Is ethical hacking punishable?

In Belgium, under certain conditions, ethical hacking is not punishable. These conditions are set out in the Belgian NIS2 law, which went into effect on Oct. 18, 2024. An important aspect of this law is the tightening of the (older) rules around ethical hacking. Whereas ethical hackers enjoyed a full exemption under the Whistleblower Act of November 28, 2022 (effective Feb. 15, 2023), the NIS2 Act tightens the conditions.

What is ethical hacking?

Ethical hacking, also known as "white hat" hacking, is the practice of someone (with or without the owner's permission) performing security and penetration tests on computer systems, networks or web applications. The goal is to expose security weaknesses and vulnerabilities so that they can be fixed before malicious hackers can take advantage of them.

Ethical hackers use the same techniques and methods as malicious hackers, but with a legitimate purpose: to improve security. They may employ various techniques, such as network scans, vulnerability scans, social engineering, password testing and investigating software leaks.

This practice can be important for ensuring the security of digital systems and data, as it helps to identify and fix potential weaknesses before malicious hackers can take advantage of them.

Whistleblower exemption tightened

Hacking is, in principle, a criminal offence.

However, the Whistleblower Act exempted ethical hackers from criminal liability if they reported a vulnerability to the Centre for Cybersecurity Belgium (CCB) and four cumulative conditions were met. This exemption was groundbreaking in Belgian law and allowed vulnerabilities to be reported without legal repercussions.

However, the NIS2 Act (Articles 22 and 23) introduces stricter criteria and limits the exemption to a restricted, exhaustively listed set of offences, namely:

  • Eavesdropping on private communications (Article 314bis Sw.);
  • Hacking (Article 550bis Sw.);
  • Breach of professional secrecy (Article 458 Sw.);
  • Computer sabotage (Article 550ter Sw.);
  • Violations of the Telecommunications Act.

These are classic cyber attacks carried out remotely. In contrast, physical attacks on IT systems are no longer covered by the exemption. This means that ethical hackers who discover vulnerabilities through, for example, physical manipulation of hardware can no longer rely on legal protection. Under the Whistleblower Act, the exemption applied to all offences.

Coordinated Vulnerability Disclosure (CVD) as a standard

Another change (running concurrently with other obligations under NIS2) is the requirement for coordinated vulnerability disclosure (CVD). The Belgian NIS2 law provides for a graduated system:

  • Within 24 hours of discovering a vulnerability, the ethical hacker must submit a simplified notification containing a brief description of the vulnerability.
  • Within 72 hours, a complete notification must be submitted.

Moreover, for some entities, such as intelligence, police and judicial agencies, a prior written agreement must be concluded on the modalities and methodology for investigating potential vulnerabilities.

Limitations and uncertainties

Although the NIS2 law introduces clearer rules, there remain legal uncertainties for ethical hackers:

  1. Limited scope - The protection only applies to acts against Belgian companies or if the IT infrastructure is located on Belgian territory.
  2. Strict conditions - Only specific crimes are covered by the exemption, while other cyber-related acts, such as computer fraud (Section 504bis Sw.) or computer forgery (Section 210bis Sw.), do remain punishable.
  3. Uncertain legal basis for cross-border hacking - Ethical hackers operating internationally continue to face significant risks, and CVD operations that rely on corporate consent remain the norm.

What does this mean for ethical hackers and companies?

For ethical hackers, the NIS2 law means that they should act more cautiously and carefully consider whether their activities still fall within legal protection. For companies, it is important to implement clear CVD procedures and to cooperate transparently with ethical hackers.

To ensure legal certainty, a European regulation would be desirable.

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be
