The NIS2 Directive aims to achieve a high common level of cybersecurity across the EU. On 18 April 2024, the Belgian Parliament adopted an Act transposing the NIS2 Directive into Belgian law (the Transposition Act), which will enter into force on 18 October 2024. The Transposition Act was published in the Belgian Official Gazette on 17 May 2024. We set out the key considerations on the Transposition Act below.
Which organisations fall within the scope of the NIS2 Transposition Act?
The Transposition Act applies to organisations that both exceed a certain size threshold (the "size cap") and provide services in certain sectors, subject to the exceptions for organisations that are covered regardless of their size (see below):
- Size cap: medium-sized enterprises and large enterprises may fall within the scope of the Transposition Act:
- Medium-sized enterprises employ at least 50 persons, or have an annual turnover and an annual balance sheet total that both exceed EUR 10 million.
- Large enterprises employ at least 250 persons, or have an annual turnover exceeding EUR 50 million and an annual balance sheet total exceeding EUR 43 million. These thresholds are taken from Commission Recommendation 2003/361/EC, to which the NIS2 Directive refers.
- Type of services provided: organisations that provide services in sectors of high criticality or other critical sectors may fall within the scope of the Transposition Act:
- Sectors of high criticality are energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, and space.
- Other critical sectors are postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; certain manufacturing sectors; digital providers; and research.
The Transposition Act distinguishes between organisations that are considered “essential entities” and “important entities”.
- Essential entities are large enterprises which provide services in sectors of high criticality.
- Important entities are (i) medium-sized enterprises that provide services in sectors of high criticality and (ii) medium-sized and large enterprises that provide services in other critical sectors.
Certain organisations are considered essential entities regardless of the size cap (e.g. qualified trust service providers). Member States may also identify organisations as essential or important entities regardless of their size.
Both essential and important entities are subject to similar obligations. The main difference relates to the authorities’ supervisory and enforcement powers in relation to them (see below).
What are the key obligations for organisations?
The key obligations for essential and important entities consist of the following:
- Cybersecurity risk-management measures: entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems which they use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on the recipients of their services and on other services. These measures must ensure a level of security of network and information systems appropriate to the risks posed, taking into account the state of the art and, where applicable, relevant European and international standards, as well as the cost of implementation. The management bodies of essential and important entities must oversee and approve the implementation of those measures.
In addition, essential entities are required to subject their cybersecurity risk-management measures to regulatory conformity assessments. Important entities may do so voluntarily. Essential and important entities that perform regular conformity assessments are presumed to have complied with their respective obligations.
- Notifying significant incidents: entities must notify significant incidents to the national computer security incident response team (CSIRT). A significant incident is an incident that has a significant impact on the provision of the services in the sectors of high criticality and other critical sectors and that (i) has caused or is capable of causing severe operational disruption to those services, or financial loss for the entity concerned, or (ii) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Notification takes place in three stages:
- An early warning within 24 hours of becoming aware of the significant incident, which should indicate whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
- An incident notification within 72 hours of becoming aware of the significant incident, which updates the information given in the early warning and provides an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise.
- A final report within one month after submitting the incident notification, which sets out (i) a detailed description of the incident, including its severity and impact, (ii) the type of threat or root cause that is likely to have triggered the incident, (iii) applied and ongoing mitigation measures and (iv) where applicable, the cross-border impact of the incident.
What are the risks for non-compliance?
Supervisory authorities have several powers, which include on-site and off-site inspections, targeted audits, security scans, information requests and data access requests. Essential entities are subject to both ex ante and ex post supervision. With respect to important entities, supervision is ex post only: supervisory authorities can exercise those powers only if they have been provided with evidence, indication or information that such an entity does not comply with its obligations.
Supervisory authorities may impose on essential and important entities administrative sanctions such as warnings, binding instructions, orders to cease certain conduct or to ensure compliance with their obligations, and administrative fines. Essential entities may face administrative fines of up to EUR 10 million or 2% of the worldwide annual turnover of the undertaking, whichever is higher. Important entities may face fines of up to EUR 7 million or 1.4% of the worldwide annual turnover of the undertaking, whichever is higher. The undertaking whose worldwide annual turnover is taken into account for the calculation of the administrative fine may comprise several companies belonging to the same group, if those companies form one economic unit within the meaning of EU law.
Please reach out to the authors for more advice on whether your organisation may fall under the Transposition Act and the specific obligations your organisation may be subject to.