23/12/24

Belgian NIS 2 cybersecurity authority releases guidelines on incident reporting obligations

Following the recent entry into force of the Network and Information Security Directive 2 (NIS 2), the Belgian cybersecurity authority (CCB) has issued guidelines (available in English, Dutch and French) detailing the notification obligations for entities under the Belgian NIS 2 Law. The guidelines set out strict criteria for reportable incidents and impose short deadlines for reporting. Organisations must be fully aware of these obligations to ensure compliance.

1. What is the Belgian NIS 2 Law about?

For a comprehensive overview of the Belgian NIS 2 obligations, and answers to questions such as “What’s the applicable legislation in Belgium?” and “How to determine if your organisation falls under the scope of NIS 2 in Belgium?”, refer to our previous article on the subject.

2. Which incidents must be reported?

Entities under the Belgian NIS 2 Law must report incidents considered “significant”. Two conditions must both be met: an incident must have occurred, and that incident must be significant. Note the following definitions:

  • An incident is “an event compromising the availability, authenticity, integrity or confidentiality of data stored, transmitted or being processed, or of services that networks and information systems offer or make accessible”. In other words, any event compromising the availability, authenticity, integrity or confidentiality of data or of services provided by networks and information systems.
  • A significant incident is an incident that has a significant impact on the provision of one of the services provided in the sectors or sub-sectors listed in Annexes I and II and has caused or is likely to cause at least one of these three situations:
        o   severe operational disruption to one of the services provided;
        o   financial losses for the entity concerned;
        o   considerable material, physical or moral damage to other natural or legal persons.

3. How to determine the significance of an incident?

Before deciding whether an incident is significant (both as defined above) and therefore requires notification, your company should consider the following:

  • Impact on the relevant services: The incident must affect the provision of services in the sectors or sub-sectors listed in Annexes I and II of the Belgian NIS 2 Law. This includes the networks and information systems essential for these services (e.g. electricity distribution).
  • Impact on the relevant IT systems: Only incidents affecting the information systems and networks supporting the relevant services need to be reported. Incidents affecting isolated systems unrelated to these services do not require notification.

The CCB has identified the following concrete situations in which the significant character of an incident should be considered as established by an entity:

A suspected malicious event compromising the authenticity, integrity, or confidentiality of data on the entity’s networks or information systems, which causes or is likely to cause severe operational disruption.

  • Such an event could occur when someone has obtained greater access than expected to the networks, systems or information supporting the provision of the entity’s services; or a system or network supporting the provision of the entity’s services can no longer be configured by privileged users who should have the rights to configure the system or network.

An event compromising the availability of data on the entity's networks or information systems, which causes or is likely to cause severe operational disruption.

  • Such an event could occur when at least 20% of users (i.e. natural and/or legal persons, professional customers and/or end customers who have entered into a contract with the entity concerned) do not have access to the service for at least one hour; when users lose access to the service for at least one hour and the entity cannot determine the number of users affected (in relative or absolute terms); or when the event causes a delay in the delivery of products beyond the contractually guaranteed delivery times.

An event causing or likely to cause financial loss to the entity, such as costs associated with internal and external communication; advisory costs, including costs associated with legal counselling; forensic services and remediation services; or staff costs.

  • Such an event could occur when it causes a direct financial loss in excess of EUR 250,000 or 5% of the total annual turnover of the entity concerned during the previous full financial year, whichever is lower; the loss or dissemination of IP in a way likely to jeopardise future revenues or turnover; or the exfiltration of trade secrets.

An event causing or likely to cause material, physical or moral damage affecting other natural or legal persons.

  • Such an event could occur, for instance, when it causes partial or total destruction of physical or digital assets or damage to physical infrastructure causing a delay in the delivery of products or services beyond the contractually guaranteed delivery times.

A recurring event.

  • According to the CCB, recurring incidents that are linked through the same apparent root cause, which individually do not meet the criteria of a significant incident, should collectively be considered a significant incident, provided that they collectively meet the criterion for financial loss, and that they have occurred at least twice within six months. Such recurring incidents can indicate significant deficiencies and weaknesses in the relevant entity’s cybersecurity risk management procedures and their level of cybersecurity maturity.

4. How should these incidents be reported?

Notifications should be made to the CCB by filling in an online form (available in English, Dutch and French). Unlike GDPR data breach notifications to the Belgian Data Protection Authority (BDPA), incident reporting can be done in English, which may be beneficial for international organisations.

If the form is unavailable or if it is technically impossible to fill in the form, a notification can be made by phone (+32 2 501 05 60). This phone number can also be used to contact the CCB when their immediate support is needed.

5. When should these incidents be reported?

The notification deadlines begin the moment the entity becomes “aware” of such significant incidents. The CCB emphasises that an entity is considered to be “aware” of a breach when it has detected a suspicious event, or after a potential incident has been brought to its attention by a third party (e.g. an individual, a customer, an entity, an authority, a media organisation). The entity should assess in a timely manner the suspicious event to determine whether it constitutes an incident and, if so, determine its nature and severity. The entity is regarded as being “aware” of the significant incident when, after such initial assessment, that entity has a reasonable degree of certainty that a significant incident has occurred.

There are several stages in the notification process:

  1. Early warning: The entity must submit an early warning without undue delay and, in any event, within 24 hours of becoming aware of the significant incident.
  2. Incident notification: The entity must submit an incident notification without undue delay and, in any event, within 72 hours (24 hours for trust service providers) of becoming aware of the significant incident.
  3. Intermediate report: At the request of the CCB or the competent sectoral authority, the entity must submit an intermediate report.
  4. Final report: The entity must submit a final report no later than one month after the notification of the incident referred to in point 2.
  5. Progress report: If the incident is still ongoing at the time of the final report submission, the entity must submit a progress report. Subsequently, a final report must be submitted within one month of the incident being resolved.

The term “without undue delay” means that the entity must notify the incident as soon as possible, without waiting for the maximum deadlines of 24 or 72 hours. According to the CCB, only duly justified special circumstances may warrant waiting until the end of these deadlines. Compliance with a company’s internal procedures must not cause an unreasonable delay in notifying an incident.

If the significant incident is likely to affect the provision of services listed in the annexes to the Belgian NIS 2 Law, the entity must also inform the recipients of its services (if identifiable) without undue delay. This information obligation can be fulfilled by any available means, such as information on the website, mailing lists, messages in an application, or paper communications. The same goes for any measures or corrections in response to a significant cyber-threat.

6. Additional considerations

These guidelines apply solely to Belgium. Other EU member states may adopt slightly different rules.

This new notification obligation does not remove the requirement to notify the national data protection authority (e.g. the BDPA), as prescribed by the GDPR, in the event of a personal data breach.

The specific rules established by the EU Commission for the notification of incidents in the digital infrastructure and ICT service management (B2B) sectors, as well as by digital providers (as defined in the NIS 2 Law), have also taken effect. In case of conflict with CCB guidelines, these specific EU rules will take precedence. Additionally, specific notification procedures for the financial sector are outlined in the EU Digital Operational Resilience Act (Regulation 2022/2554).

7. Key takeaways

  • Make sure to create an incident handling policy, including the roles and responsibilities for the discovery, examination, qualification, containment, recovery and reporting of significant incidents. Be sure to include criteria allowing the quick determination if an incident is significant or not. For incidents involving personal data, prepare to report under both NIS 2 and GDPR requirements.
  • Ensure relevant personnel understand NIS 2 requirements and can quickly identify and report significant incidents.
  • If your entity falls under other specific categories listed by the EU Commission, familiarise yourself with the special rules that apply.
  • Be sure to strictly follow the incident response deadlines put forward by the CCB.