On 3 May 2019, the "Act establishing a framework for the security of network and information systems of general interest for public security" ("the Act") entered into force. This Act is the long-awaited Belgian implementation of Directive (EU) 2016/1148 of 6 July 2016 laying down measures for a high common level of security of network and information systems across the Union (the NIS Directive). The implementation comes almost one year after the deadline for member state transposition, which expired on 9 May 2018.
Aim and consequences
The implementation Act aims to guarantee a high level of security of essential network and information systems in order to safeguard the continuity and public security of critical social or economic services.
In order to achieve this aim, the Act obliges the providers of such services:
- To take technical and organizational security measures that prevent incidents or limit their impact. The Act defines an incident as any event that has, or may have, an actual negative impact on the security of network and information systems;
- To develop a security policy ("I.B.B.") in accordance with ISO/IEC 27001;
- To report an incident as soon as it occurs. This report must be made to the national Computer Security Incident Response Team (CSIRT), to the sectoral government or sectoral CSIRT, and to the authority that will be designated as NIS contact point by the King. The latter authority will most likely be the CCB (Centre for Cyber Security Belgium);
- To carry out an annual internal audit of the network and information systems on which the provision of essential services depends, as well as an external audit every three years, both at its own expense;
- To designate a contact point that the competent authorities can reach directly with any question relating to the security of the network and information systems on which the provision of essential services depends. Except for the contact points of digital service providers (see below), this contact point must be reachable at all times.
Providers of essential services
The law applies to:
- Providers of specific essential services, such as electricity suppliers, airlines, railway infrastructure operators and financial institutions. These providers are to be designated by the competent authority. The list of designated providers must be drawn up within six months after the Act enters into force, a period which, in view of the late implementation, has already expired.
- Digital service providers, which, according to the Act, include all providers of online marketplaces, online search engines and cloud services that have their headquarters in Belgium or, if they are not established in the EU, that provide services in Belgium and have a representative in Belgium. The Act defines such a representative as any natural or legal person established in Belgium who is expressly designated to act on behalf of a digital service provider not established in the Union, and who can be contacted by the national authority, the competent sectoral authority or the competent inspection service instead of the digital service provider. Micro and small enterprises are excluded from the scope of the Act.
Relationship with GDPR
Given that the NIS Directive and Act impose mandatory security measures, they overlap with the General Data Protection Regulation (GDPR) where the latter imposes obligations aimed at the security of personal data. Regardless of the overlap, both instruments remain valid alongside each other, as is also confirmed by the NIS Act. However, the two instruments have a different material and personal scope:
- Whereas the GDPR applies only to personal data, the material scope of the NIS Act is broader since the personal nature of the data contained in the network and information system, on which the essential services depend, is irrelevant to decide whether there is a NIS incident. For example, if the networks of a provider subject to the NIS Act are hacked and data are obtained, then the hacking constitutes an incident under the NIS if the incident has a negative impact on the security of these networks, regardless of whether or not personal data has been leaked. On the other hand, there is only a data breach under the GDPR when personal data has been leaked.
- Conversely, the group of entities targeted by the NIS Act is much narrower than the group targeted by the GDPR. Taking again the example of hacking, and assuming that personal data has been leaked, a reporting obligation arises under the GDPR. A reporting obligation under the NIS Act does not necessarily arise, however, since that requires the data controller to be on the list of essential service providers or to be a digital service provider under the NIS Act.
In other words, a NIS incident may be a GDPR data breach, but a GDPR data breach is only linked to an incident under the NIS Act if it occurs at a provider targeted by the NIS Act.
It is therefore important to determine whether an entity is covered by the NIS Act or not; for essential service providers this is decided by the competent authority. If you fall under the NIS Act and an incident occurs, you must check for that specific incident whether personal data has been leaked (and whether the other conditions under the GDPR have been met). If no personal data was leaked, there is only an obligation to report under the NIS Act. If personal data has been leaked, there is also a reporting obligation under the GDPR.
The implementation of the NIS Directive is to be welcomed, as the Act expands the group of entities subject to mandatory security measures compared to the former law of 1 July 2011 on the protection of critical infrastructures. Furthermore, Belgium will contribute to a high level of security of network and information systems in the EU.
Nevertheless, the competent authorities and the essential service providers concerned must be designated as soon as possible, so that these actors know where they stand after a one-year delay and can take the necessary steps to comply with the obligations imposed by the Act. Digital service providers, for their part, should determine whether they meet the criteria laid down in the Act and are therefore subject to it.
Do you have any questions or doubts about the applicability of the NIS Act to your company and the obligations which follow from it? Do not hesitate to contact us.