BELGIUM Trends and Developments Contributed by: Steven De Schrijver and Carl Dotremont, Allegiance Law
on-premises, virtual private cloud or vendor private instances with contractual prohibitions against train- ing on client data and enforceable audit rights. Legal privilege should be maintained by defining approved tools in engagement letters and internal protocols, and by channelling privileged analyses through counsel- controlled environments. For international transfers in cross-border data rooms, valid transfer mecha- nisms such as the EU-U.S. Data Privacy Framework or standard contractual clauses with transfer impact assessments should be ensured, and log retention should be limited. EU AI Act readiness is now a core consideration. The Act entered into force in 2024 with phased application through 2025–27, with prohibited practices applying first and transparency duties for general purpose and GenAI models and high-risk obligations following on a staggered basis. See 9.1 Due Diligence Process in the Belgian Law & Practice chapter in this guide for further detail of the EU AI Act’s implementation. Parties should expect governance, risk management, data quality, technical documentation, post-market monitoring and incident reporting requirements. Dili- gence should therefore request an AI system inventory and classification, conformity assessment status for high risk use cases, model and system cards, data governance evidence including provenance, copyright compliance and bias testing, measures for human oversight, and alignment with harmonised standards or applicable codes of practice. Cybersecurity and NIS2 obligations also require atten- tion. NIS2 expands the scope and depth of security and incident reporting duties for essential and impor- tant entities and their supply chains. Diligence should assess maturity against frameworks such as ISO 27001 and NIST, ransomware resilience, third-party risk and regulatory notification history, and should contract for uplift plans where gaps are material. The EU Data Act, applying from late 2025, strengthens data sharing frameworks and cloud switching, so diligence should test data access rights, portability, egress fees, lock-in risk and compliance roadmaps for connected products and services. Competition and antitrust risks must be managed through strict clean team protocols, particularly for model weights, proprietary data sets and pricing algorithms, and par-
ties should avoid exchanging competitively sensitive information outside approved structures, especially given the increased risk of referrals under Article 22 of the EU Merger Regulation and a focus on data and AI capabilities even below traditional thresholds. Regulatory process checkpoints (where progress might be halted) affecting Belgian tech deals have become more pronounced. The Belgian foreign direct investment screening regime is now firmly embedded, with sensitive targets in AI, semiconductors, biotech, critical infrastructure and large data sets routinely requiring notification. Standstill obligations apply, pre- notification and Q&A can be extensive, and parties should build buffers into long stop dates. The Foreign Subsidies Regulation notification regime is fully opera- tional, so transactions involving non-EU financial con- tributions should be screened early, with information requests that can be burdensome and may run in parallel with merger control. EU merger control itself reflects closer scrutiny of data consolidation and eco- system effects, including an increased use of Article 22 referrals; internal documents on AI strategy and monetisation are frequently requested. Intellectual property and open-source questions are equally significant. Copyright in the EU requires human authorship, meaning ownership claims over purely machine-generated outputs may be weak. Buy- ers should validate training data licensing, check for text and data mining opt-outs, secure vendor indem- nities, and confirm appropriate geofencing of data sets. Open-source software scans should be run to surface copyleft or restrictive licences and to remedi- ate issues. Belgian employment and social dialogue considerations arise where monitoring or productivity AI tools are deployed, as these may trigger informa- tion and consultation duties with the works council or employee representatives and must comply with Bel- gian privacy and labour law principles such as propor- tionality and transparency, with data protection impact assessments where needed. Trade secrets should be protected in and beyond the data room by marking and tracking exports, restricting model access to syn- thetic or minimised data, and maintaining audit trails for prompts and outputs used in decision-making.
35 CHAMBERS.COM
Powered by FlippingBook