1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

In Belgium, a legal distinction exists between these concepts, which follows from Belgian and EU law.

'Cybersecurity' is defined on the basis of EU law instruments. For example, the EU Cybersecurity Act (Regulation 2019/881 of 17 April 2019, which directly applies in Belgium) defines 'cybersecurity' as "the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats". The recently adopted Belgian cybersecurity strategy of 2021-2025 defines 'cybersecurity' as "the result of a set of security measures that minimize the risk of disruption of, or unauthorized access to, information and communication (ICT) systems".

A 'cyber threat' is defined in the EU Cybersecurity Act as a "potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons".

The Belgian Network and Information Systems Security Act of 7 April 2019 ('NIS Act'), which implements the EU NIS Directive 2016/1148, states that the obligation to protect network and information systems aims to ensure "the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems".

'Data protection' usually refers to the legal framework for the protection of personal data – that is, data relating to an identified or identifiable person – which is set out in the General Data Protection Regulation (2016/679) (GDPR) and further regulated by the Privacy Act of 30 July 2018. In contrast, 'cybersecurity' can relate to the protection of all types of data, including non-personal data.

'Cybercrime' may be understood in the broad sense as all punishable actions and behaviours committed with the assistance of the Internet, data networks or IT systems. These include hacking, phishing, financial scams and cyberstalking. From a Belgian legal perspective, the term includes all crimes set out in the Act of 28 November 2000, which transposed the Council of Europe's Convention on Cybercrime of 23 November 2001.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

Data protection:

  • The GDPR;
  • The Act of 3 December 2017 establishing the Data Protection Authority;
  • The Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data;
  • The Act of 5 September 2018 setting up the information security committee and amending various laws regarding the implementation of the GDPR; and
  • Article 22 of the Belgian Constitution.

Cybersecurity:

  • The Act of 1 July 2011 on the security and protection of critical infrastructures;
  • The NIS Directive;
  • The NIS Act;
  • The Act of 13 June 2005 on electronic communications;
  • Royal Decree of 12 July 2019, implementing the Act of 7 April 2019, establishing a framework for the security of network and information systems of general interest for public security and the Act of 1 July 2011 on the security and protection of critical infrastructure;
  • The Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for the application of the NIS Directive as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems, and of the parameters for determining whether an incident has a substantial impact; and
  • EU Regulation 2019/881 of 17 April 2019 on the European Union Agency for Cybersecurity and on information and communications technology cybersecurity certification, and repealing EU Regulation 526/2013 (the EU Cybersecurity Act).

Cybercrime:

  • The Penal Code (including amendments made by the Act of 28 November 2000 on cybercrime, the Act of 15 May 2006 on cybercrime and Title 14 of the Act of 6 July 2017), and specifically Articles 210bis, 504quater, 550bis and 550ter;
  • The Code of Criminal Proceedings; and
  • The Act of 13 June 2005 on electronic communications.

Further sector-specific laws and regulations exist (eg, with regard to electronic communications, employee surveillance or trade secrets), which are discussed in this Q&A where relevant.

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

Yes, the NIS Act applies specifically to a list of digital service providers and operators of essential services:

  • energy (including electricity, oil and gas);
  • transport (including air, rail, water and road transport);
  • financial institutes;
  • financial market infrastructure;
  • healthcare (both public and private);
  • drinking water supply; and
  • digital infrastructure (including online trade platforms, search engines and cloud computing providers).

Additional criteria are provided to identify which operators in these sectors are in fact covered by the act (eg, whether the provision of the service is dependent on a network and information system).

The proposal for a Directive on measures for a high common level of cybersecurity across the European Union, informally called NIS 2.0, is intended to repeal and build upon the 2016 NIS Directive. This update envisages broadening the personal scope of application. Entities will be classified based on their importance and divided into the categories of essential or important entities, and will be subject to different supervisory regimes accordingly. Essential entities, such as those in the energy, banking, health or digital infrastructure sectors, will be joined by important entities operating in postal and courier services, waste management, manufacturing, production and distribution of chemicals, and food production, processing and distribution. The EU member states will have the right to expand certain categories.

The Electronic Communications Act of 13 June 2005 lays down specific rules on the security of the telecommunications sector. The origin of these rules can be found in the European Electronic Communications Code and the e-Privacy Directive (2005/58). A debate on an e-Privacy Regulation, to replace the e-Privacy Directive, has been ongoing for a couple of years.

The eIDAS Regulation (910/2014) applies to providers of trust services that make business transactions more secure (eg, by creating, verifying and validating electronic signatures). Further Belgian legislation which is relevant in this respect can be found in:

  • Title 2 of Book XII of the Code of Economic Law;
  • the Act of 18 July 2017 on electronic identification;
  • the Act of 20 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier and the elimination of obstacles to the conclusion of contracts by electronic means; and
  • the Royal Decree of 25 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier.

The Second Payment Services Directive (2015/2366) includes cybersecurity rules which apply to payment service providers. The Belgian implementing legislation can be found in the Act of 11 March 2018 on the statute and supervision of payment institutions and electronic money institutions, access to the business of payment service provider and to the activity of issuing electronic money, and access to payment systems.

The GDPR and the Privacy Act apply in all sectors, including those mentioned above, in which personal data is processed.

(b) Certain types of information (personal data, health information, financial information, classified information)?

The GDPR specifically applies to any personal data that is being processed, regardless of sector or industry (but excluding data processed by a natural person in a purely personal capacity, or by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security).

Health and financial information is also covered by the GDPR, as it in essence constitutes personal data. Health data is qualified as 'sensitive data', meaning that stricter requirements apply (eg, processing is forbidden, except in specific cases). Other types of sensitive data include data relating to a data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data.

Trade secrets are protected by the Code of Economic Law pursuant to the Trade Secrets Directive (2016/943).

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

The Penal Code in itself has no extraterritorial application, as it provides that the criminal courts are competent only for crimes committed in the Belgian territory.

However, on 19 February 2019 the Court of Cassation (the country's highest court) decided in the Skype case that a provider of electronic communications services had to provide technical cooperation for tapping, as there was a territorial link with Belgium because Skype was economically active in the country by providing services to Belgian internet users. Thus, a physical presence – whether a seat or any infrastructure – is not required to determine territoriality. Skype had argued that it could not be forced to cooperate with the Belgian authorities for tapping purposes, as it was headquartered in Luxembourg and therefore could only provide such support in Luxembourg. This decision followed on the 1 December 2015 ruling in the Yahoo! case, in which the Court of Cassation held that webmail providers that are economically active in Belgium by providing services to Belgian internet users must also be considered operators which must provide technical cooperation to Belgian law enforcement.

These cases may have been one of the reasons why the Council of Europe and the European Union have initiated the drafting of a protocol to create a regulation on direct cooperation with foreign service providers regarding the gathering of electronic information in criminal matters.

Both the GDPR and the NIS Act have explicit extraterritorial reach, even where the organisation targeted by the legislation is not established in Belgium (or the European Union).

The GDPR specifically applies to:

  • the processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union, regardless of whether the processing takes place in the European Union; and
  • the processing of personal data of data subjects by a controller or processor not established in the European Union, where the processing activities relate to:
    • the offering of goods or services, irrespective of whether a payment is required, to such data subjects in the European Union; or
    • the monitoring of their behaviour, insofar as such behaviour takes place within the European Union.

The European Data Protection Board's Guidelines 3/2018 further explain the (extra)territorial reach of the GDPR.

The NIS Act also applies to digital service providers which are not established in the European Union, but which provide services in Belgium and whose representatives are established in Belgium. This provision fulfils the obligation in the EU NIS Directive for digital service providers to designate a representative in an EU member state, which will determine the jurisdiction applying to the digital service provider.

1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?

As an EU member state, Belgium is a party to several bilateral and multilateral agreements relating to mutual assistance in criminal matters and jurisdiction (including European institutions such as Europol).

Belgium is also a party to the Budapest Convention on Cybercrime of 23 November 2001, which entered into force on 1 May 2006. The convention's purpose is to pursue a common criminal policy to protect society against cybercrime.

1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?

Belgium was one of the first EU member states to include cybercrimes in its Penal Code. In the near future a new Penal Code will be introduced in Belgium which may further expand the penalties for certain cybercrimes. The penalties for the most common cybercrimes (hacking, computer sabotage and phishing) are set out below.

Hacking (Article 550bis of the Penal Code):

  • External hacking (where an unauthorised person knowingly accesses an IT system or maintains access to it): Between six months' and two years' imprisonment and/or a fine of between €208 and €200,000. The maximum sentence is increased to three years' imprisonment in case of fraudulent purpose.
  • Internal hacking (where a person exceeds his or her access rights with a fraudulent purpose or with the intention to cause damage): Between six months' and three years' imprisonment and/or a fine of between €208 and €200,000.
  • Subsequent actions such as stealing data (including trade secrets), using a third-party IT system to hack another IT system or damaging (even unintentionally) an IT system or data, including data stored, processed or transferred through the system: Such aggravating circumstances are sanctioned with increased penalties of between one and five years' imprisonment and a fine of between €208 and €400,000.
  • Unlawfully possessing, producing, selling, acquiring for use, importing, spreading or making available in any other way any instrument (including IT data) that is designed or adapted to facilitate any of the crimes above: Between six months' and three years' imprisonment and a fine of between €208 and €800,000.
  • Instructing or commissioning a third party to commit hacking: Between six months' and five years' imprisonment and/or a fine of between €800 and €1.6 million.

Computer sabotage (Article 550ter of the Penal Code): This crime is defined as being committed by a person who, without authorisation, directly or indirectly enters, changes or erases any data in an IT system or with any other technological means changes the normal use of any data in an IT system. It also includes the infection of IT systems with malware (including ransomware or spyware). The penalties are between six months' and three years' imprisonment and/or a fine of between €208 and €200,000.

If the data is damaged, the punishment is increased to a maximum term of imprisonment of five years and a maximum fine of €600,000. Disrupting the correct working of an IT system is a further aggravating circumstance that may result in increased penalties of between one and five years' imprisonment and/or a fine of between €208 and €800,000.

Phishing (Article 504quater of the Penal Code): This provision sanctions the acquisition, with a fraudulent purpose, of an unlawful economic advantage for oneself or for someone else by:

  • entering, modifying or erasing any data that is stored, processed or transferred by an IT system; or
  • changing the normal use of that data with any other technological means.

This is penalised with between six months' and five years' imprisonment and/or a fine of between €208 and €800,000.

In addition, Article 145, §3, 1° of the Electronic Communications Act of 13 June 2005 prohibits the fraudulent initiation of electronic communications by means of an electronic communications network with the intent to obtain an illegitimate economic advantage, which is punishable with between one and four years' imprisonment and/or a fine of between €4,000 and €400,000.

2 Enforcement

2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?

The General Data Protection Regulation (GDPR) obliges each EU member state to establish a supervisory authority – a national data protection authority (DPA) – which is tasked with monitoring compliance with the GDPR. The Belgian DPA is the Gegevensbeschermingsautoriteit (Dutch) or the Autorité de protection des données (French).

The DPA has strong investigative powers, including the right:

  • to obtain information from a data controller or processor;
  • to obtain access to any premises of a data controller or processor; and
  • to carry out data protection audits.

Administrative fines can amount to a maximum of €10 million or, in case of a legal entity, a maximum of 2% of its total worldwide turnover in the last financial year, if this amount is higher. These fines can be doubled if the data controller or processor is deemed to have breached the general obligation to comply with the GDPR's basic data protection principles. Further sanctions include warnings, reprimands and orders to comply with the GDPR. The highest fine in Belgium to date was issued by the DPA on 14 July 2020 against Google Belgium for violation of the right to be forgotten (€600,000).

Under the GDPR, there is no explicit individual liability, meaning that the organisation as a whole is responsible for a breach of law. Thus, the DPA can only fine organisations as such, even if there is one specific person behind the breach.

The Privacy Act also foresees criminal sanctions for certain offences (eg, processing without a lawful basis).

A breach of the Network and Information Systems Security Act ('NIS Act') can be sanctioned either criminally in court or administratively by a sectoral supervisor. Compliance is further monitored by the National Computer Security Incident Response Team.

Cybercrimes are prosecuted by the Belgian justice system. In 2019 alone, the Belgian Federal Police reported over 32,000 cases of cybercrime (an increase from 25,000 cases in 2018). This number rose to over 43,000 cases in 2020.

2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?

Under the GDPR and the Privacy Act, private parties (or data subjects) have a wide array of rights. They enjoy a right:

  • to information;
  • to access, change and transfer their data;
  • to withdraw their consent;
  • to have their data deleted; and
  • to restrict the processing of their data.

If the data subject is unsuccessful in exercising his or her rights, he or she can file a complaint with the DPA. After receiving the complaint, the DPA may conduct a mediation between the data subject and the data controller or processor, or commence an investigation if the GDPR has been breached.

In order to obtain adequate compensation for a data breach, private parties can enforce the GDPR through judicial proceedings against the data controller or processor (Article 82 of the GDPR). An individual can also apply for a cease-and-desist order against the unlawful processing of data, based on the Privacy Act, from the president of the court of first instance in summary proceedings.

Additionally, Book VI of the Code of Economic Law prohibits any kind of act that is contrary to fair market behaviour and could harm competition on the market (eg, the use of unfair commercial practices in relation to consumers). Although there is, to our knowledge, no precedent yet, if a company thinks that a competitor is engaging in unfair market practices relating to the unlawful use of personal data (or in breach of the GDPR), it may seek to file an order before the Business Court against that undertaking.

2.3 What defences are available to companies in response to governmental or private enforcement?

The burden of proof rests with the data controller or processor, which must prove that no infringement of the GDPR has taken place. For instance, a data controller can provide proof that it has implemented appropriate technical and organisational measures to ensure a level of data security appropriate to the risk, taking into account certain factors such as:

  • the costs of implementation;
  • the potential impact on individuals' rights and freedoms;
  • the state of the art; and
  • the nature, scope, context and purposes of the data processing.

The GDPR also provides, for instance, an exemption from liability for controllers or processors for damage caused by data processing if they can prove that they were not responsible for the event giving rise to the damage.

In any procedure, the rights of defence of companies are safeguarded. Companies can also appeal a legally binding decision of the DPA before the Market Court Section of the Brussels Court of Appeal.

With respect to the NIS Act, operators of essential services and digital service providers may also seek to defend the position that they took appropriate technical and organisational measures to manage the risks posed to the security of the network and information systems which they use in their operations. If criminal sanctions are pursued by a prosecutor, the operator or service provider enjoys all rights of defence of a criminal procedure.

3 Landmark matters

3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?

There has been at least one recent decision of the Belgian DPA regarding cybersecurity and privacy. On 26 April 2021, the litigation chamber of the Belgian DPA imposed a fine of €100,000 on a financial institution for – amongst other things – a failure to provide an adequate level of cybersecurity. The case at hand related to access within a financial institution to the Central Credit Register operated by the Belgian National Bank. The financial institution had two methods of access in place, depending on whether the user was an employee or a manager. The managers shared a single password, and no logging system was in place. This system was misused by one of the managers for personal gain. The litigation chamber of the Belgian DPA deemed "the absence of any system for access control of managers" a "blatant violation" of Article 32 of the GDPR, in particular given the sensitive nature of the financial data. The lack of logging or other security measures was also viewed as preventing data subjects from exercising their right of access concerning the (unlawful) processing carried out, since the financial institution did not keep any evidence of such processing.

3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?

The recent attacks on Belnet, a Belgian internet provider, and the recently discovered hacking of the Federal Public Service Home Affairs – whereby cybercriminals had access to local data for over two years – have demonstrated the need for an updated version of the cybersecurity strategy. The new strategy is part of a transposition of several international commitments. The strategy is now in line with the NIS Act of 2019, the EU Cybersecurity Act (by adopting the "cybersecurity certificates") and the NATO Cyber Defence Pledge, which endorses cyber as a fourth operational domain of defence (alongside the conventional domains of air, land and sea).

On 9 March 2021, Belgian law enforcement authorities undertook the biggest operation against organised crime Belgium has ever seen, leading to the simultaneous deployment of over 1,500 police officers across the country. This was made possible thanks to close collaboration with their Dutch and French colleagues under the supervision of Europol, which led to the cracking of Sky ECC's encrypted messaging system. Law enforcement was able to intercept millions of messages and apprehend a significant number of suspects. The future for crypto phones and end-to-end encryption remains to be seen.

The most well-known Belgian cyber incident dates from January 2020, when the Picanol Group (a globally respected Belgian weaving machine manufacturer) fell victim to a large-scale ransomware attack. The attack left the company without access to its own systems and interrupted a part of computerised production. This was the first time that a cyberattack in Belgium received wide media coverage and attracted public attention to the issue of cybersecurity. The cyberattack resulted in 2,300 employees of Picanol, including in Romania and China, being declared technically unemployed. Picanol's shares on the Brussels Stock Exchange were suspended, leading to further financial loss. Picanol was assisted by the Belgian Federal Computer Crime Unit in managing the aftermath of the cyberattack.

Another well-known incident was the hacking in January 2019 of Belgian metal producer Nyrstar, which was hit by a ransomware attack that blocked its email database and some administrative servers. Finally, in June 2019 Asco, a producer of aircraft parts, was hit by a cyberattack which paralysed the company for a couple of weeks. While no ransom was paid, Asco incurred expenses in the range of €20 million (mostly consultancy costs).

According to a parliamentary report of November 2020, Belgian companies pay around €100 million a year to criminal hackers. In many cases, companies pay ransoms instead of reporting the cyberattack to the police, as they fear a loss of reputation.

4 Proactive cyber compliance

4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.

Cyber threats and the attack techniques used are evolving very quickly. Knowledge sharing and the sharing of best practices are therefore very valuable. Not only does this enrich knowledge and generate new ideas to address the threats, but it also facilitates decision-making.

Industry best practices and industry standards are developing in Belgium. The best example is the Baseline Principles for Managing Cyber Security Risks, developed by the Belgian Financial Services and Markets Authority (FSMA), the supervisor of the financial sector, in cooperation with the Belgian Centre for Cyber Security. The FSMA expects all firms in the financial sector to comply with these guidelines and to adopt the necessary measures in order to manage information security and cyber risks. Notably, it has developed four main principles which, when implemented, will help companies to have effective cybersecurity management:

  • security and strategy support (eg, creating a culture of information security and risk analysis for all new projects);
  • asset identification and risk analysis (eg, managing information security risks to set priorities);
  • implementation of measures – protect/detect/respond and recover (eg, implementing specific measures to secure the information); and
  • evaluation of security measures (eg, conducting an annual review of the security measures to assess the status of the security plan).

International standards also shape the best practice framework, such as ISO/IEC 27001 on information security management systems and ISO/IEC 22301 on business continuity management systems.

4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.

The Belgian data protection authority has issued and continues to issue recommendations on better data protection compliance for various sectors of the economy, including cybersecurity matters concerning the protection of personal data (including specific recommendations on its website).

The Ministry of Economic Affairs has also produced a handbook on cybersecurity (Cybersecurity: Is your company already ready for it?), which includes many practical guidelines for businesses to identify threats and improve cybersecurity.

The Belgian Centre for Cyber Security has established guidelines on cybersecurity compliance for various stakeholders. For instance, the Online Cybersecurity Reference Guide is a set of minimum guidelines designed to assist data controllers and, in general, IT managers in implementing information security plans. The Guide offers "basic" and "more advanced" recommendations in terms of planning, risk management, security measures and evaluations in the use of computers and computer networks. The identification and management of risk is critical in this regard. The guidelines offered are based on international standards and are continuously updated by the CCB. As such, companies are strongly encouraged to adopt these guidelines in their cybersecurity policies. Another Guide for Small and Medium-Sized Enterprises advises these businesses to implement security controls based on their cyber risk assessment, which in turn will improve their cybersecurity levels.

The Belgian National Institute for Health and Disability Insurance has issued its own guidelines (in the form of a Q&A) for healthcare workers on how to comply with the GDPR. It mentions that various services available to healthcare professionals on the Belgian eHealth platform must also follow the GDPR. The guidelines reiterate, for instance, that if a hospital or a doctor's practice uses software (eg, for patient files collection or invoicing), they must ensure that the software provided also complies with the GDPR by being sufficiently secure.

4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?

While the Belgian Code on Companies and Associations and other acts and regulations do not impose specific legal duties with respect to cyber compliance, it can be argued that corporate officers and directors must exercise a proactive role in this regard.

After all, under Belgian corporate law, directors may be held liable for damage caused by a fault which resulted from the negligent exercise of their duties, provided that it is considered that such fault would not have been made by a prudent director in the same circumstances. It is thus the responsibility of the board to ensure that the organisation is digitally secure and immune to cyberattacks (especially if such security is vital for its daily operations). This also applies to the secure processing of personal data in compliance with the GDPR (eg, sufficient technical and organisational measures should be foreseen to secure the processing). Further, officers and directors may be held criminally liable if any of their faults constitutes an offence.

4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?

There are no specific rules which directly and exclusively apply to listed entities with respect to proactive cyber compliance. Nevertheless, it is more likely that an increased level of scrutiny will apply to compliance by listed companies, due to their nature (eg, essential operators as understood in the Network and Information Systems Security Act are often listed).

4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?

The Belgian cybersecurity strategy of 2021-2025 embodies a commitment to cooperation, coordination and dialogue. It emphasises that collaboration is essential in preventing, reducing, treating and monitoring cyber threats and incidents. This forms an extra layer on top of the responsibilities of entities such as the Centre for Cybersecurity (including the CERT), the Federal Police (the Regional Computer Crime Units and the Federal Computer Crime Unit), Defence, the National Crisis Centre (NCCN), the Body for Coordination and Analysis of the Threat (OCAD), the sectoral authorities and the Belgian Institute for Postal Services and Telecommunications (BIPT). Although Belgium already has several initiatives that enable such cooperation (eg, the Cybersecurity Sectoral Authority Platform for various stakeholders and the Cyber Security Sectoral Authority Platform for Operators of Vital Importance), the new strategy also calls for an overarching 'cyber governance' to enable dialogue and coordination of the various activities.

The Belgian Cyber Security Coalition is a network platform which brings together stakeholders from academia, the private sector and public authorities to exchange information and experience. This exchange feeds into the guides which the coalition publishes (eg, the Interactive Cyber Security E-Learning, the SME Security Scan and the Cyber Security Kit). Members also take joint action to strengthen cybersecurity. The coalition's activity report for 2019 mentions several experience-sharing events at which stakeholders could exchange knowledge, best practices and information on potential threats.

5 Cyber-incident response

5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?

The most important notification requirement is set out in Article 33 of the General Data Protection Regulation (GDPR), which in some cases triggers an obligation to notify the data protection authority (DPA) of a personal data breach. A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed". This definition is so broad that it also covers data breaches which do not result from cyberattacks.

In 2019, 861 data breaches were reported to the Belgian DPA, and this number rose to 1,097 in 2020. Compared to the Netherlands, where 27,000 data breaches were reported to the Dutch DPA in 2019 (but 'only' 23,976 in 2020), the Belgian figure remains extremely low.

While controllers notify data breaches to the DPA, processors are obliged to notify a personal data breach, without undue delay, to the controller on whose behalf they process the personal data.

Pursuant to the Network and Information Systems Security Act ('NIS Act') and the additional rules set out in the Royal Decree of 12 July 2019, operators of essential services must also respect a notification requirement (which in some cases applies in addition to the GDPR notification) in relation to any incident that would have considerable consequences for the availability, confidentiality, integrity or authenticity of the network and information system on which the essential services or the services provided rely. Such notification must be made through a secure national notification platform and is shared with all relevant actors. This requirement may also cover breaches involving non-personal data.

Operators of critical infrastructure must notify the Communication and Information Centre of any incident that would endanger the security of the critical infrastructure pursuant to the Act of 1 July 2011 on the security and protection of critical infrastructure.

Any breach of security or loss of integrity that has a significant impact on a trust service should be notified to the Ministry of Economic Affairs or the DPA, based on the eIDAS Regulation.

The transposition of the European Electronic Communications Code (EECC) has brought many changes to the Act of 13 June 2005 on electronic communications. Whereas the previously undefined term "integrity of a network" triggered certain notification obligations towards data subjects and the Belgian Institute for Post and Telecommunications (BIPT), the term 'security incident' has now been defined in line with the NIS Act as "an event having an actual adverse effect on the security - i.e. availability, confidentiality, integrity or authenticity - of electronic communications networks or services". In case of a personal data breach, the DPA also becomes involved.

5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?

As mentioned in question 5.1, a personal data breach must be notified to the DPA by the data controller within 72 hours of the data controller discovering the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

Such notification should describe:

  • the nature of the personal data breach, including, where possible:
    • the categories and approximate number of data subjects concerned; and
    • the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach; and
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If the DPA is not notified within 72 hours of the data breach, the data controller should explain the reasons for this delay.

If the personal data breach is likely to present a high risk to the rights and freedoms of data subjects, the data controller must also notify the data subjects as soon as possible, except where:

  • personal data is protected by appropriate technical and organisational measures and will thus be incomprehensible to anyone who is not authorised to access it;
  • the controller has taken further measures to ensure that the high risk is no longer likely to materialise; or
  • communication of the breach to the data subjects would require disproportionate effort.

Group notifications may be possible if individual notifications would involve disproportionate effort.

Operators of essential services must immediately report all incidents which would have considerable consequences for the availability, confidentiality, integrity or authenticity of the network and information system on which the essential services or the services provided rely. The form for notification is available on the platform through which the notification is made.

The Electronic Communications Act repeats the above notification requirements, but also imposes a general obligation to notify end users and the Belgian Institute for Post and Telecommunications (BIPT) in case of a specific risk of a breach of the network's security. The operator must inform the BIPT and the data subjects of a specific and significant security incident, and must do so promptly where the incident has an important impact on the operation of networks or services. Whether the impact is important is assessed against the criteria of the Belgian NIS Act, namely: (i) the number of users affected by the security incident; (ii) the duration of the security incident; (iii) the geographical distribution of the area affected by the security incident; (iv) the extent to which the operation of the network or service is affected; and (v) the extent of the impact on economic and social activities. The BIPT may inform the public at large, or require the operators to do so, if it considers disclosure of the security incident to be in the public interest. The BIPT may also inform ENISA of the incident and consult the Computer Security Incident Response Team on matters falling within that team's tasks.

An organisation that makes a notification is not automatically obliged to compensate data subjects or users whose data has been leaked, but it may be held civilly liable if a proven fault on its part (eg, inappropriate security measures) caused losses for the data subject or user, provided that there is a causal link between the fault and the losses.

5.3 What steps are companies legally required to take in response to cyber incidents?

With respect to a personal data breach which falls under the scope of application of the GDPR, the data controller should respect the obligation to document the facts relating to the breach, as well as its effects and the remedial action taken. This information should enable the DPA to verify compliance with the data controller's notification obligations.

Aside from the notification and reporting obligations, prudent data controllers should analyse the breach which took place and take the necessary steps to mitigate any identified risks in order to prevent further or future damage.

The NIS Act obliges operators of essential services to take adequate measures to minimise the effects of a cyber incident, in order to safeguard continuity of service.

5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?

Corporate officers and directors must act under their general duty of care in order to diligently manage the organisation. This prudent behaviour should also help them to avoid any liability for their acts (as set out in question 4.3).

5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?

In recent years, we have seen a shift in crime from the real world to the digital world. The Covid-19 crisis has further accelerated this trend. In 2020, 67,000 fraudulent phishing transactions occurred, amounting to losses of almost €34 million. But cybercrime takes many forms, from virus attacks to scams and identity fraud. The Federal Police recorded 43,501 cases of cybercrime in 2020, an increase of 27% compared to 2019.

Belgian insurers are slowly but steadily responding to these trends by offering a variety of products against cybercrime. The damage covered ranges from exposure to viruses and jacking to human error by employees. Some policies are open only to those acting in a professional capacity, while others can be chosen by private individuals as an additional option to their family insurance. While all policies cover the consequences of identity theft, reputational damage and online fraud, the products vary from classic non-life insurance - covering an amount up to a certain ceiling - to legal, psychological and technical assistance. The latter products consist of technical assistance by a third party to remove viruses and recover lost data after a cyber incident. Insurers may therefore also act as a helpline (eg, by providing IT, legal and PR assistance).

All policies contain classic exclusions such as pre-existing and intentional damage. Illegal goods and counterfeit products are also not covered, regardless of whether the insured party was aware of their true nature. The recovery of illegal data is therefore not covered. Cover for purchases on the Internet is only valid for purchases from professional traders established within the European Union. Purchases made through auction websites and online second-hand marketplaces where private individuals operate are therefore excluded from coverage.

The differences between the policies are very large, and they are full of fine-print exceptions and conditions. Phishing, for example, deserves specific attention. Some insurers limit their coverage according to the channel used in the phishing attack, covering e-mail but excluding scams via telephone and dating sites. Others cover the misuse of bank or identity information only if that information was actually stolen: if the insured party hands over its own details, there is no theft and thus no coverage. Some insurers go even further and exclude phishing altogether, simply stating that the insured party is obliged to refrain from passing on passwords, access codes or other similar confidential information relating to methods of payment.

In addition to the general obligations on the insured party to immediately inform the insurer of the cyber incident and to take further damage mitigation measures, certain insurers go even further by imposing preventative obligations on the insured party. These range from checking, at least every two weeks, the balance of the bank accounts used for online payments, to using up-to-date antivirus software and operating systems. Insurers also require the insured party not to admit liability or make payments. This is especially important in the case of ransomware, where a ransom is demanded in exchange for unblocking the infected computer.

Belgian companies are increasingly taking out cyber-incident insurance policies, with certain brokers seeing a yearly growth of up to 70%. As awareness of cyber threats continues to grow, more businesses are opting for such insurance.

6 Trends and predictions

6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Belgium remains highly exposed to cybercrime, despite significant efforts to enhance cybersecurity. Cyber incidents reportedly cost the country about €4.5 billion every year. The Belgian Federal Cyber Emergency Team records up to 35 cases of cybercrime a day, with ransomware increasingly common. The Covid-19 pandemic has aggravated this situation, as operational systems – which frequently depend on cloud services – may become paralysed in the event of hacking, preventing employees from working remotely. Moreover, the increase in working from home has increased the risk of cybercrime such as phishing. In 2021, reports of phishing to the Centre for Cybersecurity increased by almost a third compared to 2020, amounting to a stunning 4.5 million reports. Hence, the need for clear guidelines and a strong legal framework to prevent cyber incidents remains high and, due to Covid-19, will remain at the top of the agenda in the coming year. Awareness of the importance of cybersecurity among wider society is also expected to continue to rise; major incidents have helped to increase it.

We see four trends persisting in 2022 as a result of technological and social developments:

  • Deep fakes, or imitations of known persons, will make voice phishing more convincing and can claim many more victims;
  • Smishing, or the fraudulent practice of sending text messages purporting to be from reputable organisations - such as the government or parcel services - in order to induce individuals to reveal personal information, will continue to increase;
  • Unwanted calendar invitations, where attackers spam a person's calendar with meeting invites, and fraud based on QR codes will increasingly plague us in the coming year;
  • The rise of 'bitcoin mules' helps phishing attackers disappear even further into anonymity, making it harder to catch them.

The need for an updated version of Belgium's cybersecurity strategy was highlighted by the recent attacks on Belnet and the recently discovered hacking of the Federal Public Service Home Affairs. The cybersecurity strategy of 2021-2025 intends, among other things, to strengthen and increase trust in the digital environment. Belgium will establish a framework that will allow companies to evaluate and certify the security of ICT products, services and processes. Work will also be done on the creation of a cybersecurity recognition mechanism for companies, with a special focus on SMEs that wish to demonstrate that basic cybersecurity requirements, best practices and policies are in place.

At the EU level, a new e-Privacy Regulation may be agreed. The latest official version was presented in early January 2021, while one of the latest drafts was leaked in November 2021. Pursuant to the European Union's Cyber Security Strategy, presented in December 2020, a new directive on the resilience of critical entities has been proposed, as well as a revision of the Network and Information Systems Security Directive. These proposals will be discussed in the coming months. Another proposal under discussion is the Data Governance Act, which aims to facilitate the availability of data by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the European Union.

Another interesting future development is the creation of a European cloud, which would provide:

  • world-class data infrastructure to store and manage data;
  • high-speed connectivity to transport data; and
  • more powerful high-performance computers to process data.

7 Tips and traps

7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?

  • The human factor: Even where the underlying cause of a cyber incident is external, the (internal) human factor within an organisation is just as essential. Many cyber-related problems arise from insufficient knowledge or diligence on the part of personnel (eg, failure to identify suspicious correspondence). Hence, in-house training to help personnel understand how to use the organisation's IT systems and manage data securely is essential, especially at a time when many businesses have gone digital due to teleworking requirements. In addition, clear and concise guidelines and policies (including on private use of company systems) should be implemented and adhered to.
  • Cloud computing: As organisations increasingly rely on cloud services for their daily operations, they must be aware of the cybersecurity and dependency risks presented by such services. Companies must not only prevent incidents through technical and organisational means, but also carefully negotiate their cloud contracts in order to ensure that there are adequate security guarantees and sufficient grounds to hold the service provider liable in case of incidents attributable to it. The cheapest cloud solutions also do not necessarily provide an adequate security level for (sensitive) data.
  • Funding: Cybersecurity requires sufficient investment. Finding enough funds is not easy for all businesses, especially small and medium-sized enterprises. During a global pandemic, securing adequate budget becomes even more challenging. Nevertheless, firms should not only maintain cybersecurity teams to handle cyber incidents where damage has been done, but also dedicate funds and assets to identify critical risks and develop measures to mitigate those risks. Cyber insurance, despite its costs, should also be carefully considered. After all, in many cases a proactive approach will save money in the long term, if cyber incidents can be avoided.
