National transposition of the European NIS Directive: state of play for Belgium
Locations
Introduction
On 3 May 2019, the Belgian Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for the public security (the "Belgian Act") was published in the Belgian Official Gazette.
[1] The Belgian Act entered into force on the same day and constitutes the transposition of the NIS Directive[2] in national law. The NIS Directive aims at achieving a high common level of security of network and information systems so as to improve the functioning of the European internal market.
Since the NIS Directive is a directive aimed at minimum harmonisation, the Member States were giving some margin to adopt or maintain provisions in order to achieve a better security level of network and information systems. It appears however that Belgium did not really seize this opportunity, which has resulted in a rather loyal and not really innovative transposition of the NIS Directive.
As is often the case, Belgium was one of the (many) Member States that did not manage to transpose the NIS Directive in time. Indeed, the NIS Directive should have been transposed in national law by 9 May 2018 meaning that the Belgian legislator has missed the deadline by almost one year. Even now, Belgium is still not finished with the transposition: in the coming months the operators of essential services in reach of the relevant sectors will need to be designated.
Territorial scope of the Belgian Act
Article 3 of the Belgian Act clarifies that its provisions will apply to:
- Operators of essential services that have at least one establishment on Belgian territory and are actually carrying out an activity concerning the provision of at least one essential service on the Belgian territory; and
- Digital services providers that have their main establishment in Belgium. Digital service providers that have their registered seat in Belgium will be deemed to have their main establishment in Belgium;
- Digital service providers that are not established in the European Union -, provided that they they deliver services described in Annex 2 in Belgium and their representative is established in Belgium in the context of the NIS Directive.
The obligations in the Belgian Act are relevant for two types of service providers: (i) operators of essential services and (ii) digital service providers.
Operators of essential services
Who?
A public or private entity that is (i) active in Belgium in one of the sectors included in Annex 1 to the Belgian Act (such as electricity companies, airline companies etc.), (ii) meets the criteria listed below (article 12 of the Belgian Act) and (iii) has been appointed as such by the governmental authority.
Article 12 of the Belgian Act clarifies the criteria that need to be complied with in order to identify an operator of essential services:
- The entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- The provision of that service depends on network and information systems; and
- An incident would have significant disruptive effects on the provision of that service. In order to determine the importance of such disruptive effects, the sectorial authority will determine sectorial and/or inter-sectorial criteria, impact levels or threshold values.
A potential operator of essential services will need to provide all relevant information concerning its potential identification as operator of an essential service, including information allowing objectivising if the provision of the essential service is dependent on network and information systems (article 14 Belgian Act).
Which obligations do they have?
Chapters 2 and 3 of the Belgian Act explain which obligations are imposed on operators of essential services.
- Article 20 indicates that the operator should take the following security measures (the "Security Measures"):
- Appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems on which their essential services depend. These measures will ensure, taking into account the state of the art, a level of physical and logical pretention of the network and information systems that is appropriate to the risks posed;
- Appropriate measures to prevent or to minimise the effects of incidents affecting the security of the network used for the provision of the essential services, in order to ensure the continuity of those services.
- The operator is also obliged to draw up a security policy for its network and information systems ("IBB") which will contain at least the Security Measures (article 21 of the Belgian Act).
- This IBB needs to be drawn up at the latest within a period of 12 months following the notification of the operator's appointment.
- The measures described in the IBB need to be implemented by the operator at the latest within a period of 24 months after the notification of its appointment.
- The IBB is deemed to be compliant with the security requirements set forth in article 20 of the Belgian Act until proven otherwise if the security measures comply with the requirements of the ISO/IEC 27001 norm or a national, foreign or international norm recognised by the King to be equivalent (article 22 of the Belgian Act).
- The operator of essential services will designate a point of contact for the security of the network and information systems and will communicate the details to the competent sectorial authority within a period of three months after the notification of its appointment as operator of essential services (article 23 of the Belgian Privacy Act).
- The operator of essential services will also need to promptly notify all incidents having significant impacts on the availability, confidentiality, integrity or authenticity of the network and information systems on which its essential services are depending on (article 24 of the Belgian Act).
- It is important to note that this notification obligation will apply even if the operator of essential services only partly has the relevant information to determine whether an incident has a significant impact (article 25 of the Belgian Act).
- In this respect a company that is providing digital services to an operator of essential services and is subject to the Belgian Act will need to promptly notify any incidents with significant impacts for the continuity of the essential services (article 27 of the Belgian Act).
- The operator of essential services that suffered an incident with a significant impact is obliged to handle the incident and take reactive measures to solve the incident. The operator of essential services will remain liable for the management of the incident (article 28 of the Belgian Act).
Potential providers of essential services (i.e. an entity that is active in one of the sectors set forth in Annex 1 to the Belgian Act but that has not been formally appointed as an operator of essential services) can notify incidents with a significant impact on the continuity of the services provided by them in Belgium on a voluntarily basis (article 30 of the Belgian Act).
The King is responsible to determine the further rules for the notification and reporting of incidents and to establish a secured notification platform (the "Notification Platform") (article 31 of the Belgian Act). This Notification Platform can also be used by operators of essential services to notify breaches concerning personal data to the supervisory authority. With regard to this Notification Platform, the Belgian Data Protection Authority has stressed in its advice that it is necessary to ensure that the responsibility to determine which authorities need to be notified, remains with the data controller. It should be avoided that this responsibility is 'shifted' to entities receiving the incidents via the Notification Platform.
To the extent that public awareness is required to prevent an incident or to manage an existing incident, the national CSIRT can, after having consulted the operator that submitted the notification and the competent sectorial authority, inform the public about individual incidents. However, in such case the public can only be provided with general information about the incident.
Digital services providers
Who?
Any legal entity providing a digital service as set forth in Annex II to the Belgian Act.
The chapter on digital service providers of the Belgian Act does not apply to micro and small entities (article 32 of the Belgian Act).
Which obligations do they have?
The obligations imposed on digital services providers are explained in Chapter 2 and 3 of the Belgian Act:
- The digital services providers will identify the risks for the security of the network and information systems which they use for the provision of the following services in the European Union (the "Digital Services"): (i) online market places; (ii) online search engines; and (iii) cloud computing services (article 33 of the Belgian Act). They will take appropriate and proportionate measures to manage these risks.
- These measures will ensure, taking into account the state of the art, a level of security for the network and information systems that are appropriate to the risks posed and will take into account the following elements:
- The security of systems and facilities;
- The management of incidents;
- The management of business continuity;
- Monitoring, auditing and testing; and
- Compliance with international standards.
- The digital service providers need to take measures to prevent and minimise incidents which can affect the security of their network and information systems used for the Digital Services in order to ensure the continuity of the services.
- Furthermore, the digital services providers are also obliged to appoint a point of contact for computer security and share the details to the sectorial authority (article 34 of the Belgian Act).
- As is the case for the operators of essential services, the digital service providers are obliged to promptly notify any incident having a substantial impact on the Digital Services they provide in the European Union (article 35 of the Belgian Act). Such notification needs to occur in accordance with the implementation regulations of the European Commission, including the Implementing Regulation 2018/151 of 30 January 2018 regarding further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact (see link).
- These notifications contain information to determine if the potential cross-border impact of the incident is significant. Notification cannot result in an increased liability for the notifying party.
- The obligation to notify will only apply if the digital service provider has access to the information required to fully or partially assess the consequences of the incident. The King can determine the further rules of the notification, which will need to occur via the Notification Platform.
Supervision on the operators of essential services and digital service providers
Chapter 1 and Chapter 2 of Title 4 of the Belgian Act contain the rules with regard to the supervision on respectively the operators of essential services and digital service providers.
The operators of essential services
The operator of essential services is obliged to perform or have performed at its own costs (article 38 of the Belgian Act):
- A yearly internal audit of the network and information systems on which its essential services are dependent on.
- This internal audit should allow the operator to make sure that the measures and processes included in its IBB are properly implemented and regularly reviewed.
- The first internal audit should be performed at the latest within the three months following the development of the IBB.
- An external audit by an institution for the conformity assessment that is accredited by a national accreditation authority or by an institution that has signed the "European Cooperation for Accreditation". The first external audit should be provided at the latest within the 24 months following the performance of the first internal audit.
The digital service providers
The King will determine the further practical rules of the supervision on the digital service providers. The digital service providers should however in any case (article 47 of the Belgian Act):
- Provide all information to the competent inspection body within the specified period that is required for evaluating the security of its network and information systems, including all documented policy measures with regard to security;
- Rectify any failure to comply with the security and incident reporting requirements within the required deadlines.
Sanctions for non-compliance
Chapter 3 of the Belgian Act sets forth the applicable sanctions for any violations of the Belgian Act. These include the imposition of criminal penalties or administrative sanctions.
Interaction between the Belgian Act and the GDPR
It is important to underline that the applicability of the Belgian Act does not prevent that the requirements of the GDPR also need to be complied with. In light of the foregoing, article 5 of the Belgian Act clarifies that with the exception of Title 6 of the Belgian Act (which specifically deals with the processing of personal data in the context of the Belgian Act); the provisions of the Belgian Act do not prejudice the applicability of the GDPR. This provision was added upon explicit request of the Belgian Data Protection Authority.
It should be taken into account however that the personal and material scope of the GDPR and NIS Directive, and thus the Belgian Act, differs. We have summarized the most important differences in the table below:
|
|
GDPR |
Belgian Act |
|
Material scope |
|
|
|
Addressees |
|
|
|
Incident notification |
|
|
|
Designated roles |
|
|
Next steps
The Belgian Act reserves quite some powers for the King, meaning that some provisions of the Belgian Act will need to be further specified in a Royal implementation decree. Article 7, §1 of the Belgian Act, for instance, stipulates that the King will appoint the authority charged with the follow-up and coordination of the implementation of the Belgian Act. It can be expected that the Centrum for Cybersecurity Belgium will be appointed as such authority.
The appointment of the Belgian operators of essential services however will in any case need to be done at the latest within six months after the entry into force of the Belgian Act, i.e. 3 November 2019 (article 11; §3 Belgian Act).
At this point, the Belgian government is awaiting the advices of the Belgian Data Protection Authority and the Council of State on the draft of the Royal implementation decree so Belgium is making further slow, but steady, progress in the further transposition of the NIS Directive.
[1] Available here in Dutch and here in French.
[2] Directive 2016/1148 of the European Parliament and of the Council of 6 July 2006 concerning measures for a high common level of security of network and information systems across the Union (see link here).