Cybersecurity 2025

BELGIUM Law and Practice Contributed by: Wim Nauwelaerts, Alston & Bird LLP

• adopt appropriate cybersecurity risk-management measures – these are technical, operational or organisational measures that allow the entity to manage the risks relating to the security of their network and information systems, and to prevent or minimise the impact of cyber-incidents;
• provide training to their management bodies to ensure that their knowledge and skills are sufficient to identify risks and assess risk-management measures in terms of cybersecurity and their impact on any services provided to the entity;
• ensure supply chain security, which refers to security-related aspects of the relationships between entities and their direct suppliers or service providers – the NIS2 Act does not explain in detail how NIS2 entities should manage this supply chain security obligation, but the CCB recommends that covered entities contractually impose a label or certification obligation on their suppliers, such as those included in the CCB’s CyberFundamentals (CyFun®) framework, in order to demonstrate compliance with this requirement; and
• notify significant (cybersecurity) incidents to the CCB (see 2.3 Incident Response and Notification Obligations).

2.3 Incident Response and Notification Obligations

Entities in scope of the NIS2 Act are required to notify the national CSIRT (ie, the CCB) in the event of a significant (cybersecurity) incident. A significant incident is defined as any incident that has a significant impact on the provision of services in the sectors or subsectors listed in the Annexes to the NIS2 Act, and which has caused or is likely to cause:

• serious disruption to the operation of any of the services in the sectors or subsectors listed in Annexes I and II or financial loss to the concerned entity; or
• significant material, personal or non-material damage to other natural or legal persons.

Notification takes place through the following steps:

• first, an early warning is submitted, within 24 hours of becoming aware of the significant incident;
• a formal incident notification is subsequently filed within 72 hours of becoming aware of the significant incident; and
• a final report is ultimately submitted, no later than one month after the initial notification – in the meantime, the CCB may request interim reports, and the CCB will also provide recommendations on when notification is required and on the procedure to follow.

In principle, NIS2 entities are expected to notify incidents to the CCB only. The CCB will subsequently forward notifications to the relevant sectoral authorities and to the NCCN (for essential entities). However, the notification regime is different for entities in the banking and financial sectors that are in scope of DORA. Those types of entities should notify incidents, as appropriate, to the National Bank of Belgium (NBB) or the Financial Services and Markets Authority (FSMA), which will forward the incident notification to the CCB. In some cases, entities that have suffered a significant incident will also be required to notify the recipients of their services.
