Belgium Moves Forward With Transposition Of New EU Cybersecurity Rules
A significant milestone for cybersecurity in Belgium was reached
when the Parliament ratified the transposition of the EU NIS2
Directive on 18 April 2024. Numerous companies across different
sectors will face a landscape of increased cybersecurity
obligations, set to take effect on 18 October 2024. Failure to
comply carries significant consequences, including administrative
sanctions and fines, as well as directors’ liability.
Scope of application
NIS2 repeals and replaces the NIS1 Directive
(Directive (EU) 2016/1148 concerning measures for a high common
level of security of network and information systems across the
Union), which was deemed insufficient in addressing the
escalating incidents associated with the digitization of society.
NIS1 had already set certain minimum standards with regard to
cybersecurity for companies and sectors deemed critical to society,
which included “digital services providers” (online
search engines, online marketplaces and providers of cloud
computing services) and “operators of essential services”
(e.g. in the energy, healthcare and transportation sector). The
entities concerned were, among other things, obliged to implement
technical & organisational security measures and to notify
serious cybersecurity incidents to the national cybersecurity
authority.
Under NIS2, twelve additional sectors are mandated to institute
cybersecurity risk management measures and follow incident
notification obligations. The new rules also strengthen and
streamline security and reporting requirements by establishing a
minimum list of key elements that all entities must consider or
implement, including incident management, supply chain security,
vulnerability handling and disclosure.
The entities concerned are divided into two main categories, “Essential
Entities” and “Important Entities” (the first one being subject to the
strictest obligations):
Organisations in these sectors (with some exceptions) will be
covered by NIS2 if they meet certain thresholds in terms of size
(employee headcount and annual turnover).
They will be subject to strict minimum cybersecurity risk
management requirements, e.g. having certain risk analysis policies
in place, providing for proper incident handling, auditing and
testing, and performing cybersecurity supply chain due diligence (to
assess the cybersecurity practices of suppliers and service
providers). The rules on incident notification have also been
tightened.
By 17 April 2025, Member States are required to establish a list
of the entities covered by NIS2, with the option to require
entities to self-register.
How has Belgium tackled the transposition of the NIS2 Directive?
Belgium has decided to make use of the possibility to expand the
list of entities subject to the NIS2 regime. More precisely, the
Belgian transposition law permits the inclusion of additional
sectors and sub-sectors, as well as the expansion of the existing
list, through royal decree. Additionally, there is flexibility for
the national regulator to add specific entities to the list.
Consequently, if an entity is presently not concerned or listed,
there remains a potential for its inclusion in the future.
Given the significant number of entities likely concerned by
NIS2, entities are asked to self-register within either two or five
months of the law coming into effect. A platform will be made
available for this purpose.
Belgium also extended the list of risk management measures and
information obligations. As a consequence, entities falling under
the Belgian NIS2 law must adopt a coordinated vulnerability
disclosure policy and conduct a comprehensive risk analysis that
considers all potential risks, in order to safeguard networks,
information systems, and physical environments against incidents.
Based on this assessment, they must develop a security policy for
information systems and networks, incorporating elements stipulated
by law. The list of obligations can still be extended by royal
decree.
Finally, the Belgian legislator has outlined the framework for
supervision of compliance with NIS2. Key aspects include the
identification of the relevant authority, the Centre for
Cybersecurity Belgium (“CCB”), which acts as the national CSIRT;
the possibility for “Important Entities” to voluntarily undergo a
pre-assessment, which is mandatory for “Essential Entities”; and
the provisions regarding administrative actions and fines.
Sanctions
Under NIS2, the national regulator may issue binding injunctions
and administrative fines of up to EUR 10 million or 2% of the
annual worldwide turnover (whichever is higher) for “Essential
Entities”, and up to EUR 7 million or 1.4% of the annual
worldwide turnover (whichever is higher) for “Important
Entities”.
Note that directors and management bodies can also be held
liable for a company’s non-compliance with NIS2, as they are
responsible for implementing the required measures and are required
by law to follow appropriate cybersecurity training.
What’s next?
Essential and Important Entities have until 18 October 2024 to
effectively organize their NIS2 compliance. On this date, the new
regime for cybersecurity will apply to them.
Additionally, for certain companies, notably those active in the
financial sector, additional cybersecurity requirements will apply
from 1 January 2025 pursuant to the Digital Operational Resilience
Act, whose further implementation is currently also being discussed
in the Belgian parliament.