BELGIUM Law and Practice Contributed by: Joan Carette, Philippe De Prez and Thomas Derval, Simont Braun
2.11 Implications of Additional, Non-Financial Services Regulations

Certain additional non-financial regulatory regimes may be of particular importance to fintech companies, given their greater susceptibility to certain abuses or exposure to certain risks.

Data Protection Regulations

With regard to privacy laws, the most important regulations are the EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and EU Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive”) and the provisions transposing this directive into Belgian law. The Belgian legislature also adopted the Belgian Law of 30 July 2018 on data protection (the “Data Protection Law”), partially incorporating the generally applicable GDPR provisions as well as providing for complementary provisions. With the entry into force in January 2024 of the EU Regulation 2023/2854 of 13 December 2023 on harmonised rules on fair access to and use of data (the “Data Act”), a new layer of rules regarding the use of data generated by the use of a product or service can be expected.

Anti-Money Laundering Laws

Belgian anti-money laundering (AML) laws, transposing the AMLD5, are applicable to fintech companies that carry out regulated activities (such as banks, insurance companies, crypto-asset service providers, EMIs and PIs).

Cybersecurity

EU Directive 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”)
beforehand of critical or important outsourcing arrangements. The NBB and the FSMA generally apply the same principles to other regulated entities, with some differences depending on their activities and the risks they pose for the market.

In addition to the outsourcing rules, regulated entities are, since 17 January 2025, subject to the EU Regulation 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA), which introduces, among other things, new rules regarding the use of ICT services provided by third party ICT service providers. In principle, the requirements under DORA apply in parallel to the outsourcing requirements. However, according to the European Supervisory Authorities (ESAs), if the ICT service is regulated, it should not be considered as an ICT service under the DORA.

2.9 Gatekeeper Liability

There is no specific “gatekeeper” liability regime established in Belgium for fintechs regarding the activities on their platform. In practice, this will mainly depend on who is actually/legally providing the services to customers through the platforms.

2.10 Significant Enforcement Actions

Belgian regulators may take various measures against non-compliant entities: impose (important) fines, issue public statements of non-compliance, request a change of the board and/or the (effective) management, appoint a temporary administrator or, in extreme cases, withdraw the licence. The Belgian regulators are consistent in their approach across the different verticals and, before imposing any sanction, generally discuss with the financial entity concerned to try and agree on a settlement.
CHAMBERS.COM