This Friday, 18 October 2024, the Belgian Act of 26 April 2024 and the accompanying Royal Decree of 9 June 2024, transposing the NIS2 Directive (together the “Belgian acts transposing the NIS2 Directive”), will come into effect. In a previous Legal Eubdate, we informed you about the key implications of NIS2 for your organisation. On the occasion of the entry into force of these acts, we now take the opportunity to reiterate the main takeaways.
Entry into force of the Belgian acts transposing the NIS2 Directive
The obligations of the Belgian acts transposing the NIS2 Directive will enter into force on 18 October 2024. The application of the different obligations over time can be outlined as follows:
Registration requirement or designation by CCB
You should check and analyse for your organisation whether it falls within the scope of the Belgian acts transposing the NIS2 Directive and whether it qualifies as an essential or important entity. If this is the case, you must register with the competent authority, namely the Centre for Cybersecurity Belgium (“CCB”) through its online tool.
Designation by the CCB as an essential or important entity, regardless of the entity's size, is only possible under strict conditions. This can be the case where the entity (i) is the sole provider in Belgium of a service that is essential for the maintenance of critical societal or economic activities, (ii) is critical because of its specific importance at national or regional level for its sector or for interdependent sectors, (iii) provides a service whose disruption could have a significant impact on public safety, public security or public health, or (iv) provides a service whose disruption could induce a significant systemic risk, in particular where that disruption could have a cross-border impact.
Considerations for corporate groups
The size of an entity largely determines whether it falls within the scope of NIS2. As a rule, NIS2 applies only to medium-sized and large entities active in one of the covered sectors, using the thresholds of Recommendation 2003/361/EC. Those thresholds combine a headcount criterion with a financial criterion, the latter being either the annual turnover or the annual balance sheet total. An entity employing at least 50 FTEs is at least a medium-sized entity and therefore, in principle, in scope. An entity with a smaller workforce is only medium-sized if both its annual turnover and its annual balance sheet total exceed EUR 10 million; otherwise it is a small enterprise and, as a rule, falls outside the scope.
It is important to remember that this assessment is generally not made on a stand-alone basis: the so-called "partner enterprises" and "linked enterprises" are also taken into account. However, for certain types of investors (including venture capital companies), there is an exemption from these consolidation rules, provided they do not exert a dominant influence over the entity concerned. Note that in the event of a merger or acquisition, the size of an entity is re-evaluated at the time of closing: an entity that was previously not covered may fall within the scope solely because of the size of the group it becomes part of, so the NIS2 assessment belongs in the due diligence and closing checklist of any transaction.
For group entities that do not qualify as medium-sized or large enterprises on a stand-alone basis and that retain a high degree of independence in relation to their partner enterprises or linked enterprises, the qualification may be adjusted. The national cybersecurity authority must take into account the degree of independence the entity enjoys, particularly in relation to the network and information systems it uses to provide its services, and the services it provides. This means that an entity could be reclassified as an important (rather than essential) entity, or even fall outside the scope of NIS2 altogether.
Reporting obligations
Your organisation should prepare to report cyberincidents, including by putting the necessary internal arrangements in place (for instance an incident response and notification policy that defines who assesses whether an incident is "significant" and who files the notification). The reporting obligation follows a tight schedule: significant incidents must be reported to the national CSIRT, which in Belgium is the CCB, according to the following timeline:
In certain cases, you may also be required to report significant incidents and significant cyberthreats to recipients of your services.
Supply chain management
When determining the necessary cybersecurity risk-management measures, you should consider supply chain security. This requires an analysis and evaluation of the cybersecurity measures of your direct service providers and suppliers, taking into account the specific vulnerabilities of each of them and the overall quality of their products and cybersecurity practices. This also represents an opportunity to pass on security obligations and measures to parties within your supply chain. You should therefore consider including the necessary contractual clauses in agreements with your suppliers and service providers (for instance minimum security requirements, incident notification duties and audit rights), so that the information you need for your own risk assessment and incident reporting is contractually available to you.
Role of an entity’s management bodies
Under the NIS2 rules, the “management bodies” of the relevant entity are responsible for approving and monitoring the implementation of appropriate and proportionate risk-management measures. Additionally, members of the management body must follow training to acquire the necessary skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
The law also places greater emphasis on the liability of management bodies and their members. However, the extent to which the legislator intended to impose liability is not always clear from the legal text or its preparatory works. This will undoubtedly remain a topic of discussion. What is clear, however, is that some obligations are not limited to management bodies in the strict sense, and that certain members of (senior) management are also targeted.
Recent developments
On 17 October 2024 the European Commission published the long-awaited implementing regulation for the NIS2 Directive (Commission Implementing Regulation (EU) 2024/2690). The implementing regulation applies specifically to certain digital infrastructure and digital service entities, including DNS service providers and cloud computing service providers. It specifies when an incident is to be considered a "significant incident" for those entities and lays down technical and methodological requirements for the risk-management measures referred to in Article 21(2) of the NIS2 Directive.
The CCB's work has also been gaining momentum in the run-up to the entry into force on 18 October 2024. The CCB published a NIS2 FAQ in July 2024. In addition, BSI Group The Netherlands B.V. and Vinçotte were recently announced as the first accredited and authorised conformity assessment bodies (CABs) to certify entities under the Belgian acts transposing the NIS2 Directive.
Cyberincidents happen every day. Investing in good cybersecurity and follow-up pays off. The NIS2 Act imposes penalties for non-compliance: for essential entities, administrative fines of up to EUR 10 million or 2% of the entity's total worldwide turnover in the previous fiscal year, whichever is higher (a lower ceiling applies to important entities). In addition, various administrative measures can be imposed, including warnings, binding instructions, and the temporary suspension of a certification or licence.
Eubelius will be happy to assist you with advice, preparation of security policies, training your staff, audits, and your preparation for and handling of cyberincidents.