On 18 October 2024, NIS 2 officially came into force across all EU member states. While many member states missed the deadline to create national cybersecurity legislation based on NIS 2, that is not the case for Belgium. The new legislation aims to enhance the security and resilience of critical entities across the EU. With the clock now ticking, it is imperative for organisations to act swiftly to ensure compliance and safeguard their operations. In this article, we will delve into some key aspects of NIS 2, providing you with an overview of what to expect.
1. What’s the applicable legislation in Belgium?
In Belgium, the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (Belgian NIS 2 Law) transposes into Belgian law the NIS 2 Directive (EU) 2022/2555. The Royal Decree of 9 June 2024 implementing the Belgian NIS 2 Law completes the transposition in Belgium. It designates the Centre for Cybersecurity Belgium (CCB) as the national cybersecurity authority and the national CSIRT, as well as various sectoral authorities that support the CCB in its tasks.
2. How to determine if your organisation falls under the scope of NIS 2 in Belgium?
To be covered by the Belgian NIS 2 law, an organisation must meet the following criteria: (i) it must provide a service listed in Annexes I and II of the Belgian NIS 2 Law within the EU; (ii) it must exceed the size thresholds of a medium-sized enterprise as defined in Recommendation 2003/361/EC. This means having a workforce of at least 50 full-time employees or an annual turnover or balance sheet total exceeding EUR 10 million; and (iii) it must be established in Belgium.
Depending on their sector and size, companies are classified as either “essential entities” or “important entities”, which results in different enforcement measures and potential fines:
- Essential entities are supervised both proactively (ex ante) and reactively (ex post). They are subject to mandatory regular conformity assessments.
- Important entities are generally subject to “ex post” supervision, meaning they are monitored after an incident occurs or based on evidence, indications, or information suggesting non-compliance with the law.
Irrespective of the above, the Belgian NIS 2 Law automatically applies to all entities identified as operators of critical infrastructure under the Law of 1 July 2011, no matter their size. These operators are classified as essential entities. Entities identified as operators of essential services or digital service providers under NIS 1 will generally fall under the Belgian NIS 2 Law if they exceed the size thresholds, because the Belgian NIS 2 Law extends the scope of NIS 1.
3. Even if your company is not directly subject to NIS 2, it may still impact your organisation
NIS 2 has a wide impact. While NIS 2 has specific criteria for determining which organisations fall under its direct scope (see above), its impact can still be felt indirectly. Here’s how:
- The Belgian cybersecurity authority (CCB) can identify certain organisations as essential or important, even if they don’t typically qualify as NIS 2 entities. This could happen if their services are critical to public safety, security, or health.
- If you’re a supplier or service provider to a NIS 2 entity, you might be required to implement specific cybersecurity measures. This is because NIS 2 entities must safeguard the security of their entire supply chain, including you. NIS 2 entities will likely impose contractual obligations on their suppliers or service providers. For instance, NIS 2 entities may require suppliers to obtain certifications like CyberFundamentals (CyFun Framework level Basic) or ISO 27001 to ensure compliance.
4. What are the main obligations under Belgian NIS 2 Law?
Companies within the scope of Belgian NIS 2 Law must comply with the following key elements:
- Registration with the CCB: NIS 2 entities under the Belgian NIS 2 Law must register with the CCB via the portal. The deadline for registration depends on the type of entity. Essential and important entities must register by 18 March 2025 and digital sector entities by 18 December 2024.
- Cybersecurity risk-management measures: Both important and essential entities must implement appropriate and proportionate technical, operational, and organisational measures to manage risks to the security of their network and information systems. These measures should prevent or minimise the impact of incidents on their services and other interconnected services. The measures must ensure a level of security appropriate to the risks, considering the state-of-the-art, relevant European and international standards, and the cost of implementation. To facilitate the practical implementation of these measures, the CCB advises all NIS 2 entities to make use of the CyFun Framework, which covers all these points. A validated implementation of the CyFun Framework allows NIS 2 entities to benefit from a presumption of conformity.
- Notification of significant incidents: Essential and important entities must notify the CCB of any significant incident, including, where appropriate, information that makes it possible to determine whether the incident in question has a cross-border impact (see section 5 below).
- Management body obligations: Management bodies must (i) approve the cybersecurity risk-management measures; (ii) oversee their implementation; and (iii) understand they can be held liable for infringements.
- Cooperation with authorities: Entities within the scope of the Law must cooperate with national authorities, particularly the CCB and the sectoral authorities.
5. What are the incident reporting obligations under Belgian NIS 2 Law?
Starting 18 October 2024, all NIS 2 entities are required to notify the CCB of significant incidents via the notification platform. These are incidents that significantly impact the provision of their services and (i) cause or have the potential to cause severe operational disruption or financial loss; or (ii) affect or have the potential to affect other individuals or organisations, causing considerable material or non-material damage. Examples include someone having obtained greater access than expected to the networks, systems or information supporting the provision of your service, or an event causing the loss or dissemination of intellectual property in a way likely to jeopardise future revenues or sales.
The CCB has just published guidelines (in French and in Dutch) on the notifications and information obligations.
Notifications must be made in stages: an early warning within 24 hours of the incident being discovered, a formal notification within 72 hours, and a final report within one month. Interim reports may also be requested. Incident notifications under the Belgian NIS 2 Law do not replace the notifications required for personal data breaches if the incident also involves personal data; separate notifications must still be made to the Belgian Data Protection Authority in such cases.
6. What are the consequences of non-compliance?
To enforce the Belgian NIS 2 Law, inspectors may conduct on-site visits, gather evidence, and issue reports. Based on these findings, the CCB can initiate proceedings to address violations, including ordering corrective actions and imposing administrative fines. The following administrative fines may be imposed:
- Non-compliance with information obligations: EUR 500 to EUR 125,000
- Non-compliance with supervision obligations: EUR 500 to EUR 200,000
- Non-compliance by important entities: EUR 500 to EUR 7 million or 1.4% of annual turnover
- Non-compliance by essential entities: EUR 500 to EUR 10 million or 2% of annual turnover
The CCB may also impose administrative measures, such as warnings or binding instructions; orders to cease conduct or to implement measures; public disclosure of non-compliance; designation of a monitoring officer (for essential entities); implementation of recommendations; temporary suspension of certifications or authorisations (essential entities); and temporary prohibition of managerial functions (essential entities).
7. It’s not too late to take action
Even though the Belgian NIS 2 Law is already in effect, there is still time to ensure your organisation is compliant. To prepare effectively, consider the following preliminary steps:
- Assess NIS 2 scope: Determine if your organisation falls under NIS 2’s scope.
- Identify gaps: Evaluate your current cybersecurity posture for potential weaknesses.
- Conduct a gap analysis: Compare your network and information security posture with the NIS 2 requirements, paying particular attention to risk management and incident response.
- Don’t delay: Start your NIS 2 compliance journey today.