Fintech 2026

BELGIUM Law and Practice Contributed by: Joan Carette, Philippe De Prez and Thomas Derval, Simont Braun

to and use of data (Data Act) has applied since 12 September 2025, adding a new layer of rules regarding the use of data generated by the use of a product or service.

In addition, Regulation (EU) 2024/1183 amending Regulation (EU) No 910/2014 (eIDAS 2) introduces a harmonised framework for European Digital Identity wallets and trust services, which is particularly relevant for fintechs relying on electronic identification, authentication and qualified trust services in customer onboarding and digital contracting processes.

Anti-Money Laundering Laws

Belgian anti-money laundering (AML) laws transposing the AMLD5 are applicable to fintech companies that carry out regulated activities (such as banks, insurance companies, crypto-asset service providers, EMIs and PIs).

Cybersecurity

EU Directive 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) was transposed into Belgian law by the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (NIS2 Law) (in force since October 2024). This law requires financial institutions to take technical and organisational measures to manage risks to the security of the network and information systems on which these institutions’ financial services depend.

Furthermore, there is the (slightly outdated) Law of 28 November 2000 on computer-related crime and the international Budapest Convention of 23 November 2001 (including its Protocol) and the Lanzarote Convention of 25 October 2007, to which Belgium is a party.

These regulations do not make a distinction between fintech companies and legacy players.

Regulated fintechs must also comply with specific requirements issued at the European level.
Since 17 January 2025, they are subject to DORA, relating to ICT risk management, operational resilience testing, incident reporting and third-party ICT risk monitoring, amongst other matters. In addition, they must comply with the Guidelines EBA/GL/2019/04 of 29 November 2019 on information and communications technology and security risk management, prescribing how financial institutions should manage ICT and security risks, and outlining the supervisory authorities’ expectations of ICT and security risk management.

At the EU level, further horizontal cybersecurity and resilience legislation has recently entered into force or been adopted. Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act) introduces mandatory security-by-design, vulnerability management and life cycle cybersecurity obligations for software and connected products, with full application expected from 11 December 2027; this is particularly relevant for fintechs developing proprietary software or digital infrastructure.

In addition, Directive (EU) 2022/2557 on the resilience of critical entities (Critical Entities Resilience Directive), applicable since 18 October 2024, establishes obligations to identify and mitigate risks to the continuity of essential services, including in the financial sector, extending beyond pure cybersecurity considerations.

Finally, Regulation (EU) 2025/38 (Cyber Solidarity Act) strengthens EU-level cyber preparedness and co-ordinated incident response mechanisms, forming part of the broader cybersecurity environment in which regulated fintechs operate.

Marketing and Communications

Advertising, marketing documents and any other type of communication (including verbal communication) distributed within the context of the professional marketing of financial products (eg, relating to all types of savings, insurance and investment products) to retail clients in the Belgian territory are regulated by the Royal Decree of 25 April 2014 concerning certain information requirements for the offering of financial products to non-professional clients, regardless of the media channels through which these communications take place. Such communications are subject to information requirements relating, on the one hand, to the provision of an information sheet and, on the other hand, to the advertising of financial products.

The FSMA has also developed specific marketing rules on the commercialisation of virtual currencies.
