Technology M&A 2025

BELGIUM Law and Practice Contributed by: Steven De Schrijver, Allegiance Law

to their relevance, whether or not certain clauses may remain in force, and whether others can be changed thanks to new options under the new law.

Cybersecurity

The Belgian Network and Information Systems Act of 26 April 2024 (the “NIS2 Act”), which transposes the EU’s Network and Information Security (NIS) 2 Directive (the “NIS2 Directive”), came into force on 18 October 2024. Given that its text includes fines similar to the EU’s General Data Protection Regulation (GDPR), it may be a first step towards forcing essential and important organisations to focus more on cybersecurity.

However, the most important innovation is the extension of its scope. The NIS2 Act mandates 12 additional sectors to implement cybersecurity risk management measures and follow incident notification obligations. It enhances and streamlines security and reporting requirements by establishing a minimum list of key elements all entities must consider, including incident management, supply chain security, and vulnerability handling and disclosure. This means that it not only applies to “critical sectors” but also to other important sectors, such as digital services and digital infrastructure (telecommunications, data centres, cloud services, etc).

As a result, it will also become more important to review a target’s compliance with the NIS2 Act, whenever applicable, during due diligence. Cybersecurity may be the next hot topic in M&A after privacy became much more relevant in transactions.

New Digital EU Regulation

The impact of the Digital Services Act and the Digital Markets Act will have to be assessed during the due diligence on targets subject to these new regulations.

Attention should be paid to the EU’s Regulation 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (the “EU AI Act”). Adopted on 13 June 2024, the EU AI Act entered into force on 1 August 2024, with a phased implementation schedule. The regulation focuses on specific AI applications in particular contexts and categories based on risk to health, safety and fundamental rights. The impact of the EU AI Act will have to be assessed during the due diligence on targets subject to the new regulation. IP and privacy compliance will vary based on the risk level posed by AI, determining the specific obligations for providers and users alike.

9. Due Diligence/Data Privacy

9.1 Technology Company Due Diligence

Public M&A

In the context of a recommended bid, it is advisable – albeit not mandatory – to undertake due diligence before initiating a public takeover bid, particularly to validate the bid price. This process includes releasing an information memorandum on the target, conducting management presentations, and reviewing specific documents accessible through a data room.

The target board has the authority to decide when and what information about the target will be disclosed, taking into account factors such as the corporate interest of the target, confidentiality obligations, equal treatment of shareholders, and considerations related to insider dealing and competition. If the target board is hesitant to disclose sensitive information, it can opt for vendor or third-party due diligence, ensuring that


CHAMBERS.COM
