On 14 December 2022, the EU legislator adopted Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the “NIS 2 Directive”), repealing the 2016 NIS 1 Directive (the “NIS 1 Directive”).
The NIS 2 Directive has been transposed in Belgium by the law of 26 April 2024 establishing a framework for cybersecurity of network and information systems of general public security interest (the “NIS 2 Law”), complemented by the Royal Decree of 9 June 2024 implementing the NIS 2 Law (the “NIS 2 Royal Decree”).
The NIS 2 Law entered into force on 18 October 2024, which was the deadline for Member States to apply the transposed measures of the NIS 2 Directive.
GOALS OF NIS 2
NIS 2 has the same objectives as its predecessor, NIS 1, namely:
- imposing specific cybersecurity obligations on:
  - EU Member States, regarding their national cybersecurity;
  - entities of a critical sector;
- organising cybersecurity information sharing across the EU; and
- providing for specific supervisory and enforcement obligations for national authorities.
SCOPE OF APPLICATION
Since NIS 1, cyber threats have increased, as have our economic and societal connectedness and dependence on the digital world. Therefore, the scope of NIS 2 has been significantly enlarged, regarding both the types of entities and the critical sectors falling in scope.
In principle, any entity meeting all of the following criteria is subject to the NIS 2 requirements:
- being an entity of a critical sector, as listed in Annexes I and II of the NIS 2 Law;
- being a medium-sized or larger enterprise, i.e. having at least 50 full-time equivalent (FTE) workers or an annual turnover and/or annual balance sheet total of more than EUR 10 million;
- being established in Belgium and providing its services or conducting its activities in the EU.
Some entities are subject to NIS 2 irrespective of their size, because they are active in specific sectors or services designated in the NIS 2 Law, or because they have been designated as critical or important by the competent authorities. Finally, operators of a critical infrastructure within the meaning of the Belgian Law of 1 July 2011 on the Security and Protection of Critical Infrastructures are also in scope.
In addition, the impact of NIS 2 extends beyond the entities directly within its scope. The NIS 2 Law requires the entities subject to it to ensure the security of their supply chains. As a consequence, the NIS 2 requirements apply indirectly to the service providers of NIS 2 entities.
Once an entity falls within the scope of NIS 2, it does so for the entire scope of its activities (and not only for the activities considered critical). This is the case even if the entity concerned provides the in-scope services on an ancillary basis or as part of a broader range of activities.
OBLIGATIONS FOR NIS 2 ENTITIES
The NIS 2 Law distinguishes between important entities and essential entities (together, the “NIS 2 entities”), with more stringent requirements imposed on the latter category.
REGISTRATION
NIS 2 entities must register with the Centre for Cybersecurity Belgium (CCB), which has been appointed in the NIS 2 Royal Decree as the national cybersecurity authority for Belgium.
The deadline for such registration depends on the type of entity. In principle, all NIS 2 entities must register by 18 March 2025, but some must register by 18 December 2024.
CYBERSECURITY RISK-MANAGEMENT MEASURES
NIS 2 entities must implement technical, operational and organisational measures to manage the risks which threaten the security of their network and information systems.
Those measures must be approved by the management body of the entity concerned, which must also oversee their implementation on a continuous basis. The management body may be held liable if the entity breaches its obligations regarding these risk-management measures.
NOTIFICATION OF SIGNIFICANT INCIDENTS
NIS 2 entities must notify the CCB, without undue delay, of any significant incident affecting the provision of their services in the sectors or subsectors listed in the Annexes of the NIS 2 Law.
As is customary, the incident must be reported in several phases, with a different level of detail to be provided at each phase of the report.
Where appropriate, the NIS 2 entities must also promptly notify the recipients of their services of any significant incident that could affect the services provided to them.
SUPERVISION
NIS 2 entities are subject to a supervision regime, the type of which depends on whether the entity concerned qualifies as an essential or an important entity:
- Essential entities must undergo a regular conformity assessment of the implementation of their cybersecurity risk-management measures. Entities have a choice between three options:
  - a CyberFundamentals (CyFun®) certification or verification with the relevant scope of application, granted by a conformity assessment body (CAB) approved by the CCB after accreditation by the National Accreditation Body (BELAC);
  - an ISO/IEC 27001 certification with the relevant scope of application, issued by a CAB accredited by an accreditation body that has signed the mutual recognition agreement (MLA) governing the ISO 27001 standard within the framework of the European co-operation for Accreditation (EA) or the International Accreditation Forum (IAF);
  - an inspection by the CCB inspection service (or by a sectoral inspection service).
  An entity which submits a conformity assessment statement is presumed to have complied with its NIS 2 obligations.
  Essential entities are also supervised ex post by the inspection service, i.e. after an incident or on the basis of evidence, indications or information that an entity is not complying with the obligations of the law.
- Important entities are in principle only subject to ex post supervision and are therefore not subject to regular conformity assessments. They may nonetheless voluntarily submit to the same regime as essential entities and thereby also benefit from a presumption of conformity.
The CCB can take a wide range of administrative measures, including (i) warnings, (ii) binding instructions, (iii) orders to publish the observed breaches and/or to inform the users of the services concerned, (iv) orders to cease conduct or to ensure compliance, (v) the designation of a monitoring officer for a specific period (for essential entities), (vi) orders to implement the recommendations provided, (vii) the temporary suspension of a certification or authorisation concerning part or all of the relevant services provided (for essential entities), or (viii) a temporary prohibition on the exercise of managerial functions (for essential entities).
Administrative fines can also be imposed, ranging from EUR 500 to EUR 10,000,000 or 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher.
If you have any questions or would like to discuss the potential impact of NIS 2 regulations, feel free to reach out to us at digitalfinance@simontbraun.eu.
***
This newsletter does not constitute legal advice or a legal opinion. Please consult with a legal counsel of your choice before taking any action based on the information provided.