The EU Network and Information Security (NIS) Directive has been implemented in Belgian law. What does it mean for you?
At a time when cyber threats are everywhere, the national legislator has introduced a new act aimed at fostering a culture of cybersecurity in Belgium.
The new act, dubbed the Network and Information Security Act or NIS Act, dates from 7 April 2019 and was published in the Official Gazette on the 3rd of May, 2019. The Act also entered into force on that date. The NIS Act is Belgium’s transposition of the Network and Information Security Directive, which was adopted by the European legislator in July 2016, a few months after the GDPR.
Many practical aspects foreseen in the new law will be further elaborated in a Royal Decree, a draft of which has been approved in the Council of Ministers and is currently being reviewed by the Council of State.
Besides creating a governmental oversight and collaboration mechanism for cybersecurity matters, this Act imposes information security obligations on certain market players. These obligations mainly revolve around taking preventive (information) security measures and reporting incidents.
The Network and Information Security Act contains obligations for two types of stakeholders: operators of essential services and digital service providers.
The two annexes of the Act list the market sectors in which these stakeholders are to be found.
Firstly, your organization will only be an operator of essential services under this Belgian law when:
Secondly, all operators of essential services must be active in one of the following sectors:
For each of these sectors Annex 1 of the Act explains which operators within that sector are targeted by the NIS Act. To be considered an operator of an essential service in any sector, your organization must provide a service that:
An incident is any event that has an actual adverse effect on the security of your organization's network and information systems (meaning, among other things, your networks, servers, hard drives, terminal equipment, routers, firewalls, sensors, SCADA systems, applications and data). Note that this is a far broader notion than a personal data breach in the sense of the GDPR: it covers availability and integrity failures of systems and of non-personal data, not only confidentiality breaches of personal data.
Such an incident must be capable of having a significant disruptive effect on the provision of your organization's service. It is up to the authority competent for your sector to determine the thresholds for what constitutes a significant disruptive effect.
Note, however, that even if your organization meets the criteria outlined above, it does not automatically become an operator of essential services. The authority competent for your sector must formally appoint you as such an operator.
As long as that has not happened, you remain only a potential operator of essential services and the impact of the NIS Act on your organization will be fairly limited.
Digital service providers only fall under the new NIS Act when:
Only when you provide a digital service will you fall under the NIS Act. A digital service is an information society service that is either:
An online marketplace is an information society service that allows consumers and/or traders to conclude online sales or service contracts with traders, either on the online marketplace's own website or on a trader's website that uses computing services provided by the online marketplace.
A cloud computing service is an information society service that enables access to a scalable and elastic pool of shareable computing resources. Please note that this definition covers more than Infrastructure-as-a-Service (IaaS) models. The NIS Directive clarifies that computing resources are to be interpreted as including "networks, servers or other infrastructure, storage, applications and services". Companies that provide Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS) are therefore also providers of cloud computing services in the sense of the NIS Act.
Contrary to what is the case for operators of essential services, you are automatically a digital service provider in the sense of the NIS Act the moment you meet the legal requirements. There is no need to be appointed as such by the national or a sectoral authority.
As a first step you appoint a single point of contact (SPOC) for the security of your network and information systems and inform your sectoral authority of the SPOC's contact details within 3 months after having been designated an operator of essential services.
As a second step you should identify possible risks to the security of your network and information systems. The risks you are looking for relate to any sort of action that may threaten the availability, authenticity, integrity or confidentiality of the data stored, transferred or processed with your network and information systems, as well as of any linked services provided with those systems. Bear in mind that these risks include those you need to consider under Article 32 of the GDPR but are in fact broader: the NIS Act also requires you to take into account threats to the systems and services themselves, as well as threats to data other than personal data.
As a third step you are to establish, test and implement the measures required to mitigate the risks to your systems. These measures should take the state of the art into account and should be part of a security policy. This security policy must be drafted within 12 months after the appointment as operator of essential services and implemented within 24 months. It is highly advisable to align your security policy with ISO/IEC 27001. A business continuity plan should be a key element of the measures you take.
First of all, if you are a micro or small enterprise, the NIS Act's obligations to take security measures and to notify incidents do not apply to you. You are still required to appoint a data protection officer, though.
As with operators of essential services, digital service providers must appoint a single point of contact for their network and information systems and inform the sectoral authority. They must also take appropriate technical and organizational security measures. These measures must take the state of the art and the identified risks into account. In terms of steps to follow, digital service providers therefore go through a similar flow to operators of essential services.
Contrary to the situation for operators of essential services, where it is up to the sectoral authorities to provide practical guidance on what the risks and measures to take may be, the European Commission has provided more detailed guidance on how digital service providers are to take such appropriate measures in an Implementing Regulation (Commission Implementing Regulation (EU) 2018/151).
Both operators of essential services and digital service providers are required to report incidents under the NIS Act. However, the criteria which determine whether an incident is to be reported as well as the modalities of reporting an incident differ greatly for operators of essential services and digital service providers.
For operators of essential services, incidents are to be notified when they have a significant impact on the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential services depend. Specific thresholds to determine whether an incident has such a significant impact can be set by Royal Decree. If no thresholds have been set, you have to report all incidents with an impact on the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential services depend. Special notification categories can also be created by Royal Decree. Incidents are to be reported to the Centre for Cybersecurity Belgium (CCB) and to the competent sectoral government or authority.
For digital service providers the incident reporting obligation is somewhat different. The European Commission has determined, in its Implementing Regulation, the thresholds for whether an incident has a substantial impact and is therefore subject to the reporting obligation. You must report incidents through an electronic platform to be set up by Royal Decree. Keep in mind that certain information must be included in your incident report. Note that this platform will also serve to report personal data breaches to the Belgian Data Protection Authority.
The NIS Act requires both operators of essential services and digital service providers to appoint a data protection officer (DPO). The NIS Act therefore lowers the threshold for the circumstances in which a DPO must be appointed: it does not look at the nature of the processing activity or the nature of the personal data processed, but only at the service you provide. If you are subject to the NIS Act, you are required to appoint a DPO.
Comparable to the GDPR, the NIS Act provides for both administrative fines and criminal penalties when operators of essential services and digital service providers do not comply with its provisions.
Moreover, the competent authorities will have far-reaching supervisory powers to monitor compliance with this new Act. The NIS Act may not have received as much attention as the GDPR, but your compliance with it will be as important.
If you want more information on what this Act will mean for your organization or if you are looking for an external data protection officer, please contact one of our lawyers. We will gladly assist you.