Following the publication of a royal decree dated 12 July 2019, the notification obligation for cyberincidents has become applicable to all organisations that offer "essential services", with effect from 18 July 2019. This is an important first step in implementing the NIS Act to safeguard the cybersecurity of our society and economy.

In a previous Eubelius Flash we informed you about the publication of the Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public security (the Act). It transposed the European NIS Directive (2016/1148/EU) into Belgian legislation. The Act introduced a mandatory obligation for the notification of incidents for organisations that offer an essential service, such as energy, healthcare or transport, etc. and organisations that offer digital services.

A royal decree was awaited to specify the application of certain rules. This royal decree of 12 July 2019 (the RD) was published in the Belgian Official Gazette on 18 July 2019 and entered into force immediately.

The RD is important because it answers the following three questions:

  • Who is responsible for notification in case of an incident, when, and to which authorities?
  • Which competent authorities have to be notified, generally and per sector?
  • Which conditions apply to institutions performing external audits for providers of essential services?

Who is responsible for notification in case of an incident, when, and to which authorities?

Which competent authorities have to be notified, generally and per sector?

Which conditions apply to institutions performing external audits for providers of essential services?

The Act provides for the establishment of external audits. Primarily, the institutions performing such audits have to fulfil the accreditation criteria of ISO/IEC 17021 or ISO/IEC 17065. These rules lay down specific requirements for any organisation wishing to perform cybersecurity audits and certification of management systems. Furthermore, the Act imposes conditions to ensure that the certification is conducted in a competent, consistent and impartial manner.

In addition, these institutions have to comply with operating procedures of the accreditation system that are applicable to the accredited institutions. The RD does not go into the specific sectoral or optional measures which could be regulated by forthcoming royal decrees. Inevitably, additional royal decrees will be adopted over time.

The European Union recently adopted a new Regulation (2019/881 of 17 April 2019) for an increased level of cybersecurity. The Regulation instructs the European institution which monitors cybersecurity, ENISA, to develop additional certification standards. These standards will be a determining factor for the auditing and certification of systems as being safe in terms of cybersecurity.