NIS Law: the new incident notification procedure

Incident notification obligation according to the NIS Directive

The law of 7 April 2019 (the ‘NIS law’) states that the Operators of Essential Services (OES) and the Digital Service Providers (DSP) shall, amongst other things, notify any incident that have a significant impact on their networks and information systems or on the provision of their services.

This law transposes into Belgian law the Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the ‘NIS Directive’). For more information about this law, see our previous news dedicated to it.

Notification procedure

Since July 18, such notification shall be made simultaneously to:

• the Centre for Cybersecurity Belgium (CCB),
• the Directorate-General Crisis Centre (DGCC) of the FPS Internal Affairs; and
• the relevant sectoral authority (as identified in Annex 1 of the Royal Decree of 12 July 2019) or the sectoral CSIRT (Computer Security Incident Response Team).

Furthermore, this notification shall be made:

• through a secure notification platform (accessible by Internet via a secure connection); and
• by using the incident notification form established by the CCB.

This notification must contain all available information to determine the nature, causes, effects and consequences of the incident.

If the OES or DSP does not dispose of all the information contained in the form, it must complete the initial notification as soon as it is in possession of the missing information.

Finally, the CCB, the sectoral authority or its sectoral CSIRT or DGCC may request additional information from the OES or DSP on the notification(s) it has made.

See: Royal Decree of 12 July 2019 implementing the Act of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security, as well as the Act of 1 July 2011 on security and critical infrastructure protection.