BELGIUM Law and Practice Contributed by: Joan Carette, Philippe De Prez and Thomas Derval, Simont Braun
was transposed into Belgian law by the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (the “NIS2 Law”) (in force since October 2024). This law requires financial institutions to take technical and organisational measures to manage the risks to the security of the network and information systems on which these institutions’ financial services depend.

Furthermore, there is the (slightly outdated) Law of 28 November 2000 on computer-related crime and the international Budapest Convention of 23 November 2001 (including its Protocol) and the Lanzarote Convention of 25 October 2007, to which Belgium is a party. These regulations do not make a distinction between fintech companies and legacy players.

In addition, regulated fintechs must also comply with specific requirements issued at the European level. Since 17 January 2025, they are subject to the DORA, relating amongst others to ICT-risk management, operational resilience testing, incident reporting and third-party ICT risk monitoring. In addition, they must comply with the Guidelines EBA/GL/2019/04 of 29 November 2019 on information and communications technology and security risk management, prescribing how financial institutions should manage ICT and security risks, and what the supervisory authorities’ expectations of ICT and security risk management are.

Marketing and Communications

Advertising, marketing documents and any other type of communication (including verbal communication) distributed within the context of professional marketing of financial products (eg, relating to all types of savings, insurance and investment products) to retail clients in the Belgian territory, are regulated by the Royal Decree of 25 April 2014 concerning certain information requirements for the offering of financial products to non-professional clients, regardless of the media channels through which these communications take place. These are subject to information requirements relating, on the one hand, to the provision of an information sheet and, on the other hand, to the advertising of financial products. The FSMA has also developed specific marketing rules on the commercialisation of virtual currencies.

The general information requirements (“correct, easily understandable and in clear, concise and comprehensible terms”) apply as well to all communications, whether through social media or other media, generally in a stricter way with regard to regulated products and services (eg, consumer credit).

2.12 Review of Industry Participants by Parties Other than Regulators

The activities of industry participants are reviewed (to a certain extent) by accounting and auditing firms. Their tasks are set out in the prudential framework of each of the regulated entities. Auditors must be certified by the competent regulator prior to servicing regulated companies.

2.13 Conjunction of Unregulated and Regulated Products and Services

There is no general rule under Belgian law prohibiting regulated financial entities from providing unregulated products and services. In certain cases, the formal approval of the regulator is required before implementing such activities. In that case, the regulator will, however, assess the impact of these unregulated services on the regulated activity and may impose certain requirements, or demand that these services or products are offered through a separate legal entity. This is notably the case for certain PIs and EMIs offering unregulated services. The combination of regulated services with crypto
CHAMBERS.COM