BELGIUM Law and Practice Contributed by: Wim Nauwelaerts, Alston & Bird LLP
2. Critical Infrastructure Cybersecurity 2.1 Scope of Critical Infrastructure Cybersecurity Regulation The NIS2 Directive and the Belgian NIS2 Act transposing it apply to public or private entities that are established in Belgium and that provide one of the services listed in Annex I or II to the NIS2 Act within the EU. An entity will be subject to the NIS2 Act if it car - ries out one of the activities listed in Annex I or II to the NIS2 Act – as an “essential” or “important” entity – within the EU, and if it is at least consid - ered to be a medium-sized enterprise within the meaning of European Commission Recommen - dation 2003/361/EC of 6 May 2003 (concerning the definition of micro, small and medium-sized enterprises). “Essential entities” are those that provide a ser - vice listed in Annex I and meet the definition of a large enterprise within the meaning of Recom - mendation 2003/361/EC. “Important entities” are organisations that pro - vide a service: • listed in Annex I and meet the definition of a “medium-sized enterprise” within the mean - ing of Recommendation 2003/361/EC; or • listed in Annex II and meet the definition of a “medium-sized or large enterprise” within the meaning of Recommendation 2003/361/EC. For the purposes of calculating the size of the entity, the European Commission has published guidance as well as a calculation tool. In addi - tion, the CCB has issued guidelines specifying that the scope of the NIS2 Act covers the whole
of the entity concerned and not just the activities listed in the Annexes to the NIS2 Act. Moreover, an entity will be considered in scope of the NIS2 Act even if the essential service it provides is only an ancillary part of all its activi - ties – unless the definition of the service in the Annex takes into account the principal or inci - dental nature of the activity. In terms of territorial scope, the NIS2 Act applies in principle to entities established in Belgium that provide their services or carry out their activi - ties within the EU. The concept of establishment consists of the actual pursuit of an activity by means of a permanent installation, irrespective of the legal form adopted, whether this is a reg - istered office, a local branch or a subsidiary with legal personality. It should also be noted that the operator of one or more critical infrastructure(s) identified under Critical Infrastructures Act will be considered to be an essential entity within the meaning of the NIS2 Act. The NIS2 authorities and the compe - tent authorities under the Critical Infrastructures Act are expected to work together to supervise these entities. 2.2 Critical Infrastructure Cybersecurity Requirements The main cybersecurity requirements for entities in scope of the NIS2 Act can be summarised as follows: • register with the relevant (sectoral) authorities – this can be done by completing an online form on the Safeonweb@Work registration platform, provided that the entity is already registered with the Belgian Crossroads Bank for Enterprises;
44
CHAMBERS.COM
Powered by FlippingBook