Following the publication of a royal decree dated 12 July 2019, the notification obligation for cyberincidents has become applicable to all organisations that offer "essential services", with effect from 18 July 2019. This is an important first step in implementing the NIS Act to safeguard the cybersecurity of our society and economy.
In a previous Eubelius Flash we informed you about the publication of the Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public security (the Act). It transposed the European NIS Directive (2016/1148/EU) into Belgian legislation. The Act introduced an obligation to notify incidents, which applies to organisations that offer an essential service, such as energy, healthcare or transport, and to organisations that offer digital services.
A royal decree was awaited to specify the application of certain rules. This royal decree of 12 July 2019 (the RD) was published in the Belgian Official Gazette on 18 July 2019 and entered into force immediately.
The RD is important because it answers the following three questions:
- Who is responsible for notification in case of an incident, when, and to which authorities?
- Which competent authorities have to be notified, generally and per sector?
- Which conditions apply to institutions performing external audits for providers of essential services?