1. Basic National Regime

 1.1 Laws

Major laws and regulations in the cybersecurity field include the following.

Cybersecurity

  • Act of 13 June 2005 on electronic communications ("Telecom Act"), implementing the ePrivacy Directive (2002/58/EC), as amended on 21 December 2021 to transpose the European Electronic Communications Code (Directive (EU) 2018/1972) (EECC) into Belgian law.
  • Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection ("Critical Infrastructures Directive").
  • Act of 1 July 2011 on the security and protection of critical infrastructures partially implementing the Critical Infrastructures Directive ("Critical Infrastructures Act").
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union ("NIS Directive").
  • Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of the NIS Directive.
  • Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public security, implementing the NIS Directive ("NIS Act").
  • Royal Decree of 12 July 2019 implementing the NIS Act and the Critical Infrastructures Act.

Cybercrime

  • Belgian Criminal Code, as amended by the Act of 28 November 2000 on Cybercrime and the Act of 15 May 2006 on Cybercrime, in particular Article 210bis on computer-related forgery, Articles 259bis and 314bis on interception of electronic communications, Article 504quater on computer-related fraud, Article 550bis on illegal access (hacking), and Article 550ter on computer sabotage.
  • Belgian Criminal Procedure Code.

Data Protection

  • Article 22 of the Belgian Constitution.
  • Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
  • Act of 3 December 2017 establishing the Data Protection Authority ("DPA Act").
  • Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, supplementing the GDPR ("Data Protection Act").

Basic Concepts or Principles

The National Risk Assessment 2018–2023 of the Belgian National Crisis Centre (NCCN) considers cybercrime as one of the main risks the country will be facing in the coming years. Cybersecurity is described as the result of a set of security measures that minimise the risk of disruption or unauthorised access to information and communication systems.

Relevant Enforcement and Penalty Environment

Overview

  • Articles 51 and 52 NIS Act: criminal penalties and administrative fines.
  • Articles 114 and 145 Telecom Act: criminal penalties.
  • Article 26 Critical Infrastructures Act: criminal penalties.
  • Chapter VIII GDPR: criminal penalties and administrative fines.

Cybersecurity

For a long time, the main cybersecurity focus in Belgium was on prevention and raising awareness. However, the recently adopted Cybersecurity Strategy 2.0 (see also 10.1 Further Considerations regarding Cybersecurity Regulation) includes a strategic plan to support the development of an appropriate repressive capacity that is able to detect, investigate, prosecute and sanction cybercrime. One of the objectives is to build appropriate capacity and expertise at all levels of law enforcement so that the necessary investigation capacities can be effectively and quickly deployed in a digital environment. The intention is to ensure that the prosecutor's office and the courts of all judicial districts have sufficient prosecutors and judges with experience in combatting cybercrime.

Data protection

The Strategic Plan 2020–2025 of the Belgian Data Protection Authority (DPA) highlights a number of sectors, key GDPR obligations and social matters as policy and enforcement priorities. Priority sectors include telecommunications and media, public authorities, direct marketing, and education. Key GDPR obligations on which the DPA will focus include the designation and role of data protection officers, the legitimacy of the processing of personal data, and the rights of data subjects. From a social perspective, the DPA is expected to concentrate on three topics that are high on the agenda: (i) photos and cameras, (ii) online data protection, and (iii) the processing of sensitive data.

 1.2 Regulators

The NIS Act authorises government entities at national and sectoral level to oversee compliance with the NIS Act.

The Belgian Centre for Cybersecurity (BCC), operating under the authority of the Prime Minister, is the central authority for cybersecurity, as well as Belgium's national Computer Security Incident Response Team (CSIRT). The BCC is charged with the monitoring, co-ordination and supervision of the implementation of the government's cybersecurity policy and strategy.

The Federal Computer Emergency Response Team (CERT.be) is the operational service of the BCC. The task of CERT.be is to detect, observe and analyse online security problems, and to provide continuous information about these problems. It helps the government, emergency services and companies to prevent, co-ordinate and provide assistance in the event of cyber incidents.

The Cyber Threat Research and Intelligence Sharing (CyTRIS) department within the BCC monitors the cyber threats and publishes regular reports.

In addition to the BCC, several sectoral authorities are charged with monitoring cyber-related matters for their respective sectors:

  • the federal Minister for Energy – the energy sector (Federal Public Service Economy);
  • the federal Minister for Transport – the transport sector, with the exception of transport over waters accessible to seagoing vessels;
  • the federal Minister for Maritime Mobility – transport over water accessible to seagoing vessels;
  • the federal Minister for Public Health – the health sector;
  • the federal Minister for Economy – the sector of digital services such as cloud computing services, online search engines, and online marketplaces (Federal Public Service Economy).

Some of these authorities are responsible for monitoring compliance by providers of essential services or digital service providers with the provisions of the NIS Act, and may conduct audits and compliance checks.

Together with the BCC, the National Crisis Centre (NCCN) ensures the organisation and co-ordination of the Cyber Emergency Plan at national level. The two authorities are jointly responsible for crisis management. The NCCN is also in charge of making national risk assessments and it is the (inter)national point of contact for critical infrastructures. Moreover, the NCCN prepares national emergency plans and provides local support. It operates 24/7, ensures the protection of people and institutions and monitors events.

The Belgian Institute for Postal Services and Telecommunications (BIPT) monitors the security of the electronic communications networks and services of telecom operators. The BIPT is also the sectoral authority and inspection service for the digital infrastructure sector under the NIS Act and for the electronic communications and digital infrastructure sectors under the Critical Infrastructures Act.

The National Security Council is charged with the co-ordination and evaluation of general intelligence and security policy matters and the national security strategy, the prioritisation of intelligence and security services, the co-ordination of national security priorities, the co-ordination of a general policy on the protection of sensitive information, the co-ordination of the fight against terrorism and extremism, and the monitoring of its decisions.

The Coordination Unit for Threat Analysis (CUTA), operating under the Minister of Justice and the Minister of Interior Affairs, is an independent knowledge centre in charge of assessing terrorist and extremist threats in Belgium.

The Belgian Data Protection Authority (DPA) is an independent body that ensures that the fundamental principles of personal data protection are properly observed. This includes the GDPR's requirements relating to data security and personal data breach notifications. The DPA was established by the DPA Act and is the successor to the former Privacy Commission. The DPA consists of different departments, each of which plays a specific role in enforcement cases. The Frontline Service performs a triage function to determine which complaints merit further investigation, the Inspection Body carries out investigations, and the Dispute Resolution Chamber issues enforcement decisions. Investigations are typically triggered by a complaint or request for information, but the DPA can also decide to open an investigation (eg, focusing on data security compliance in a particular industry or sector) at its own initiative.

The Information Security Committee (ISC) has been created by the Act of 5 September 2018 to grant certain authorisations in relation to the processing and communication of specific categories of personal data (eg, national registry number).

 1.3 Administration and Enforcement Process

A breach of the NIS Act can be sanctioned either (i) criminally in court or (ii) administratively by sectoral authorities. Under the NIS Act, the relevant sectoral inspectorate may at any time verify the compliance of providers of essential services with the security obligations and incident reporting rules of the NIS Act. Providers of essential services in scope of the NIS Act are obliged to co-operate fully with the sectoral authorities and, in particular, to inform them to the best of their ability of all existing security measures.

The DPA is in charge of monitoring and supervising compliance with the GDPR and the Data Protection Act. To that end, the DPA has diverse and far-reaching investigative powers, including the power to conduct on-site investigations and audits, to interview relevant individuals, to seize documents and IT systems, to request identification of relevant individuals, and any other investigation, verification and interrogation measures that are deemed necessary to ascertain that data protection law is complied with.

Cybercrimes are prosecuted by the Belgian justice system.

 1.4 Multilateral and Subnational Issues

Belgium is in the process of creating a framework that enables companies to evaluate and certify the security of ICT products, services and processes, in line with the EU Cybersecurity Act (see 2.1 Key Laws). Belgium will establish a National Cybersecurity Certification Authority that will co-ordinate the necessary expertise in cybersecurity certification, authorise certificates with high security requirements, and establish close collaboration with the Belgian accreditation organisation.

As a member of the Council of Europe, Belgium has joined the Council's Convention on Cybercrime (ETS No 185 of 23 November 2001). The Act of 28 November 2000 transposes the Convention's requirements on cybercrime in the Criminal Code. The Act of 15 May 2006 implements the requirements of the Additional Protocol to the Convention on Cybercrime concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (ETS No 189 of 28 January 2003).

The Council of Europe adopted the Second Additional Protocol on 17 November 2021. This Protocol aims to enhance co-operation between state parties, improving the disclosure of electronic evidence for the purpose of specific criminal investigations and proceedings, and increasing the ability of law enforcement authorities to counter cybercrime and other crime, while fully respecting human rights and fundamental freedoms. It is expected to be opened for signature in May 2022.

 1.5 Information Sharing Organisations and Government Cybersecurity Assistance

The BCC is Belgium's national cybersecurity authority. In this role, it receives pertinent threat information from various partners and stakeholders. Within the BCC, the Cyber Threat Research and Intelligence Sharing department (CyTRIS) collects information on and monitors cyber threats, and publishes related reports on a regular basis. CyTRIS is also responsible for the BCC's Early Warning System (EWS) and for the communication and information exchange with CSIRTs in other EU countries. CyTRIS is also in charge of the Spear Warning procedure, which provides organisations with warnings about specific infections or vulnerabilities (see also 7.2 Voluntary Information Sharing Opportunities).

 1.6 System Characteristics

Belgium advocates an open, free and secure cyberspace where citizens and businesses can fully develop, where they can engage internationally, and where fundamental rights are safeguarded and protected.

 1.7 Key Developments

Cybersecurity Strategy 2.0 (2021–2025), released by the BCC in May 2021, is an ambitious national cybersecurity strategy aiming to make Belgium one of the most cybersecure countries in Europe by 2025 (see 10.1 Further Considerations regarding Cybersecurity Regulation).

 1.8 Significant Pending Changes, Hot Topics and Issues

The Belgian National Risk Assessment 2018–2023 of the NCCN considers cybercrime as one of the main risks the country will be facing in the coming years. In particular, cybercrime and "hacktivism" (ie, cyber-activism involving hacking) against businesses and critical infrastructures are identified as national priority risks.

Cybersecurity Strategy 2.0 sets out several strategic objectives that the BCC intends to pursue in co-operation with all relevant stakeholders in the cybersecurity sector in the upcoming years. Its objectives include:

  • strengthening and increasing trust in the digital environment;
  • arming users and administrators of computers and networks;
  • protecting organisations of vital interest from all cyber threats;
  • responding effectively to cyber threats;
  • improving public, private and academic collaborations; and
  • participating in international commitments.

The DPA's Strategic Plan 2020–2025 identifies telecommunications, media, public authorities, direct marketing and education as priority sectors. The designation and role of data protection officers, the legitimacy of the processing, and the rights of data subjects are considered as key GDPR obligations. It is expected that these priorities will be further reflected in the DPA's policies and enforcement actions in the coming years.

2. Key Laws and Regulators at National and Subnational Levels

 2.1 Key Laws

In addition to the laws and regulations listed in 1.1 Laws, the following EU and Belgian legislation is relevant in the area of cybersecurity.

  • Act of 30 November 1998 governing the intelligence and security services.
  • Act of 11 December 1998 on security classification and security clearances, certificates and advisory opinions, as amended by the Act of 4 February 2010 on data collection methods by the intelligence and security services.
  • Act of 21 March 2007 regarding the installation and use of surveillance cameras, as amended by the Act of 21 March 2018.
  • Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation).
  • Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSDII).
  • Title 2 of Book XII of the Code of Economic Law (as amended by the Act of 21 July 2016, Book VI and Book XII of the Code of Economic Law on direct marketing and cookies, the Act of 18 July 2017 on electronic identification, the Act of 20 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier and the elimination of obstacles to the conclusion of contracts by electronic means, and the Royal Decree of 25 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier), implementing the eIDAS Regulation.
  • Act of 2 October 2017 regulating private and special security, as amended by the Act of 9 May 2019.
  • Act of 11 March 2018 regarding the legal status and the supervision of payment institutions and electronic money institutions, the access to the undertaking of payment service provider and to the activity of issuing electronic money, and the access to payment systems, implementing the PSDII.
  • Act of 5 September 2018 setting up the Information Security Committee and amending various laws regarding the implementation of the GDPR.
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 ("Cybersecurity Act").

 2.2 Regulators

See 1.2 Regulators.

 2.3 Over-Arching Cybersecurity Agency

Cybersecurity Strategy 2.0 emphasises that Belgium supports the legislative and diplomatic roles of the EU, NATO and other relevant international organisations in their contribution to an open, free and secure cyber-environment, and in particular the European Union Agency for Cybersecurity (ENISA).

ENISA is the EU centre of expertise for cybersecurity in Europe. It helps the EU and the EU member states to be better equipped and prepared in order to prevent, detect and respond to information security issues. ENISA provides practical advice and solutions to the public and private sector as well as to EU institutions, including on cross-Europe cyber crisis exercises, the development of national cybersecurity strategies, and the co-operation between CERTs. The BCC, in its capacity as national cybersecurity authority, represents Belgium in ENISA's various working groups and platforms.

 2.4 Data Protection Authorities or Privacy Regulators

See 1.2 Regulators.

 2.5 Financial or Other Sectoral Regulators

For the financial sector, various authorities in Belgium have monitoring duties and powers.

For example, credit institutions, operators of trading venues and certain financial institutions that are subject to the supervision of the National Bank of Belgium may qualify as operators of essential services (OES) under the NIS Act.

The National Bank of Belgium (NBB) and the Financial Services and Markets Authority (FSMA) are the primary financial services regulators in Belgium. They are also in charge of monitoring cybersecurity risks in the Belgian financial sector. OES in the financial sector must notify the NBB of all incidents that substantially affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services they provide depend.

 2.6 Other Relevant Regulators and Agencies

See 1.2 Regulators.

3. Key Frameworks

 3.1 De Jure or De Facto Standards

There is a wide variety of cybersecurity-related guidance issued by regulators in Belgium. General guidance from the BCC, such as the Cyber Security Guide for SMEs (2017) and the Cyber Security Incident Management Guide (2016), is frequently used. The BCC also maintains an Online Cybersecurity Reference Guide to assist organisations in developing bespoke cybersecurity strategies. The Guide offers recommendations in terms of planning, risk management, security measures and evaluations in the use of computers and computer networks.

The BCC frequently collaborates with sectoral authorities to adopt sector-specific guidance. The Baseline Principles for Managing Cyber Security Risk in the Financial Sector (2018), for example, is the result of such a collaboration with the FSMA.

Other commonly deployed guidance and standards in Belgium include ENISA standards for cybersecurity, the NIST Cyber Security Framework, the ISO/IEC 27000 series standards, and the guidance of the European Cyber Security Organization (ECSO).

 3.2 Consensus or Commonly Applied Framework

The GDPR requires that personal data is protected by appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. To date, the Belgian DPA has not issued any post-GDPR guidance on this subject. There is no standard applied framework in Belgium to meet the (Article 32) GDPR requirements. In general, the ISO/IEC 27000 series standards are widely applied in Belgium.

Operators of essential services (OES) must take appropriate and proportionate technical and organisational measures to detect, prevent and mitigate the risks to the security of their network and information systems in accordance with the NIS Act. These measures should take account of the state-of-the-art and of the likelihood and severity of the risks. The BCC and other authorities have published guidelines and best practices in this regard, both on national and sectoral levels.

 3.3 Legal Requirements

The NIS Act establishes a framework for the security of networks and information systems of general interest for public security, imposing duties on operators of essential services (OES) and digital service providers (DSP) that are in scope of the NIS Act. The relevant sectoral authorities are in charge of identifying OES in the following sectors: energy (electricity, oil and gas); transport (air, rail, water and road); finance (financial institutions and financial trade platforms); healthcare, potable water (supply and distribution); and digital infrastructure (IXPs, DNS providers, TLD name registries).

OES are required to take technical and organisational security measures, draw up a security policy for network and information systems, appoint a contact person for security of network and information systems, communicate the contact details to the sectoral authority, notify incidents, conduct an annual internal audit of the network and information systems, and conduct an external audit of their network and information systems every three years.

DSP, including online marketplaces, online search engines and cloud computing services, are required to take technical and organisational security measures, appoint a contact person for security of network and information systems, and communicate the contact details to the sectoral authority.

The Critical Infrastructures Act imposes several duties on operators of critical infrastructures in the following sectors: energy (electricity, oil and gas); transport (road, rail, water); finance (including online trade platforms); electronic communications; digital infrastructures; healthcare; and potable water. Such operators are required to take internal and external security measures in order to protect their critical infrastructures. They need to appoint a contact point and communicate the contact details of the contact point to the sectoral authority. They need to draw up a security plan aiming to prevent, reduce and neutralise the risks of disruption of the operation or destruction of the critical infrastructure by putting in place internal physical and organisational measures.

The Telecom Act requires telecom operators (ie, providers of telecommunications and internet service providers) to take appropriate and proportionate technical and organisational measures, including encryption where appropriate, to properly manage the risks to the security of their networks and services, as well as to minimise the impact of security incidents on users and on other networks and services. These measures need to ensure a level of security appropriate to the risks encountered, taking into account the state-of-the-art. Such measures include, at least, that only authorised personnel have access to personal data, that stored or transmitted personal data is protected against data breach incidents, and that a security policy is implemented with respect to the processing of personal data.

The BIPT (sectoral authority) can monitor the measures taken by telecom operators and make recommendations on best practices regarding the level of security to be achieved by the measures. At the request of the BIPT, telecom operators need to participate in or organise an exercise related to the security of their networks or services. Also, at the request of the BIPT, telecom operators may be asked to communicate a contact person who can be reached at all times in the context of managing security incidents.

The GDPR requires the designation of a data protection officer (DPO) where the processing is carried out by a public authority or body, where the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or where the core activities of the controller or processor consist of processing on a large scale of special categories of data or data relating to criminal convictions and offences. The function of the DPO is different from the role of an information security officer. While the DPO may fulfil other tasks and duties, such a combination may not result in a conflict of interests, including conflicts arising from combining data protection and cybersecurity functions.

In addition, the GDPR requires that data protection impact assessments are conducted for data processing activities that are likely to result in a high risk to the rights and freedoms of natural persons. Where the assessment shows a high residual risk that cannot be mitigated by specific measures, the controller is required to consult the DPA.

 3.4 Key Multinational Relationships

Belgium is a member of the Global Forum on Cyber Expertise (GFCE). The GFCE is a global platform for countries, international organisations and private companies to exchange best practices and expertise on cyber capacity building by connecting needs, resources and expertise, and by making practical knowledge available to the global community.

Belgium is also a member of the Permanent Structured Cooperation on security and defence (PESCO). PESCO is an initiative of the European Defence Agency established by Council Decision (CFSP) 2017/2315 of 11 December 2017. The goal of the initiative is to collaboratively develop a coherent full-spectrum force package and make these capabilities available to the participating EU member states.

4. Key Affirmative Security Requirements

 4.1 Personal Data

The GDPR requires that personal data is protected by appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

In assessing the appropriate level of security, the focus should be on those risks that stem from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Additional requirements may be imposed on a sectoral level. For example, the Telecom Act imposes specific security duties relating to the protection of personal data on telecom operators (see 3.3 Legal Requirements).

 4.2 Material Business Data and Material Non-public Information

There are currently no specific legal requirements in regard to the security and protection of material business data.

 4.3 Critical Infrastructure, Networks, Systems

The Critical Infrastructures Act imposes several duties on operators of critical infrastructures (OCI) in the following sectors: energy (electricity, oil and gas); transport (road, rail, water); finance (including online trade platforms); electronic communications; digital infrastructures; healthcare; and potable water.

OCI are required to implement internal and external security measures in order to protect their critical infrastructures. They must appoint a contact point and communicate the contact details to the sectoral authority. They are also required to draw up a security plan aiming to prevent, reduce and neutralise the risks of disruption of the operation or destruction of the critical infrastructure by putting in place internal physical and organisational measures. They may also need to notify incidents relating to their critical infrastructure (see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event).

 4.4 Denial of Service Attacks

Despite the massive DDoS attack on Belnet in May 2021, which took down several Belgian government websites, there are no specific legal requirements aimed at preventing such attacks, or similar attacks.

 4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems

Cybersecurity certification will play an important role in increasing trust and security in IoT-related products, services and processes, and the Cybersecurity Act has therefore introduced a European cybersecurity certification framework (see also 5.6 Security Requirements for IoT).

For the time being, cybersecurity certification is voluntary, unless otherwise specified by EU or member state law.

5. Data Breach Reporting and Notification

 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event

Under the GDPR, controllers whose processing of personal data is subject to Belgian law are required to notify personal data breaches to the Belgian Data Protection Authority (DPA) and, in some cases, to the individuals whose personal data are affected. A personal data breach is a type of data security incident. While all personal data breaches are data security incidents, not all data security incidents are necessarily personal data breaches. The GDPR, and hence the notification duties to the DPA and affected individuals, only apply where there is a personal data breach.

The GDPR defines the concept "personal data breach" broadly as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". There is "destruction" of personal data where the data no longer exists, or no longer exists in a form that is of any use to the controller. "Damage" means that personal data has been altered, corrupted or is no longer complete. In terms of "loss" of personal data, this should be interpreted in the sense that the data may still exist, but the controller has lost control or access to it, or no longer has it in its possession. Finally, "unauthorised" or "unlawful" processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.

Under the NIS Act, operators of essential services (OES) must report incidents that affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services they provide depend. Digital service providers (DSP) under the NIS Act must notify incidents having a substantial impact on the provision of the services they offer within the European Union. Reporting is done, via a centralised NIS platform, to the BCC, the relevant sectoral authority, and the Ministry of Interior Affairs' crisis centre (ADCC). In this context, the term "incident" refers to "any event having an actual adverse effect on the security of network and information systems". "Security of network and information systems" refers to "the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems".

Under the Critical Infrastructures Act, operators of critical infrastructures in scope of the Act are required to notify the Federal Police, the relevant sectoral authority, as well as the ADCC in case of an event that can compromise the security of the critical infrastructures for which they are responsible. The Act does not further define what constitutes a reportable "event".

The Telecom Act (transposing the e-Privacy Directive and the EECC) defines the security measures that providers of publicly available electronic communications services and networks in Belgium ("telecom operators") must take, both to guarantee the continuity of the operation of their networks and services and to protect the (personal) data that is processed in the context of the provision of those networks and services. The Telecom Act requires telecom operators to notify the Belgian Institute for Postal Services and Telecommunications (BIPT) in the following circumstances.

  • If there is a specific and significant threat of a security incident. In that case, the telecom operators must also inform users potentially affected by such a threat of any possible protective measures or remedies which can be taken by the users.
  • In case of an actual security incident that has had a significant impact on the operation of networks and services. The Telecom Act sets out five parameters in order to determine the significance of the impact. 

In this context, a "security incident" is defined as "an event having an actual adverse effect on the security of electronic communications networks or services". Telecom operators are also required to notify the DPA if there has been a breach relating to personal data that is transmitted, stored or otherwise processed in connection with their services. The DPA will subsequently have to inform the BIPT of the breach.

 5.2 Data Elements Covered

The GDPR

The notification duties in the GDPR apply only to the extent that there has been a personal data breach, which means that the breach must involve personal data, as that concept is defined in the GDPR. The GDPR refers to personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

Pseudonymised data – ie, information that has been processed in such a manner that it can no longer be attributed to a specific individual without the use of additional information – is still considered personal data under the GDPR.

The type and sensitivity of personal data involved in a personal data breach will play an important role in the risk assessment that the controller must conduct in the immediate wake of the breach. The more sensitive the personal data, the higher the risk of harm to affected individuals and the more likely the breach will have to be reported.

The Telecom Act

The provisions in the Telecom Act regarding regulator and user notifications refer to the concept of "breaches relating to personal data", which the Act defines as a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of electronic communications services in the European Union.

 5.3 Systems Covered

Under the NIS Act, there are reporting duties when an incident has (adversely) affected the security of network and information systems. The concept "network and information system" refers to:

  • a) an electronic communications network within the meaning of the Telecom Act (ie, transmission systems, whether or not based on a permanent infrastructure or centralised management capacity and, where appropriate, the switching or routing equipment and other resources, including network elements that are not active, that may allow signals to be conveyed by wire, radio waves, optical or other electromagnetic means – this includes satellite networks, fixed (circuit- and packet-switched, including the internet) and mobile networks, and electricity networks insofar as they are used for the transmission of signals other than those of audio-visual and auditory media services);
  • b) any device or group of (permanently or temporarily) interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data, including the digital, electronic or mechanical components of that device which enable the automation of the operational process, remote monitoring, or the collection of processing data in real time; 
  • c) digital data stored, processed, retrieved or transmitted by elements covered under points a) and b) for the purposes of their operation, use, protection and maintenance.

Under the Critical Infrastructures Act, the reporting duty applies to operators of critical infrastructures in scope of the Act (ie, in the areas of transportation, energy, finance, trading platforms, electronic communications and digital infrastructures, healthcare, and potable water supplies). The Critical Infrastructures Act defines the concept "critical infrastructure" as an installation, system or part thereof, of federal importance, which is critical to the preservation of vital societal functions, health, safety, security, economic prosperity or societal well-being, and whose disruption or destruction would have a significant repercussion by disrupting those functions.

 5.4 Security Requirements for Medical Devices

The Medical Devices Regulation requires that, for devices that incorporate software and for software that is a medical device in itself, the software be developed and manufactured in accordance with the state of the art, including with regard to information security and verification and validation. Manufacturers of such medical devices must set out minimum requirements concerning hardware, IT network characteristics and IT security measures, including protection against unauthorised access.

Incidents involving the security of medical devices that include or constitute software may require notification to the national competent authority, if certain conditions are met. This will be the case, for example, where the medical device is suspected to be a contributory cause of the incident and the incident has (or might have) led to the death or serious deterioration in the state of health of a patient or other person. For incidents that occur on the Belgian territory, the national competent authority is the Federal Agency for Pharmaceuticals and Health Products (FAGG).

The timing for notifying medical device-related incidents varies depending on the outcome of the incident. In the case of a serious public health threat, incidents must be notified immediately and, in any event, no later than two calendar days after the manufacturer has become aware of the threat. In the case of death or an unanticipated serious deterioration in an individual's state of health, the FAGG must be notified immediately after the manufacturer has established a link between the device and the event, but not later than ten calendar days following the date of awareness of the event. For other serious incidents, manufacturers must notify the FAGG immediately after establishing that a causal relationship with the device is established or reasonably possible, and not later than 15 calendar days after becoming aware of the incident.

Reportable incidents involving the security of medical devices must be notified to the FAGG using a standardised form that the European Commission has made available online (Manufacturer Incident Report – MIR).

 5.5 Security Requirements for Industrial Control Systems (and SCADA)

Industrial Control Systems (ICS) are command and control networks and systems designed to support industrial processes. The largest subgroup of ICS is formed by Supervisory Control and Data Acquisition (SCADA) systems. Critical infrastructures, such as electricity generation plants, transportation systems, oil refineries, chemical factories and manufacturing facilities are increasingly making use of ICS to monitor their facilities and ensure their proper operation.

If an event has occurred affecting ICS or SCADA systems, as a result of which the security of a critical infrastructure could be compromised, the operator of the critical infrastructure may be required to notify the relevant authorities pursuant to the Critical Infrastructures Act or, if the event adversely affects the provision of essential services, the relevant authorities pursuant to the NIS Act (see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event).

 5.6 Security Requirements for IoT

The Cybersecurity Act recognises that digitisation and connectivity are becoming core features in a growing number of products and services, and with the advent of the internet of things (IoT) a high number of connected digital devices are expected to be deployed across the EU. The digital single market, and in particular the IoT, can thrive only if there is general public trust that IoT-based products, services and processes provide a certain level of cybersecurity. Cybersecurity certification will play an important role in increasing trust and security in IoT-related products, services and processes, and the Cybersecurity Act has therefore introduced a European cybersecurity certification framework.

For the time being, cybersecurity certification is voluntary, unless otherwise specified by EU or member state law.

The Belgian government is still to designate a National Cybersecurity Certification Authority (NCCA), which will be tasked with monitoring compliance with and enforcing the obligations of manufacturers or providers of ICT products, services or processes that are established in Belgium and have joined a particular cybersecurity certification scheme.

Although the Cybersecurity Act does not provide for a reporting duty in the case of an incident involving "certified" products, services or processes, the NCCA will have the power to carry out compliance investigations, in the form of audits, of holders of cybersecurity certificates established in Belgium. The NCCA will also be entitled to access the premises of holders of cybersecurity certificates in Belgium, for the purpose of carrying out investigations in accordance with Belgian procedural law. If its investigation reveals (substantial) non-compliance, the NCCA will be able to impose penalties in accordance with national law, and to require the immediate cessation of infringements.

 5.7 Requirements for Secure Software Development

The Cybersecurity Act has introduced a regime of cybersecurity certifications (see also 5.6 Security Requirements for IoT), participation in which is still voluntary at this point. The regime is designed to achieve a number of security objectives, including ensuring that ICT products, services and processes are provided with up-to-date software (and hardware) that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure updates. Organisations, manufacturers or providers involved in the design and development of software should therefore implement measures at the earliest stages of design and development to protect the software to the highest possible degree ("security-by-design"). Also, software should be designed in a way that ensures a higher level of security which should enable the first user to receive a default configuration with the most secure settings possible ("security by default").

In addition, cybersecurity certification schemes for software will need to take into account current software development methods and, in particular, the impact of frequent software or firmware updates on cybersecurity certificates. They should also specify the conditions under which an update may require that a software product be recertified or that the scope of a specific European cybersecurity certificate be reduced. This may be necessary if an update could adversely affect compliance with the security requirements of that certificate.

 5.8 Reporting Triggers

Although the GDPR imposes an obligation on controllers to notify personal data breaches, in practice notification is not always required:

  • notification to the DPA is required, unless a personal data breach is unlikely to result in a risk to the rights and freedoms of individuals;
  • communication of a breach to affected individuals is only triggered if the breach is likely to result in a high risk to the rights and freedoms of those individuals.

When controllers have engaged processors, those processors must notify the controllers, without undue delay, if they have suffered a personal data breach involving personal data that is being processed on the controllers' behalf.

Under the NIS Act, operators of essential services (OES) must notify all incidents that affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services they provide depend. The NIS Act provides for the possibility to determine, by royal decree, impact levels and/or thresholds for the reporting of incidents, or different reporting categories according to the degree of impact of the incident. However, to date no such royal decree has been passed.

Digital service providers (DSP) under the NIS Act must notify all incidents that have a substantial impact on the provision of the digital service(s) that they offer in the European Union. The European Commission has identified the parameters and thresholds for determining whether an incident has a substantial impact on the provision of a digital service (Implementing Regulation 2018/151 of 30 January 2018). Apart from those thresholds and parameters, the BCC encourages DSP to voluntarily report any incident with previously unknown characteristics, such as new attack vectors, threats, dangers or weaknesses.

Telecom operators subject to the Telecom Act must report to the BIPT security incidents that reach one or more of the following thresholds:

  • the incident lasts at least one hour and affects at least 25,000 end users;
  • the incident has an impact on the network affecting access to emergency services via that network;
  • the incident has an impact on interconnections on the Belgian territory and therefore affects other operators in Belgium or abroad;
  • the incident has an impact on a network component that the operator considers critical for the operation of its networks or services.

 5.9 "Risk of Harm" Thresholds or Standards

Under the GDPR, controllers that have become aware of a personal data breach are expected to assess the risk that could result from the breach. According to regulatory guidance on this topic, there are two main reasons for this:

  • knowing the likelihood and the potential severity of the impact on affected individuals will help the controller to take effective steps to contain and address the breach; and
  • a risk assessment will help the controller determine whether notification is required to the DPA and, if necessary, to the affected individuals.

A personal data breach must be notified to the DPA, unless it is unlikely to result in a risk to the rights and freedoms of individuals. The key trigger requiring communication of a personal data breach to affected individuals, however, is the likelihood that the breach will result in a high risk to the rights and freedoms of those individuals. That risk exists when the breach may lead to physical, material or non-material damage for the affected individuals. Examples of such damage include discrimination, identity theft or fraud, financial loss and damage to reputation.

When the breach involves personal data that reveals special or "sensitive" categories of personal data (eg, data revealing racial or ethnic origin, health data, or data concerning sex life), the DPA considers that such damage is likely to occur.

Also, if the controller is aware that personal data that has been breached is in the hands of individuals or organisations whose intentions are unknown or possibly malicious, this can have a bearing on the potential risk of harm.

6. Ability to Monitor Networks for Cybersecurity

 6.1 Cybersecurity Defensive Measures

The GDPR provides explicitly that controllers have a legitimate interest in processing personal data to the extent that such processing is strictly necessary and proportionate for the purposes of ensuring network and information security. This includes ensuring the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data.

The legitimate interest justification would also apply to the security of related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), or by providers of electronic communications networks and services and by providers of security technologies and services. The GDPR further specifies that permitted practices and tools for network and information security could include those that focus on: (i) preventing unauthorised access to electronic communications networks and malicious code distribution; and/or (ii) stopping "denial of service" attacks and damage to computer and electronic communication systems.

Whether monitoring practices and tools meet the necessity and proportionality test under the GDPR will require a careful balancing of the interests of the controller and the rights of the individuals whose personal data are at stake.

The Belgian Data Protection Authority (DPA) has issued extensive guidance on workplace privacy and employers' monitoring of network and information systems. In addition, in 2002 employer and employee organisations in Belgium reached a consensus on a Collective Bargaining Agreement (CBA No 81) that allows employers – subject to strict conditions – to monitor their workers' use of electronic/online communication means (eg, email and internet). CBA No 81 sets out general principles of privacy and data protection that employers must follow, and creates a framework that allows employers to engage in certain monitoring activities, including for purposes of preserving the security and/or functioning of their organisation's IT systems. 

 6.2 Intersection of Cybersecurity and Privacy or Data Protection

There are three main reasons why the intersection of cybersecurity, privacy and data protection presents severe compliance challenges.

  • At EU and national level, cybersecurity, privacy and data protection are regulated by different legal instruments – in particular the GDPR, the Telecom Act (which transposes the ePrivacy Directive and EECC), and the NIS Act (which transposes the NIS Directive). As a result, organisations in Belgium whose activities fall under, for example, both the GDPR and NIS Act may be subject to different security and breach notification requirements.
  • While cybersecurity rules aim to protect networks and information systems, privacy and data protection laws focus on the protection of individuals' privacy and the safeguarding of their personal data. In other words, cybersecurity and privacy/data protection serve different and, to an extent, conflicting objectives.
  • From a cybersecurity perspective, there is a tendency to expand monitoring of networks and information systems, as this is considered essential in order to withstand increasing cyber threats. However, in many cases, monitoring involves processing of individuals' personal data, which will need to comply with the basic data protection principles laid down in the GDPR. The GDPR recognises that controllers have a legitimate interest in monitoring their networks and information systems – and in processing personal data along the way – provided that the data processing is strictly necessary and proportionate for the purposes of ensuring network and information security.

7. Cyberthreat Information Sharing Arrangements

 7.1 Required or Authorised Sharing of Cybersecurity Information

There is currently no required or formally authorised sharing of cybersecurity information with the Belgian government. See, however, 7.2 Voluntary Information Sharing Opportunities for an overview of voluntary data sharing initiatives. 

 7.2 Voluntary Information Sharing Opportunities

Both the Cybersecurity Act and the NIS Directive promote the creation of Information Sharing and Analysis Centres (ISACs). ISACs are stakeholder-driven private-public partnerships (PPPs) that collect, analyse and disseminate actionable threat information and provide their members with tools to mitigate risks and enhance resilience.

In Belgium, ISACs are facilitated by the Belgian Cybersecurity Centre (BCC). Some of the ISAC initiatives that the BCC has fostered include the Cyber Threat Intelligence Research Project (CTISRP), the Cyber Security Coalition, and Belgian Network and Information Security (BELNIS). This last initiative acts as a co-ordinating workgroup comprising representatives from various government agencies engaged in cybersecurity. It provides advice to the Belgian government on cybersecurity incidents and cybersecurity in general. The Cyber Security Coalition Belgium acts as a platform for cyber experts from private, academic and public sectors.

In addition, the BCC has a specific department (Cyber Threat Research and Intelligence Sharing – CyTRIS) that collects relevant information, monitors cyber threats and publishes related reports on a regular basis. CyTRIS is also responsible for the BCC's Early Warning System (EWS) and for the communication and information exchange with CSIRTs in other EU countries. CyTRIS is also in charge of the Spear Warning procedure, which provides organisations with warnings about specific infections or vulnerabilities.

Other information-sharing initiatives include:

  • the Quarterly Cyber Threat Report (QCTR) events, organised by CyTRIS, which bring together different stakeholders at least once a quarter and inform all participants about active cyber threats;
  • the Cyber Security Sectoral Authority Platform (CySSAP), which brings together the supervisory authorities of operators of essential services (OES);
  • the CSI/DPO platform (les conseillers en sécurité de l'information / data protection officers), which provides a meeting forum for security advisers and data protection officers of the different public services in Belgium; and
  • Synergy IT (SIT), which is a platform for sharing knowledge and information among IT managers from all federal public services, with the aim of setting up and monitoring joint IT (security) initiatives.

8. Significant Cybersecurity and Data Breach Regulatory Enforcement and Litigation

 8.1 Regulatory Enforcement or Litigation

In the past three years, there has been a steep increase in the number of personal data breaches that have been notified to the DPA. The majority of personal data breaches that are notified to the Belgian DPA relate to incidents caused by human error (33%) as well as hacking, phishing or malware (28%). However, thus far the DPA has issued few enforcement decisions that involve lack of compliance with the GDPR's requirements relating to data security and personal data breaches.

In one decision, dated 28 April 2020, the DPA emphasised that it is essential that controllers document every personal data breach that they have suffered, even if the breach did not result in a (high) risk to the rights and freedoms of individuals. In addition, the DPA reminded controllers that if they have designated a data protection officer (DPO), they should sufficiently involve their DPO in the risk assessment that must be performed in the event of a personal data breach.

 8.2 Significant Audits, Investigations or Penalties

To date, there have been no significant audits, investigations or penalties imposed for alleged cybersecurity violations or data security incidents or breaches.

 8.3 Applicable Legal Standards

The main legal standards under the GDPR can be summarised as follows: 

  • controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data;
  • in assessing the appropriate level of security, the focus should be on those risks that stem from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;
  • in the case of a personal data breach, the controller is in principle required to notify the personal data breach to the DPA without undue delay (and, where feasible, within 72 hours after having become aware of the personal data breach);
  • the controller must communicate the personal data breach to affected individuals – without undue delay – only if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
  • the controller is responsible for documenting any personal data breaches that it has suffered – this documentation should enable the DPA to verify the controller's compliance with security-related obligations under the GDPR.

 8.4 Significant Private Litigation

The GDPR provides each individual in Belgium with the right to an effective judicial remedy against a controller or processor where they consider that their rights under the GDPR have been infringed as a result of personal data processing in non-compliance with the GDPR. This includes non-compliance with the GDPR's requirements on personal data breaches and data security more generally.

Proceedings against the controller or processor responsible for the GDPR infringement must be brought before the courts of the EU member state where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of Belgium, if that is where the individual has their habitual residence.

Despite the fact that the GDPR introduced this specific right to judicial remedy into the Belgian legal system almost five years ago, to date there has been no noteworthy private litigation involving cybersecurity allegations, or data security incidents or breaches. See, however, the collective redress case highlighted in 8.5 Class Actions.

 8.5 Class Actions

Under the GDPR, individuals in Belgium have the right to mandate a non-profit organisation or association (that meets certain conditions) to exercise, on the individual's behalf, the right to an effective judicial remedy where the individual considers that their data protection rights have been infringed. This infringement could relate to any processing of personal data in non-compliance with the GDPR, including requirements on security of (data) processing. Non-profit organisations and associations can also exercise individuals' rights to receive compensation under the GDPR.

The possibility to file an action for collective redress (or class action) already existed before the GDPR became applicable, since the adoption of the Class Action Act of 28 March 2014. The procedures for class actions under this Act are restricted to specific types of claims, including claims relating to data protection. However, pursuant to this Act, only a group of consumers or small and medium-sized enterprises (SMEs) may initiate an action for collective redress if they have suffered damage as a result of a common cause. The group must also decide whether the action should be based on an opt-in or opt-out system for potential claimants. In order to initiate an action for collective redress, the group of consumers or SMEs must be represented by a "group representative" – typically a non-profit association – that meets a number of conditions set out in the Class Action Act.

So far, relatively few actions for collective redress have been launched in connection with data protection claims. In 2018, the Belgian consumer protection organisation Test Aankoop/Test Achats initiated a class action before the Brussels courts on behalf of approximately 44,000 individuals against Facebook, in the wake of the Cambridge Analytica matter. Test Aankoop/Test Achats initially claimed per capita damages of EUR200, but ultimately decided to terminate its legal action against Facebook, following a settlement between the parties.

9. Due Diligence

 9.1 Processes and Issues

In corporate transactions where the buyer assumes legal responsibility for the target's data processing systems and operations (eg, as a result of a share acquisition), it is important to ensure that the buyer has obtained all relevant information about the target's compliance with network, information system and data security requirements. 

In particular, the buyer will want to receive reassurance from the seller – by means of representations and warranties, and after having conducted thorough due diligence – that the target has carried on its business at all times substantially in compliance with applicable cybersecurity and data protection laws and regulations. This should include confirmation that the target has, for instance:

  • implemented appropriate technical and organisational measures, including data protection policies and procedures, to protect against the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data;
  • put in place data security incident and personal data breach response plans (including maintaining a record of personal data breaches);
  • entered into written contracts with vendors/processors ensuring that they have implemented appropriate technical and organisational measures to safeguard any data that they are processing on behalf of the target. 

One possible issue is that sellers sometimes fail to provide the prospective buyer with copies of all of the target's policies, procedures, certifications, reports or test results prepared internally or by a third party relating to the security of the target's IT and data processing systems, including risk assessments, security audits, vulnerability reports, user awareness reports, or the results of any penetration ("pen") testing. Another issue is that the seller's representations and warranties around compliance with applicable cybersecurity and data protection rules may be of limited value if the buyer's due diligence has identified broad non-compliance. In those cases, buyers may want to secure cybersecurity and data protection-related indemnities from the seller.

 9.2 Public Disclosure

There are currently no laws mandating public disclosure of an organisation's cybersecurity risk profile or experience. However, if there is a personal data breach that must be notified to affected individuals pursuant to the GDPR and notifying them individually would involve disproportionate efforts, data controllers are required to issue a public communication (or take similar measures) to make sure that the affected individuals are informed effectively. This requirement may therefore result in a public disclosure of the organisation's cybersecurity experience.

10. Insurance and Other Cybersecurity Issues

 10.1 Further Considerations regarding Cybersecurity Regulation

In May 2021, the Belgian Cybersecurity Centre (BCC) published its Cybersecurity Strategy 2.0, which aims to ensure that Belgium becomes one of the least vulnerable countries in Europe in the cybersecurity area by 2025. Cybersecurity Strategy 2.0 is built on a number of strategic objectives that the BCC intends to pursue in co-operation with all relevant stakeholders. This includes the establishment of a Cyber Greenhouse – an innovation centre that will help create and test innovative cyber solutions and business models in a risk-free environment. These efforts should also result in additional cybersecurity guidelines and best practices.

As part of Cybersecurity Strategy 2.0, the Belgian government intends to create a framework that allows companies to assess and certify the safety of ICT products, services and processes. This framework shall be aligned with the EU Cyber Security Act as well as any relevant developments at EU level. The EU Cyber Security Act aims to ensure the mutual recognition of cybersecurity-related certificates within the European Union. To that end, the Belgian government plans to establish a national cybersecurity certification authority (NCCA), which is expected to develop a cybersecurity recognition mechanism for companies that wish to demonstrate the implementation within their organisation of basic cybersecurity requirements, best practices and policies.

In terms of cybersecurity insurance, although it is not legally required, companies in Belgium are increasingly seeking to obtain specialised insurance coverage. As a result of this demand, several insurance companies are now offering a variety of cyber insurance solutions to their Belgium-based (business) customers. Most of these insurance offerings provide coverage in case of loss or damage caused by cybercrime, hacker-related damage, cyber-extortion (eg, ransomware or cryptoware) and data theft. Many also offer 24/7 (helpdesk) assistance in the event of a cyber-attack or data breach, and/or reimburse costs for legal, IT and PR services that are necessary to limit any damage to the company and its reputation.

Optionally, cyber insurance may also extend to (alleged) infringements of privacy and data protection law (eg, the GDPR) and provide coverage when the insured company is facing administrative fines – for example, for not having adequately protected the personal data for which it is responsible as the data controller.

Originally published by Chambers and Partners.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
