Transposition of the NIS 2 Directive into Belgian law to strengthen cybersecurity

The law establishing a framework for the cybersecurity of network and information systems of general importance for public safety (the NIS 2 Act) was published in the Belgian State Gazette on 17 May 2024.

The NIS 2 Act requires certain essential and important entities to take appropriate measures to enhance their cybersecurity and provides for reporting obligations, strict penalties, and director liability.

Broader material scope

The NIS 2 Act has enlarged the sectors that were already covered by the NIS 1 Act and has added new ones. The NIS 2 Act applies to ‘entities’, a term that covers both natural persons and legal entities. Public or private entities generally fall within the scope of the NIS 2 Act as soon as they meet the following cumulative conditions:

  • they operate within one of the sectors specified in the two annexes of the law, and
  • they have a certain size. This is the case if the entity employs at least 50 employees or has an annual turnover of more than EUR 10 million. Exceptions may apply.

Essential and important entities

The NIS 2 Act differentiates between essential and important entities. These entities usually have to determine their qualification themselves based on the law's guidelines, but the cybersecurity authority (Centre for Cybersecurity Belgium, "CCB") can also designate an entity as such. The qualification matters for the obligations that apply and the possible sanctions. Entities have to register with the CCB within 5 months of the law's enactment or their designation by the CCB.

Cybersecurity risk-management measures

All entities that are essential or important need to protect their network and information systems. The NIS 2 Act outlines the minimum measures that entities have to put in place. How these measures are applied will vary depending on factors such as the state of the art, implementation costs, the probability of an incident occurring, and the risks it poses.

The NIS 2 Act introduces a notable new provision: the need for ‘supply chain measures’. This means that the entity has to ensure the cybersecurity of its immediate suppliers and service providers. Therefore, even companies that are not covered by the NIS 2 Act may still feel its impact indirectly.

The NIS 2 Act also requires entities to have a policy on risk analysis and the security of information systems. Having a policy alone will not be sufficient: internal training in cybersecurity must also be provided. In particular, members of the governing bodies are required to undergo training to ensure they have sufficient knowledge and skills to identify and manage risks.

Essential and important entities also have a reporting obligation for significant incidents. The entity must make an initial report to the national computer security incident response team (CSIRT) within the CCB without delay, but in any case within 24 hours of becoming aware of the incident.

Sanctions

Failure to comply with the NIS 2 Act can be sanctioned with various administrative measures and fines of up to EUR 10 million or 2 percent of the total worldwide annual turnover, whichever amount is higher. The NIS 2 Act also introduces a personal responsibility for the natural persons who represent, control, or make decisions on behalf of the entity. The CCB has confirmed that this is meant to increase awareness at the level of the 'top management'. Top management should verify whether their liability insurance covers this.

Anticipate and begin preparations now

Companies and organisations should analyse whether the NIS 2 Act applies to them. If so, they should assess what measures they already have in place and what measures are still lacking, and make a concrete action plan with all the stakeholders involved.

Author: Matthias Vandamme, Attorney – Associate Claeys & Engels
