Implementation of the NIS-Directive: the draft Belgian Act establishing a framework for the security of network and information systems is finally published (Lydian)
Publication date: 06/02/2019
On 12 November 2018, the Belgian government submitted a Draft Act establishing a framework for the security of network and information systems of general interest for public security (the Draft Act), which aims at implementing the Network and Information Security (NIS) Directive (Directive (EU) 2016/1148 of 6 July 2016) (the NIS-Directive). The Directive establishes a minimal level of security of network and information systems but allows Member States to adopt or maintain provisions with a view to achieving a higher level of security. The Belgian government has asked the Chamber for an emergency treatment, which does not come as a surprise since the NIS-Directive required the EU Member States to adopt the implementing laws, regulations and administrative provisions by 9 May 2018.
Here are some of the important takeaways of the Draft Act for private-sector companies.
Which authorities will be competent?
The Draft Act states that the Belgian competent authorities will be established or assigned by Royal Decree, except if they are already established by law (e.g. certain sectoral authorities such as the Belgian Institute for Postal Services and Telecommunications (BIPT), the National Bank of Belgium (NBB) and the Financial Services and Markets Authority (FSMA). Specific details will therefore primarily be disclosed in the said (future) Royal Decree(s). The Draft Act specifies that these competent authorities include:
- a national authority, entrusted with the follow-up and coordination of the implementation of the Draft Act and serving as a central point of contact;
- a national Computer Security Incident Response Team (CSIRT);
- sectoral authorities entrusted with the follow-up and coordination of the implementation of the Draft Act in a specific sector;
- an authority that assists the national authority with the coordination of the identification of the operators of essential services; and
- inspection services, entrusted with the surveillance of compliance with the Draft Act.
Which operators will be considered as operators of essential services?
The Draft Act obliges operators of essential services to take certain measures in order to secure their network and information systems. Such operators are public or private entities of a type referred to in Annex I of the Draft Act (which is very similar to Annex II of the NIS-Directive and includes the energy sector (electricity, gas, oil), the transport sector (air, rail, water and road transport), the banking sector, financial market infrastructures, the health sector, the drinking water supply and distribution sector and the digital infrastructure sector) which meet the following criteria:
- the entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- the provision of that service depends on network and information systems (this condition is presumed to be fulfilled but entities are allowed to prove the contrary); and
- an incident would have significant disruptive effects on the provision of that service, taking into account at least the following cross-sectoral factors: (a) the number of users relying on the service provided by the entity concerned; (b) the dependency of other sectors referred to in the Draft Act; (c) the impact that incidents could have, in terms of degree and duration, on economic and societal activities or public safety; (d) the market share of that entity; (e) the geographic spread with regard to the area that could be affected by an incident; and (f) the importance of the entity for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service.
The Draft Act entrusts the sectoral authorities with the task of identifying the operators of essential services on the basis of the criteria mentioned above, but keeping in mind that the Draft Act only applies to operators which have an establishment in Belgium. As mentioned above, not all competent sectoral authorities are known yet. Therefore, operators of essential services still have to be identified.
What are the obligations of the operators of essential services?
Network and information systems are crucial in a modern society and many entities that provide essential services for maintaining critical social or economic activities in Belgium depend on such systems. An incident that affects network and information systems could have a significant disruptive effect on the provision of such essential services. Therefore, the Draft Act obliges operators of essential services to, amongst other things:
- provide a description of the network and information systems they depend on;
- take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems which they use, including the development of a security policy (the Draft Act explicitly states that the ISO/IEC 27001 norm or a recognised equivalent norm shall be deemed to conform to the security requirements until proven otherwise);
- designate a contact point;
- notify the competent authorities of incidents having a significant impact on the essential services they provide (a Royal Decree should specify the modalities of such notification and establish a platform for this purpose);
- prevent and minimise the impact of incidents; and
- organise a yearly internal audit and a three-yearly external audit at their own expense.
What are the risks in case of non-compliance? Sanctions and penalties
The Draft Act foresees both criminal and administrative sanctions for operators of essential services that do not comply with the obligations in the Draft Act. The criminal sanctions set forth are (other than in exceptional circumstances such as repetition) fines (ranging from 26 to 75,000 EUR (to be multiplied by eight)) and prison sentences (ranging from 8 days to 2 years). Administrative sanctions generally range from 500 to 200,000 EUR.
Waiting for the draft Royal Decree
Even though the Draft Act is a step in the right direction, Belgium is far from ready with the implementation of the NIS-Directive. It remains to be seen which companies will be labelled as operators of essential services.
To be continued…