism and extremism and the monitoring of its decisions.

The Coordination Unit for Threat Analysis (CUTA), operating under the Minister of Justice and the Minister of Interior Affairs, is an independent knowledge centre in charge of assessing terrorist and extremist threats in Belgium.

The Belgian Data Protection Authority (DPA) is an independent body that ensures that the fundamental principles of personal data protection are properly observed. This includes the GDPR’s requirements relating to data security and personal data breach notifications. The DPA consists of different departments, each of which plays a specific role in enforcement cases. The Frontline Service performs a triage function to determine which complaints merit further investigation, the Inspection Body carries out investigations, and the Dispute Resolution Chamber issues enforcement decisions. Investigations are typically triggered by a complaint or request for information, but the DPA can also decide to open an investigation at its own initiative.

The Information Security Committee (ISC) was created by the Act of 5 September 2018 to grant certain authorisations in relation to the processing and communication of specific categories of personal data (eg, national registry numbers).

The NIS2 Directive and the Belgian NIS2 Act transposing it apply to public or private entities that are established in Belgium and that provide one of the services listed in Annex I or II to the NIS2 Act within the EU.

An entity will be subject to the NIS2 Act if it carries out one of the activities listed in Annex I or II to the NIS2 Act – as an “essential” or “important” entity – within the EU, and if it is at least considered to be a medium-sized enterprise within the meaning of European Commission Recommendation 2003/361/EC of 6 May 2003 (concerning the definition of micro, small and medium-sized enterprises).

“Essential entities” are those that provide a service listed in Annex I and meet the definition of a large enterprise within the meaning of Recommendation 2003/361/EC.

“Important entities” are organisations that provide a service:

• listed in Annex I and meet the definition of a “medium-sized enterprise” within the meaning of Recommendation 2003/361/EC; or
• listed in Annex II and meet the definition of a “medium-sized or large enterprise” within the meaning of Recommendation 2003/361/EC.

For the purposes of calculating the size of the entity, the European Commission has published guidance as well as a calculation tool. In addition, the CCB has issued guidelines specifying that the scope of the NIS2 Act covers the whole of the entity concerned and not just the activities listed in the Annexes to the NIS2 Act.

Moreover, an entity will be considered in scope of the NIS2 Act even if the essential service it provides is only an ancillary part of all its activities – unless the definition of the service in the Annex takes into account the principal or incidental nature of the activity.

In terms of territorial scope, the NIS2 Act applies in principle to entities established in Belgium that provide their services or carry out their activities within the EU. The concept of establishment consists of the actual pursuit of an activity by means of a permanent installation, irrespective of the legal form adopted, whether this is a registered office, a local branch or a subsidiary with legal personality.

It should also be noted that the operator of one or more critical infrastructure(s) identified under Critical Infrastructures Act will be considered to be an essential entity within the meaning of the NIS2 Act. The NIS2 authorities and the competent authorities under the Critical Infrastructures Act are expected to work together to supervise these entities.

The main cybersecurity requirements for entities in scope of the NIS2 Act can be summarised as follows:

• register with the relevant (sectoral) authorities – this can be done by completing an online form on the Safeonweb@Work registration platform, provided that the entity is already registered with the Belgian Crossroads Bank for Enterprises;
• adopt appropriate cybersecurity risk-management measures – these are technical, operational or organisational measures that allow the entity to manage the risks relating to the security of their network and information systems, and to prevent or minimise the impact of cyber-incidents;
• provide training to their management bodies to ensure that their knowledge and skills are sufficient to identify risks and assess risk-management measures in terms of cybersecurity and their impact on any services provided to the entity;
• ensure supply chain security, which refers to security-related aspects of the relationships between entities and their direct suppliers or service providers – the NIS2 Act does not explain in detail how NIS2 entities should manage this supply chain security obligation, but the CCB recommends that covered entities contractually impose a label or certification obligation on their suppliers, such as those included in the CCB’s CyberFundamentals (CyFun®) framework, in order to demonstrate compliance with this requirement; and
• notify significant (cybersecurity) incidents to the CCB (see 2.3 Incident Response and Notification Obligations).

Entities in scope of the NIS2 Act are required to notify the national CSIRT (ie, the CCB) in the event of a significant (cybersecurity) incident. 

A significant incident is defined as any incident that has a significant impact on the provision of services in the sectors or subsectors listed in the Annexes to the NIS2 Act, and which has caused or is likely to cause:

• serious disruption to the operation of any of the services in the sectors or subsectors listed in Annexes I and II or financial loss to the concerned entity; or
• significant material, personal or non-material damage to other natural or legal persons.

Notification takes place through the following steps:

• first, an early warning is submitted, within 24 hours of becoming aware of the significant incident;
• a formal incident notification is subsequently filed within 72 hours of becoming aware of the significant incident; and
• a final report is ultimately submitted, no later than one month after the initial notification – in the meantime, the CCB may request interim reports, and the CCB will also provide recommendations on when notification is required and on the procedure to follow.

In principle, NIS2 entities are expected to notify incidents to the CCB only. The CCB will subsequently forward notifications to the relevant sectoral authorities and to the NCCN (for essential entities).

However, the notification regime is different for entities in the banking and financial sectors that are in scope of DORA. Those types of entities should notify incidents, as appropriate, to the National Bank of Belgium (NBB) or the Financial Services and Markets Authority (FSMA), which will forward the incident notification to the CCB.

In some cases, entities that have suffered a significant incident will also be required to notify the recipients of their services.

The CCB is responsible for co-ordinating and monitoring the NIS2 Act. Under the NIS2 Act, the CCB will be in charge of supervising essential and important entities (in co-operation with sectoral authorities), in addition to being the central contact point for NIS2 implementation.

Belgium’s CSIRT is also part of the CCB. Entities in scope of the NIS2 Act are required to report significant incidents to this CSIRT. In addition, the NCCN is involved in the implementation of the NIS2 Act, in particular as regards incident notification, cybercrisis management and physical security measures implemented by operators of critical infrastructures and critical entities (subject to the Critical Infrastructures Act).

DORA applies to the following types of financial entities, which are under the supervision of the FSMA:

• asset management and investment advisory companies (investment firms);
• authorised managers of alternative investment funds;
• management companies of collective investment undertakings and self-managed collective investment undertakings;
• trading platforms;
• crowdfunding service providers (crowdfunding platforms);
• insurance and reinsurance intermediaries and ancillary insurance intermediaries; and
• institutions for occupational retirement provision (IORPs).

DORA also applies to institutions that are under the supervision of the NBB, such as credit institutions, insurance and reinsurance companies and payment institutions.

DORA defines information and communication technology (third-party) service providers (ICT TPSPs) as undertakings providing ICT services to financial entities in scope of DORA. ICT services in the context of DORA should be understood in a broad manner, encompassing digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis. This may include providers of cloud computing services, software, data analytics services and data centre services. If financial entities delegate critical or important functions to ICT TPSPs, more stringent requirements will apply.

To ensure the conformity of their ICT risk management framework, financial entities are expected to maintain and update a specific information register (register of information or ROI) that lists the relevant contracts relating to the use of ICT services provided by ICT TPSPs. The agreements with ICT TPSPs will have to be properly documented and clearly distinguish those applicable to ICT services in support of critical functions.

Upon request, financial entities will have to make the entire ROI or certain parts of it available to the FSMA, together with all information that is considered necessary to enable effective supervision of the financial entity.

In addition, financial entities will have to inform the FSMA of any new or planned agreements on the use of ICT services that support critical or important functions.

Contractual provisions on the use of ICT services should include at least the following elements:

• a description of the services provided;

• a description of the locations where the services will be provided;
• the availability, confidentiality and security of the data;
• access to and return of the data;
• the relevant service levels;
• a contractual obligation to assist the customer/financial entity;
• a contractual obligation to co-operate with the FSMA;
• a contractual obligation to contribute to customer/financial entity awareness and education; and
• a right of termination and cancellation.

DORA aims to strengthen the digital operational resilience of the financial sector in the EU by imposing additional (cybersecurity) requirements on financial entities such as crypto-asset service providers, credit institutions and e-money providers (referred to as “financial entities” under DORA).

Sector-specific requirements under DORA include obligations to design ICT risk management frameworks, report major ICT-related incidents and perform digital operational resilience testing. DORA also requires financial entities to address and manage external sources of ICT risks that may result from their use of ICT TPSPs. To this end, financial entities are required to undertake due diligence on prospective ICT TPSPs, enter into specific contractual arrangements with ICT TPSPs and maintain and update a register with information on their relationships with ICT TPSPs.

After collecting and analysing all relevant information, financial entities must report serious ICT-related incidents to the FSMA. This information enables the FSMA to determine the scope of the incident and its possible cross-border effects, and to communicate it to other supervisors and authorities concerned.

The reporting of serious ICT-related incidents involves different steps, including the submission of an initial report, an interim report and a final report. Financial entities must submit an interim report if the status or handling of the incident has changed significantly, or at the request of the FSMA. The final report contains the analysis of the underlying causes of the incident, as well as information about to the actual impact of the incident.

When a serious ICT-related incident affects the financial interests of their clients, financial entities must inform them of the incident and the measures taken to mitigate any negative impact thereof.

DORA also includes a (voluntary) notification regime for significant cyberthreats – ie, cyberthreats that could result in a major ICT-related incident or a major operational or security payment-related incident. Financial entities may, on a voluntary basis, notify significant cyberthreats to the FSMA when they consider the threat to be of relevance to the financial system, service users or clients. Where appropriate, the FSMA may report that information to the other authorities and bodies concerned.

In the case of a significant cyberthreat, financial entities may need to, where applicable, inform clients that are potentially affected of any appropriate protection measures that they should consider taking.

Financial entities may outsource their reporting duties, but they remain fully responsible for ensuring compliance with their financial entity obligations under DORA. 

The NBB and the FSMA are the primary financial services regulators in Belgium. They are also in charge of monitoring cybersecurity risks in the Belgian financial sector. Therefore, DORA compliance will be overseen primarily by the FSMA.

To harmonise the supervision of ICT risks in the financial sector, DORA also brings together EU financial authorities, such as the European Banking Authority and the European Securities and Markets Authority, collectively referred to as the European Supervisory Authorities.

DORA allows EU member state authorities competent to monitor the activities of financial entities and ICTSPs to impose administrative fines (including in collaboration with other authorities, such as DPAs). For example, DORA leaves it to the discretion of these authorities to examine whether a DORA violation was intentional or resulted from a financial entity’s or ICTSP’s negligence in determining the amounts of fines to be imposed.

Furthermore, the EU legislators wanted to ensure appropriate oversight of critical ICTSPs, especially because these companies also provide, in some cases, their services to financial entities within the same group, which may lead to potential conflicts of interest and concentration risks. To address this issue, DORA establishes a new oversight framework whereby one of the major EU financial authorities (eg the European Banking Authority or the European Securities and Markets Authority) is designated as a lead overseer (LO) to monitor the activities of critical ICT TPSPs.

Critical ICT TPSPs are ICT TPSPs that the European Supervisory Authorities have designated as “critical” for financial entities, following an assessment that takes into account the criteria specified in DORA. LOs will have the power to conduct investigations (ie, on-site and offsite inspections) and adopt decisions imposing a periodic penalty payment to compel critical ICT TPSPs to co-operate with the LO in the course of an investigation.

Under DORA, financial entities are required to design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit. To achieve these objectives, financial entities are required to use ICT solutions and processes that, inter alia, ensure the security of the means of transfer of data.

In addition, if the data includes personal data (as defined in the GDPR), restrictions imposed by the GDPR may apply to transfers of personal data to recipients in jurisdictions outside of the EU. 

DORA requires certain entities to conduct advanced threat-led penetration tests. This requirement will only apply to financial entities selected on the basis of an assessment of the following elements:

• impact-related factors, in particular the extent to which the financial entity’s services and activities have an impact on the financial sector;
• possible financial stability concerns, including the systemic nature of the financial entity at the EU or national level, where applicable; and
• the specific ICT risk profile, the level of ICT maturity of the financial entity or the technological characteristics at stake.

The obligation to conduct advanced threat-led penetration tests does not apply to (i) small and unconnected investment firms, (ii) IORPs that have no more than 100 affiliates, or (iii) financial entities employing fewer than ten people, and whose annual turnover and/or annual balance sheet total does not exceed EUR2 million.

The CRA imposes minimum cybersecurity standards for connected products placed on the Belgian market, with a view to making the internet of things (IoT) more secure. It contains horizontal cybersecurity requirements for products with digital elements (PDEs), which are defined as products that can be connected to a device or network and include:

• hardware products with connected features, such as smartphones, laptops, home surveillance systems and connected toys; and
• software not embedded in a product and sold on a standalone basis, for example accounting software and mobile gaming apps.

All manufacturers placing PDEs on the Belgian market must comply with the CRA even if they are based outside the EU. For instance, the CRA may apply to a Chinese manufacturer of solar panels that sells its products in Belgium.

The CRA primarily imposes obligations on manufacturers of PDEs to ensure that their products are secure before they are put on the EU/Belgian market, but also afterwards throughout the whole life cycle of the product.

Furthermore, it includes provisions affecting other operators of PDEs such as importers, distributors, open-source software stewards, conformity assessment bodies (CABs) and public authorities.

According to the CCB, the CRA is expected to contribute to the CCB’s vision of making Belgium more cybersecure by ensuring that its citizens and organisations are less vulnerable to cyber-attacks.

The CRA imposes a minimum level of cybersecurity for all PDEs that are placed on the Belgian market and requires manufacturers of PDEs to: 

• design their PDEs with cybersecurity in mind – eg, by ensuring that data stored or transmitted with(in) the product is encrypted, and that the attack surface is as limited as possible;
• ensure that the default settings of their PDEs help reduce vulnerabilities – eg, by avoiding weak default passwords or by making sure that security updates are installed automatically;
• implement user transparency via clear disclosure, on the PDE or its packaging, of the end-of-support date, namely the date until which the manufacturer commits to provide security updates – this should assist PDE users with making purchasing decisions not only based on price and functionality, but also on the PDE’s level of cybersecurity; and
• report actively exploited vulnerabilities as well as severe incidents impacting the security of PDEs to public authorities, within 72 hours (with an early warning within 24 hours) of becoming aware of the vulnerability or incident – to facilitate the notification process and enable secure data sharing among European CSIRTs and ENISA, the CRA introduces a new single reporting platform with different national “end-points”, where this single reporting platform is different from the European vulnerability database established by the NIS2 Directive.

All PDEs, regardless of their cybersecurity risk level, must comply with the CRA’s basic cybersecurity standards outlined in the foregoing. PDEs that are considered more sensitive from a cybersecurity viewpoint – which the CRA refers to as “important” or “critical” products (eg password managers, firewalls, smart meters) are subject to additional, stricter obligations.

Cybersecurity certification plays an important role in increasing trust and security in IoT-related products, services and processes, and the Cybersecurity Act has therefore introduced a European cybersecurity certification framework.

ENISA, the EU Agency for cybersecurity, is in charge of in setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes. It is also responsible for informing the public on the certification schemes and the issued certificates through a dedicated website.

In addition, Belgium has created (by Royal Decree dated 16 October 2022), a framework that enables companies to evaluate and certify the security of ICT products, services and processes, in line with the Cybersecurity Act. The CCB has been designated as the national cybersecurity certification authority that will co-ordinate the necessary expertise in cybersecurity certification, authorise certificates with high security requirements and establish close collaboration with the Belgian accreditation organisation.

To help covered entities demonstrate compliance with the NIS2 Act in particular, the CCB has created the CyFun framework, which is based on several commonly used cybersecurity frameworks or standards including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), International Organization for Standardization (ISO) 27001/ISO 27002, Center for Internet Security (CIS) Controls and International Electrotechnical Commission (IEC) 62443. Following a NIS2 conformity assessment, a CyFun certification can be granted by a CAB that is approved by the CCB. CABs are bodies responsible for verifying an entity’s compliance with the requirements set out in the CyFun reference framework.

The GDPR provides that controllers have a legitimate interest in processing personal data to the extent that such processing is strictly necessary and proportionate for the purposes of ensuring network and information security. The GDPR further specifies that permitted practices and tools for network and information security could include those that focus on:

• preventing unauthorised access to electronic communications networks and malicious code distribution; and/or
• stopping “denial of service” attacks and damage to computer and electronic communication systems.

The GDPR also includes a notification regime for personal data breaches. The concept of “personal data breach” is broadly defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Controllers whose processing of personal data is subject to Belgian law may be required to notify personal data breaches to the Belgian DPA and, in some cases, to the individuals whose personal data is affected.

A personal data breach is a type of data security incident. While all personal data breaches are data security incidents, not all data security incidents are necessarily personal data breaches. The GDPR, and hence the notification duties to the DPA and affected individuals, only apply where there is a personal data breach.

The AI Act requires that high-risk AI systems must achieve suitable accuracy, robustness and cybersecurity levels, and that they perform consistently in those respects throughout their life cycle. The technical solutions aiming to ensure the cybersecurity of high-risk AI systems must be appropriate to the relevant circumstances and the risks. They can include measures to prevent, detect, respond to, resolve and control for attacks trying to manipulate the training data set (data poisoning), pre-trained components used in training (model poisoning), inputs designed to cause an AI model to make a mistake (adversarial examples or model evasion), confidentiality attacks and model flaws.

The European Commission has requested the European Committee for Standardisation (CEN) and the European Committee for Electrotechnical Standardisation (CENELEC) to draft the new European standards or European standardisation deliverables on AI by 30 April 2025, including European standard(s) and/or European standardisation deliverable(s) on cybersecurity specifications for AI systems. 

High-risk AI systems that have been certified, or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to the Cybersecurity Act, will be presumed to comply with the cybersecurity requirements set out in the AI Act (in so far as the cybersecurity certificate or statement of conformity, or parts thereof, cover those requirements).

Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) 178/2002 and Regulation (EC) 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (the “Medical Devices Regulation”), requires that, for devices that incorporate software or for software packages that are medical devices in themselves, the software must be developed and manufactured in accordance with the state-of-the-art, including in regard to information security standards and verification invalidation. Manufacturers of such medical devices must set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including any protection against unauthorised access.

Incidents involving the security of medical devices that include or constitute software may require notification to the national competent authority, if certain conditions are met. This will be the case, for example, where the medical device is suspected to be a contributory cause of the incident and the incident has (or might have) led to the death or serious deterioration in the state of health of a patient or other person. For incidents that occur on the Belgian territory, the national competent authority is the Federal Agency for Pharmaceuticals and Health Products (FAGG).