Appropriate and proportionate security measures
Stricter cybersecurity measures apply to operators of essential services and digital service providers. They must take appropriate and proportionate technical and organisational measures.
At the technical level, the organisation must put in place appropriate measures to protect its network and information systems against incidents. What is appropriate depends on the size, importance and nature of the organisation and on the state of the art. For example, a consumer version of antivirus software will not be sufficient to protect the IT systems used by air traffic controllers or for the cooling processes in nuclear reactors.
At the organisational level, the provider must set up internal procedures, measures and training regarding the use of the IT system to prevent incidents (cyber hygiene), as well as an action plan to be implemented in the event of an incident.
Drawing up a security policy for the network and information systems
Operators of essential services must describe these measures in their "security policy for the network and information systems". Security policies that meet the ISO 27001 standard are presumed to comply with the Act in the absence of evidence to the contrary. The security policy must be drawn up by the organisation within 12 months after its designation by the sectoral authority as an OES and must be implemented within 24 months.
Notification of incidents
The Act introduces a notification obligation for OESs and DSPs in case of incidents. Incidents are events with considerable effects on the availability, confidentiality, integrity or authenticity of the information systems on which the services are dependent. Potential OESs may, but are not obliged to, notify incidents.
Incidents must be immediately notified to the Computer Security Incident Response Team ("CSIRT"), the sectoral authority or its sectoral CSIRT, and the national authority that coordinates the identification of OESs, through a notification platform that will be put in place. Providers in the financial sector notify the National Bank; trading platforms notify the FSMA. It should be noted that this notification obligation is distinct from the notification obligation under the General Data Protection Regulation in the event of a personal data breach.
What is the risk?
The legislator has established firm sanctions and has provided far-reaching enforcement powers to ensure compliance with the obligations in the new Act. Violations of the Act, in particular with regard to the notification obligation, can be punished with administrative sanctions of up to EUR 200,000, and criminal sanctions with imprisonment of up to 3 years and fines of up to EUR 1,200,000.
When does the Act come into effect?
The Act entered into force on 3 May 2019, the day of its publication in the Belgian Official Gazette. A number of important royal decrees still have to be adopted for its implementation, inter alia to designate the sectoral authorities.
Cyber incidents occur every day. Investing in good cybersecurity and follow-up pays off. Eubelius is happy to assist you with advice, preparation of security policies, training for your staff, audits, and your preparation for and approach to cyber incidents.