That’s it, the NIS Directive has finally been transposed into Belgian law!
Brief outline
The Draft Act transposing into Belgian law the Network and Information Security Directive (the “NIS Directive”) (Directive (EU) 2016/1148 of 6 July 2016) has finally been adopted. As previously reported here, the objective of the Directive is to achieve a high level of cybersecurity in the EU.
The text of the Draft Act provided that the law would enter into force as soon as it was published in the Belgian Official Gazette.
It is now done! Indeed, the law of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security (the “NIS law”) was published in the Belgian Official Gazette on 3 May 2019.
Which stakeholders are concerned by the law?
The stakeholders concerned by the law are:
– the Operators of Essential Services (OES)
- operating in the sector of the transport, banking, financial market infrastructures, health, water or digital infrastructure; and
- having at least one establishment on the Belgian territory and actually carrying out an activity related to the provision of at least one essential service in Belgium.
– the Digital Service Providers (DSP)
- such as online marketplaces, online search engines and cloud computing services; and
- having their principal place of business in Belgium or providing services in Belgium and establishing representatives in Belgium for the requirements of the NIS Directive.
Here are some of the important takeways of the NIS law, in particular for the OES. Obligations relating to DSP will be discussed in a future article.
What are the obligations of the OES?
Security requirements of OES
One of the key axes of the NIS law is the obligation for the OES to develop a security policy for their information systems and networks (ISP). To address this point, the law obliges the OES, amongst other things, to:
- provide a description of the network and information systems they depend on;
- take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risks posed;
- take appropriate measures to prevent and minimise the impact of incidents;
- designate a contact point; and
- conduct a yearly internal audit and a three-yearly external audit.
Furthermore, the law explicitly states that, until proven otherwise, the ISP meeting the standard ISO 27001 shall be considered as complying with the security requirements.
Incident notifications for OES
Under the NIS law – The OES shall notify the competent authorities, without undue delay, all incidents that have a significant impact on the availability, continuity, confidentiality, integrity or authenticity of the network and information systems on which the essential service(s) it provides depend.
A Royal Decree should determine the procedures for notification and create a digital platform for this purpose.
Under the GDPR – When the breach concerns personal data, the GDPR also provides for a notification process.
In the case of a personal data breach, the controller shall notify it to the Data Protection Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This notification shall be made without undue delay and not later than 72 hours after having become aware of the incident.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall aslo communicate the personal data breach to the data subject without undue delay.
Sanctions
Breaches of the relevant legal provisions are punishable with criminal sanctions (prison sentences ranging from 8 days to 2 years and/or fines ranging from 26 to 75,000 euros (to be multiplied by 8)) and administrative sanctions (fines ranging from 500 to 200,000 euros).
Timeline for OES
1° By November, the authorities must have designated the first OESs.
2° The OES will have 12 months from the date of notification of their official designation to adopt/adapt their ISP.
3° The OES will have 24 months from the date of notification of their official designation to implement the measures provided for in their ISP.
4° The first internal security audit will be realized within 3 months of the elaboration of the ISP. The first external security audit will take place within 24 months of the first internal audit.