Answer ... (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Yes, the NIS Act (the Belgian legislation transposing the 2016 NIS Directive) applies specifically to digital service providers and to operators of essential services in the following sectors:
- energy (including electricity, oil and gas);
- transport (including air, rail, water and road transport);
- banking and financial institutions;
- financial market infrastructure;
- healthcare (both public and private);
- drinking water supply; and
- digital infrastructure (eg, internet exchange points, DNS service providers and top-level domain name registries).
Digital service providers, namely online marketplaces, online search engines and cloud computing services, are covered as a separate category.
Additional criteria are provided to identify which operators in these sectors are in fact covered by the act (eg, whether the provision of the service is dependent on a network and information system).
The proposal for a Directive on measures for a high common level of cybersecurity across the European Union, informally called NIS 2.0, is intended to repeal and build upon the 2016 NIS Directive. This update broadens the personal scope of application. Entities will be classified according to their importance into the categories of essential and important entities, with a different supervisory regime applying to each. Essential entities, such as those in the energy, banking, health and digital infrastructure sectors, will be joined by important entities operating in postal and courier services, waste management, the manufacturing, production and distribution of chemicals, and food production, processing and distribution. The EU Member States will have the right to expand certain categories.
The Electronic Communications Act of 13 June 2005 lays down specific rules on the security of the telecommunications sector. These rules originate in the European Electronic Communications Code and the e-Privacy Directive (2002/58). A debate on an e-Privacy Regulation, which would replace the e-Privacy Directive, has been ongoing for several years.
The eIDAS Regulation (910/2014) applies to providers of trust services that make business transactions more secure (eg, by creating, verifying and validating electronic signatures). Further Belgian legislation which is relevant in this respect can be found in:
- Title 2 of Book XII of the Code of Economic Law;
- the Act of 18 July 2017 on electronic identification;
- the Act of 20 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier and the elimination of obstacles to the conclusion of contracts by electronic means; and
- the Royal Decree of 25 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier.
The Second Payment Services Directive (2015/2366) includes cybersecurity rules which apply to payment service providers. The Belgian implementing legislation can be found in the Act of 11 March 2018 on the statute and supervision of payment institutions and electronic money institutions, access to the business of payment service provider and to the activity of issuing electronic money, and access to payment systems.
The GDPR and the Privacy Act apply in all sectors, including those mentioned above, in which personal data is processed.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The GDPR applies to any personal data that is being processed, regardless of sector or industry. It does not apply to processing by a natural person in the course of a purely personal or household activity, or to processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security (the latter is governed by the Law Enforcement Directive instead).
Health and financial information is also covered by the GDPR, as it in essence constitutes personal data. Health data is further qualified as a ‘special category’ of personal data (commonly referred to as ‘sensitive data’), meaning that stricter requirements apply: processing is prohibited unless one of the specific exceptions in Article 9(2) GDPR applies. Financial information is not a special category under the GDPR and is subject to the general regime, although sector-specific rules (see above) may impose additional security obligations. Other special categories include data revealing a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data (when processed to uniquely identify a natural person), and data concerning a person’s sex life or sexual orientation.
Trade secrets are protected by the Code of Economic Law pursuant to the Trade Secrets Directive (2016/943).