BELGIUM Trends and Developments Contributed by: Thibaut D’hulst, Ilham Irgiou and Ossama M’Rini, Van Bael & Bellis
panies must design their solutions with robust data protection and privacy measures. Com- plementing this, the EU Data Governance Act facilitates data altruism and the creation of com- mon data spaces, including in health. The EHDS Regulation, adopted in January 2025, will further revolutionise the landscape by governing cross- border health data exchange and secondary use for research and policy. Belgium’s strong position in clinical research (approximately 20% of all European clinical trials for cancer drugs occur in Belgium, with compa- nies investing EUR15 million daily in R&D) high- lights the importance of understanding these evolving regulatory frameworks. Challenges such as participant mobility and ensuring trust in medical research persist. Cybersecurity: a critical imperative Cybersecurity is another critical component of digital health regulation and a growing concern. The enactment of the NIS2 Belgian law (Law of 26 April 2024, effective 18 October 2024), align- ing with the EU’s NIS2 Directive (2022/2555), mandates stricter cybersecurity risk manage- ment measures, incident management, and supervision for entities in critical sectors, includ- ing healthcare. In-scope entities were required to identify themselves using tools like the Scope Test Tool and register via the Safeonweb@work platform by 18 March 2025. The Belgian Fed- eral Agency for Medicines and Health Products (AFMPS/FAGG – FAMHP) acts as a sectoral authority for relevant health entities under this law. This framework is closely linked to the EU Directive on the resilience of critical entities (CER Directive, 2022/2557); entities designated as critical under the future Belgian CER law (for which the FAMHP will also be a sectoral author- ity) will automatically be considered essential
under NIS2, even if they are not caught within the NIS2 scope. As digital health technologies proliferate, ensur- ing strong cybersecurity protocols and manda- tory notification of significant incidents to the Centre for Cybersecurity Belgium (CCB) are essential for protecting patient data, maintain- ing trust, and adhering to the evolving regulatory framework. Further supporting these efforts, the European Commission launched an action plan in January 2025 to strengthen cybersecurity in hospitals and healthcare providers across the EU, proposing that the EU Agency for Cyberse- curity (ENISA) establish a pan-European support centre. The Belgian Data Protection Authority (DPA) stressed the importance of adequate security measures in a decision of 17 December 2024, imposing a EUR200,000 fine on a Belgian hospi- tal. This fine followed a 2021 ransomware attack that compromised the personal data of 300,000 people. The DPA found significant deficien- cies in the hospital’s data protection measures, including a lack of an appropriate data protec- tion impact assessment (DPIA) and inadequate technical security. The Belgian healthcare sector remains a prime target for cyberattacks, with reports in the sec- ond quarter of 2024 indicating a 31% increase compared to the same period in 2023, and the healthcare sector being the most targeted. High- profile incidents at various hospitals in recent years illustrate the persistent threat and the sub- stantial financial and operational impact of such attacks, with recovery costs sometimes running into millions of euros.
18
CHAMBERS.COM
Powered by FlippingBook