A first approach to the Belgian transposition law of NIS 2 Directive

As cybersecurity threats continue to evolve in complexity and scale, the European Union (EU) has responded with different legislative frameworks aimed at strengthening the cyber resilience of companies, especially of critical infrastructure and essential services. Consequently, the EU adopted a revised version of the NIS Directive. The NIS 2 Directive enhances cybersecurity measures, streamlines reporting procedures, establishes uniform regulations and penalties across the EU, as well as extending guidelines to novel sectors and entities to further increase the resilience responsiveness of public and private organisations, competent authorities, and the EU as a whole.

Belgium understood the assignment and published a new Belgian transposition law in compliance with NIS 2 directive. The Belgian NIS 2 bill (transposing the European NIS2 directive) was approved by the federal parliament on April 19th in plenary session. The next step will be the implementation of a Royal Decree that will appoint authorities and specify practical procedures related to the supervision of entities.

To help you be prepared to its entry into force in October 18th 2024, here is an overview of important elements to keep in mind for all Belgian entities.

In this article, the goal is to share all relevant changes and new requirements Belgian entities must respect to comply with this new piece of legislation.


1. A comprehensive upgrade

NIS 2, an extended scope

One of the key differences between the NIS-D and NIS2 is the expanded scope of the second one. While NIS-D only applies to operators of essential services in specific sectors (such as energy, transport, healthcare and finance), under NIS2 and the Belgian transposition law, harmonised rules are introduced for medium sized and large entities, categorised as either “important” or “essential”. Additional industries and digital service providers have been included such as those in the water supply and distribution sector, the food supply sector, and the digital infrastructure sector. Digital service providers that offer online marketplaces, search engines, and cloud computing services are now also within the NIS2 scope.

Furthermore, Belgian entities will not be designated anymore by the competent authorities as falling under NIS 2 scope, but they now will have to register themselves to the CCB on a specific platform that still needs to be implemented. Stay tuned.

Cybersecurity requirements, management accountability and supply chain due diligence

Under NIS 2, entities management bodies are accountable for cybersecurity measures implementation,  as they must approve the cybersecurity risk-management measures taken, oversee its implementation and can be held liable if the entity fails to comply with security obligations.

Moreover, NIS 2 also provides a minimum of appropriate technical and organisational measures that the entities in scope need to implement. These include for example policies on risk analysis and information system security; incident handling; backup management and crisis management; cyber hygiene practices; policies and procedures regarding the use of cryptography and encryption; and the use of multi-factor authentication. The Belgian law adds the obligation to implement a Coordinated vulnerability disclosure policy.

Finally, NIS2 and its transposition law require entities to mitigate cybersecurity risks within the IT supply chain. Entities in scope are required to undertake due diligence when assessing the level of cybersecurity of suppliers. In practice, this provision therefore broadens the scope of NIS 2 to organisations that are outside its direct scope.

Reporting obligations

Any “significant incident” must be reported to the Belgian’s computer security incident response teams (“CSIRT”, notably the Centre for Cybersecurity Belgium at a national level).

Entities must notify that an incident occurred to the CSIRT within 24 hours, before submitting an incident notification within 72 hours evaluating its severity and impacts, produce an intermediate report if the authorities request to do so, and a final report no later than within one month with a detailed description of the incident, the type of threat or root cause, the mitigation measures and cross-border impacts.

Entities are also required to be fully transparent and notify the clients that are likely to be impacted by the incident: the affected services, the type of cyber threat that caused the incident and the correctives and remediation measures taken must be communicated to them.

The Belgian law also establishes a voluntary notification process following the same steps as of the mandatory one, however not creating any obligation.

Supervision and enforcement

NIS2 also contains stricter and more extensive provisions relating to monitoring and enforcement.

Member States must ensure that competent authorities effectively supervise and take the measures necessary to ensure compliance. To do so, supervisory authorities – the CCB for Belgium as well as the sector-specific ones – must be empowered to conduct on-site inspections and targeted security audits, and request information to access data or to request evidence of implementation of cybersecurity policies. When enforcement measures are ineffective, the CCB can take follow-up measures, including the suspension of a certification or authorisation and, upon obtaining a court order, the prohibition for the CEO or legal representative to perform certain duties. Financial penalties can also be imposed and can be up to 10 million euros or 2% of the annual turnover – it can be doubled in case the entity relapses.


Compliance and enforcement mechanisms

To navigate the complexities of the NIS2 Directive and the Belgian transposition law, companies must take proactive steps toward compliance.

Implementing a risk-based strategy is essential. Once it is determined whether the company falls within the obligated parties, it is necessary to define, through a gap analysis, what technical, operational, and organizational measures are appropriate to protect computer systems and networks by adopting a multi-risk approach.

The NIS 2 Directive provides clearer indications of possible measures, including:

  • 1) Risk analysis and security policies for computer systems;
  • 2) Incident management;
  • 3) Business continuity, backup management, and restoration in case of a disaster;
  • 4) Supply chain security, including aspects related to security concerning relationships between each entity and its direct suppliers or service providers;
  • 5) Security of acquisition, development, and maintenance of computer and network systems, including vulnerability management and disclosure;
  • 6) Strategies and procedures to assess the effectiveness of cybersecurity risk management measures;
  • 7) Basic cyber hygiene best practices and cybersecurity training;
  • 8) Policies and procedures regarding the use of encryption and, if necessary, anonymization or pseudonymisation;
  • 9) Human resource security, access control strategies, and active breach management;
  • 10) Use of multi-factor authentication or continuous authentication, protected voice, video, and textual communications, and emergency communication systems internally, if applicable.

It is also crucial to establish a Data Breach Recovery Plan. The regulations stipulate that in the event of a significant incident, a notification process to the competent authorities must be followed, organised into multiple phases, as specified in section 2.

In addition, the Data Breach Recovery Plan should also include the following organisational measures:

  • 1) Appointment of a cybersecurity officer;
  • 2) Defining the roles and responsibilities of staff involved in incident management;
  • 3) Defining procedures to follow in case of a data breach;
  • 4) Continuous Monitoring and Updates.

Lastly, the NIS 2 Directive requires a continuous approach to cybersecurity management, through the definition of clear objectives and constant monitoring of the results achieved. It is crucial to be able to update the measures adopted based on vulnerabilities and actual threats, both internal and external, that could compromise security.


Conclusion

The NIS2 Directive and Belgium’s transposition law mark a significant evolution in the EU’s cybersecurity framework, aiming to protect critical infrastructure and ensure the continuity of essential services. By understanding the directive’s requirements and the specific provisions of the Belgian law, companies can not only comply with the regulations but also strengthen their resilience against cyber threats. The journey towards cybersecurity is ongoing, and staying informed, prepared, and collaborative is key to navigating this landscape successfully.

Lorenzo GIORDANO & Blandine LUPINACCI
Lab Compliance Brussels