Newsflash
Data protection and privacy

On 17 May 2024, the law establishing a framework for the cybersecurity of network and information systems of general importance for public safety (the NIS 2 Act) was published in the Belgian State Gazette. The NIS 2 Act replaces the NIS 1 Act and has a much broader scope. The law requires certain essential and important entities to take appropriate measures to enhance their cybersecurity. Additionally, the law provides for reporting obligations, strict penalties, and director liability.

1 NIS 1

In 2016, the current NIS 1 Directive came into effect. It was subsequently implemented into Belgian legislation through the NIS 1 Act of 7 April 2019. The law applies to a limited number of sectors (e.g., energy, transportation, digital services, etc.) and requires companies in these sectors to implement certain minimum security measures and report incidents. It soon became evident that the scope of the NIS 1 Act was too limited and that the measures did not go far enough in some areas. This led to the NIS 2 Directive, also referred to as ‘NIS 1 on steroids’.

2 Broader material scope

The material scope of the NIS 2 Act is significantly broader than that of its predecessor. The existing sectors covered by the law have been expanded, and new sectors have been added.

The NIS 2 Act applies to ‘entities’, which includes both natural persons and legal entities. Public or private entities generally fall within the scope of the NIS 2 Act as soon as they meet the following cumulative conditions:

  • they operate within one of the sectors specified in the two annexes of the law, and
  • they have a certain size. This is the case if the entity employs at least 50 employees or has an annual turnover of more than EUR 10 million.

There are numerous exceptions to this basic rule, making the size irrelevant for some entities.

3 Essential and important entities

The law distinguishes between essential and important entities. This qualification is generally to be carried out by the entity itself based on the guidelines in the law, but the cybersecurity authority (in Belgium, the Cybersecurity Centre, “CCB”) can also identify an entity as such. The qualification is significant for the applicable obligations and also affects the potential sanctions.

Entities are generally required to register with the CCB within 5 months of the law’s entry into force or of their identification by the CCB. With the NIS 2 Act coming into force on 18 October 2024, companies have until 17 March 2025 to complete this exercise. However, it is highly recommended to undertake it well in advance, as the substantive obligations apply from the date the law comes into effect, not from the registration deadline.

4 Cybersecurity risk-management measures

Both essential and important entities are required to take measures to secure their network and information systems. The NIS 2 Act provides an overview of the minimum measures that entities must implement. The specific implementation of these measures will depend on several factors, such as the state of the art, implementation costs, the likelihood of an incident occurring, and its risks.

A significant new measure in the NIS 2 Act is the requirement for ‘supply chain measures’. This means that the entity must ensure the quality of the cybersecurity of its direct suppliers and service providers. As a result, even companies that do not fall within the scope of the NIS 2 Act may still be indirectly affected.

The NIS 2 Act also requires entities to have a policy on risk analysis and the security of information systems. Having a policy alone will not be sufficient: internal training in cybersecurity must also be provided. In particular, members of the governing bodies are required to undergo training to ensure they have sufficient knowledge and skills to identify and manage risks.

Essential and important entities also have a reporting obligation for significant incidents. The entity must make an initial report to the national computer security incident response team (CSIRT) within the CCB without delay, but in any case within 24 hours of becoming aware of the incident.

5 Sanctions and liability

Failure to comply with the NIS 2 Act can be sanctioned with various administrative measures and fines. These fines can amount to up to EUR 10 million or 2 percent of the total worldwide annual turnover, whichever amount is higher.

Finally, the NIS 2 Act introduces personal liability for the natural persons who represent, control, or make decisions on behalf of the important or essential entity. According to the CCB, this is intended to raise awareness among the ‘top management’. It is advisable for top management to check whether this liability is covered by their liability insurance.

Anticipate and begin preparations now

Companies and organisations should start today with an initial analysis to determine whether they fall within the expanded scope of the NIS 2 Act. If they do, we recommend conducting a thorough gap analysis to identify which measures have already been implemented and which are still lacking. Finally, this should be developed into a concrete action plan in collaboration with all relevant stakeholders within the organisation. Special attention should be given to employee training and to training for members of the governing bodies in this process.