BELGIUM Law and Practice Contributed by: Joan Carette, Philippe De Prez and Thomas Derval, Simont Braun
• have a written outsourcing policy in place, contain - ing a minimum set of mandatory provisions; and • supervise and control the outsourced activities (including through audits), record all outsourcing arrangements in a specific register and inform the NBB beforehand of critical or important outsourc - ing arrangements, on an ongoing basis. The NBB and the FSMA generally apply the same principles to other regulated entities, with some dif - ferences depending on their activities and the risks they pose for the market. In addition to the outsourcing rules, since 17 January 2025 regulated entities are subject to EU Regulation 2022/2554 of 14 December 2022 on digital opera - tional resilience for the financial sector (DORA), which introduces, among other things, new rules regarding the use of information and communication technol - ogy (ICT) services provided by third-party ICT service providers. In principle, the requirements under DORA apply in parallel to the outsourcing requirements. However, according to the European Supervisory Authorities (ESAs), if the ICT service is regulated, it should not be considered as an ICT service under DORA. In July 2025, the EBA launched a public consultation on draft guidelines on the sound management of third- party risk, which revise and update the EBA Guide - lines on outsourcing published in 2019, aligning them with the requirements of DORA. The draft guidelines address arrangements for non-ICT services provided by third-party service providers and their subcontrac - tors, with a particular focus on critical or important functions. The consultation closed on 8 October 2025, and the outcome is still awaited. 2.9 Gatekeeper Liability No specific “gatekeeper” liability regime has been established in Belgium for fintechs regarding the activities on their platform; in practice, this will mainly depend on who is actually/legally providing the ser - vices to customers through the platforms. At the EU level, certain fintechs may, depending on their business model, be subject to the horizontal framework of the Digital Services Act (DSA) where
they qualify as online intermediaries or online plat - forms (for example, where the platform hosts third- party content or facilitates transactions between third parties). However, the DSA does not establish a fintech-specific “gatekeeper” regime and generally does not affect core financial services provided in the fintech’s own name. 2.10 Significant Enforcement Actions Belgian regulators may take various measures against non-compliant entities, including: • imposing (significant) fines; • issuing public statements of non-compliance; • requesting a change of the board and/or the (effec - tive) management; • appointing a temporary administrator; or • in extreme cases, withdrawing the licence. The Belgian regulators are consistent in their approach across the different verticals, and generally discuss the matter with the financial entity concerned to try and agree on a settlement before imposing any sanc - tion. 2.11 Implications of Additional, Non- Financial Services Regulations Certain additional non-financial regulatory regimes may be of particular importance to fintech companies, given their greater susceptibility to certain abuses or exposure to certain risks. Data Protection Regulations With regard to privacy laws, the most important regu - lations are EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and EU Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the provisions transposing this directive into Belgian law. The Belgian legislature also adopted the Belgian Law of 30 July 2018 on data protection (Data Protection Law), partially incorporating the generally applicable GDPR provisions as well as providing for comple - mentary provisions. EU Regulation 2023/2854 of 13 December 2023 on harmonised rules on fair access
82 CHAMBERS.COM
Powered by FlippingBook