An important milestone for cybersecurity in Belgium was achieved on April 18, 2024, when Parliament approved the transposition of the EU NIS2 Directive. Many companies across a variety of sectors will face increased cybersecurity obligations scheduled to take effect on October 18, 2024. Compliance has significant consequences, including not only director liability but also administrative sanctions and fines.
Scope of application
NIS2 repeals and replaces the NIS1 Directive (Directive (EU) 2016/1148 on measures for a high common level of security of network and information systems across the European Union), which was judged insufficient to deal with the escalating incidents accompanying the digitalization of society. NIS1 had already set certain minimum cybersecurity standards for companies and sectors considered important to society. These included “digital service providers” (providers of online search engines, online marketplaces and cloud computing services) and “operators of essential services” (e.g. the energy, healthcare and transport sectors). The parties concerned were obliged, among other things, to implement technical and organizational security measures and to notify national cybersecurity authorities of significant cybersecurity incidents.
NIS2 requires entities in 12 sectors to take cybersecurity risk management measures and to comply with incident notification obligations. The new rules also enhance and streamline the security and reporting requirements by establishing a minimum list of critical elements that all covered companies must consider or implement, including incident management, supply chain security, and vulnerability handling and disclosure.
The entities involved fall into two main categories (the first category is subject to the most stringent obligations).
Organizations in these sectors (with some exceptions) are subject to NIS2 if they meet certain criteria in terms of size (number of employees and annual turnover).
These companies are subject to strict minimum cybersecurity risk management requirements: they must implement specific risk analysis policies, provide appropriate incident handling, auditing and testing, and perform cybersecurity supply chain due diligence (assessing the cybersecurity practices of their suppliers and service providers). The rules on incident notification have also been tightened.
Member States will have until April 17, 2025 to draw up a list of entities covered by NIS2 and may also impose self-registration on entities.
How has Belgium approached the transposition of the NIS2 Directive?
Belgium has decided to take advantage of the possibility of expanding the list of entities covered by the NIS2 regime. More precisely, Belgian transposition law allows for the expansion of the existing list as well as the inclusion of additional sectors and sub-sectors through Royal Decree. Additionally, there is flexibility for national regulators to add specific companies to the list. Therefore, even if a company is not currently involved or listed, it remains possible that it will be included in the future.
Given the large number of entities likely to fall under NIS2, entities are required to register themselves within two or five months of the law's entry into force. A platform will be made available for this purpose.
Belgium has also expanded its list of risk management measures and information obligations. As a result, companies covered by Belgium's NIS2 law must adopt tailored vulnerability disclosure policies and take into account all potential risks in order to protect their networks, information systems and physical environments from incidents. A comprehensive risk analysis must be conducted, and on the basis of that assessment, network and information system security policies must be developed that incorporate the elements required by law. The list of duties may be further expanded by Royal Decree.
Finally, the Belgian legislator outlined a framework for overseeing compliance with NIS2. Key aspects include the designation of the competent authority and national CSIRT, the Belgian Cyber Security Center (“CCB”); the possibility for “important organizations” to undergo a voluntary preliminary assessment (required for “important organizations”); and provisions on administrative sanctions and fines.
Sanctions
Under NIS2, national regulators can issue binding injunctions and impose administrative fines of up to €10 million or 2% of annual global turnover (whichever is higher) on “essential entities”, and of up to €7 million or 1.4% of annual global turnover (whichever is higher) on “important entities”.
Note also that directors and management have a legally mandated responsibility to implement the necessary measures and to follow appropriate cybersecurity training, which potentially exposes them to personal liability if their company is not NIS2 compliant.
What's next?
Essential and important entities have until October 18, 2024 to effectively organize their NIS2 compliance. From that date, the new cybersecurity regime will apply.
In addition, further cybersecurity requirements will apply to certain companies, particularly those operating in the financial sector, from January 1, 2025 under the Digital Operational Resilience Act; the law implementing it is currently being debated in the Belgian Parliament.
The content of this article is intended to provide a general guide on the subject. You should seek professional advice regarding your particular situation.