NIS

UPDATE: NIS will be replaced at the end of 2024 by NIS2.

The NIS Directive is European Directive No. 2016/1148 of July 6, 2016, laying down measures for a high common level of security of network and information systems in the Union. This directive had to be transposed into Belgian law by May 9, 2018, which was done through the law of April 7, 2019 establishing a framework for the security of network and information systems of public interest for public security (abbreviated NIS Act). This law should be read together with the royal decree of April 7, 2019 establishing a framework for the security of network and information systems of general interest for public security, and with the law of July 1, 2011 on the security and protection of critical infrastructures (abbreviated: the NIS RD).

The NIS regulations aim to provide a response to cyber threats and to push companies towards better cybersecurity through legal means. The law imposes obligations on many Belgian companies, such as taking preventive (information) security measures and reporting incidents. It also introduces government oversight and a mechanism for cooperation in cybersecurity.

Below we provide an overview of the NIS regulations.

To which companies does the NIS law apply?

The NIS Act applies to: (1) essential service providers and (2) digital service providers.

1. Providers of essential services

The NIS Act only applies to companies that offer essential services in Belgium. This is the case when the company has its establishment in Belgium or - failing that - offers an essential service on Belgian territory.

The NIS Act only targets providers of essential services in the following sectors: [i] energy (electricity, oil and gas), [ii] transportation (air, rail, water and road), [iii] finance (financial institutions and financial trading platforms), [iv] healthcare (healthcare institutions such as hospitals and healthcare providers), [v] drinking water and [vi] digital infrastructures.

Not all enterprises within these sectors are covered by the NIS Act. Only those enterprises are covered that are essential to maintaining critical societal and/or economic activities, that depend on network and information systems, and for which an incident would have a significant disruptive effect.

Such an incident refers to an event that has an actual negative impact on the security of the enterprise's network and information systems (think networks, servers, hard drives, terminals, routers, firewalls, sensors, software and data).

Importantly, an enterprise is only considered an essential services provider when the sectoral authority has formally designated the enterprise. It is that same authority that will also determine whether an incident has a significant disruptive effect on the company.

2. Digital service providers

The NIS Act also applies to digital service providers that have their headquarters in Belgium, or failing that, offer digital services in Belgium and have designated a representative in Belgium.

These are only providers of digital services that offer an information society service, being [i] an online marketplace, [ii] an online search engine, or [iii] a cloud computing service.

An online marketplace is a digital service that allows consumers and/or businesses to enter into online sales or service agreements with businesses on the online marketplace's website or on the website of a business using information technology services provided by the online marketplace.

A cloud computing service is a digital service that enables access to a scalable and elastic pool of sharable computing capacity. This includes not only Infrastructure-as-a-Service (IaaS) providers, but also Software-as-a-Service (SaaS) providers.

Unlike for providers of essential services, no designation by a (sectoral) authority is necessary.

What obligations does the NIS Act impose?

Appropriate technical and organizational measures

Providers of essential services should appoint a point of contact for the security of their network and information systems. These contact details shall be provided to the sectoral authority within 3 months of designation as an essential service provider.

Next, these providers should identify the potential risks to the security of their network and information systems. These risks relate to any form of activity that could compromise the availability, authenticity, integrity or confidentiality of the stored, transmitted or processed data or related services offered or accessible through those network and information systems.

Finally, such providers should implement (and also test) the measures necessary to mitigate risks to their systems. These measures must conform to the state of technical knowledge and must be integrated into the company's security policy. Moreover, this security policy must be drawn up within 12 months of becoming an essential service provider and implemented within 24 months.

Sectoral authorities may also issue practical guidance on potential risks and measures to be taken by providers of essential services.

Digital service providers should also designate a point of contact for their computer systems and notify the sectoral authority. They should likewise take appropriate technical and organizational security measures.

Importantly, this requirement does not apply to micro or small businesses.

The European Commission, in an implementing regulation, provided more detailed guidance on how digital service providers can identify risks and take action.

Reporting incidents

Providers of essential services and digital service providers are required to report incidents.

Providers of essential services must report incidents when they significantly affect the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential services depend. These incidents must be reported to the Cybersecurity Centre for Belgium (CCB) and to the competent (sectoral) authority.

Providers of digital services must report incidents when the thresholds defined in the implementing regulation, which determine whether an incident has significant consequences, are exceeded. This obligation does not apply to micro and small enterprises.

These incidents should be reported to the Cybersecurity Centre for Belgium (CCB) through an electronic platform.

Appointment of data protection officer (DPO)

The NIS Act requires all providers of essential services and digital services to appoint a data protection officer (DPO). This extends the circle of controllers that are required to designate a DPO under Article 37 GDPR.

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be
