BELGIUM Law and Practice Contributed by: Wim Nauwelaerts, Alston & Bird LLP
2.4 State Responsibilities and Obligations
The CCB is responsible for co-ordinating and monitoring the NIS2 Act. Under the NIS2 Act, the CCB will be in charge of supervising essential and important entities (in co-operation with sectoral authorities), in addition to being the central contact point for NIS2 implementation. Belgium’s CSIRT is also part of the CCB. Entities in scope of the NIS2 Act are required to report significant incidents to this CSIRT. In addition, the NCCN is involved in the implementation of the NIS2 Act, in particular as regards incident notification, cybercrisis management and physical security measures implemented by operators of critical infrastructures and critical entities (subject to the Critical Infrastructures Act).

3. Financial Sector Operational Resilience Regulation

3.1 Scope of Financial Sector Operational Resilience Regulation

DORA applies to the following types of financial entities, which are under the supervision of the FSMA:

• asset management and investment advisory companies (investment firms);
• authorised managers of alternative investment funds;
• management companies of collective investment undertakings and self-managed collective investment undertakings;
• trading platforms;
• crowdfunding service providers (crowdfunding platforms);
• insurance and reinsurance intermediaries and ancillary insurance intermediaries; and
• institutions for occupational retirement provision (IORPs).

DORA also applies to institutions that are under the supervision of the NBB, such as credit institutions, insurance and reinsurance companies and payment institutions.

3.2 ICT Service Provider Contractual Requirements

DORA defines information and communication technology (third-party) service providers (ICT TPSPs) as undertakings providing ICT services to financial entities in scope of DORA. ICT services in the context of DORA should be understood in a broad manner, encompassing digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis. This may include providers of cloud computing services, software, data analytics services and data centre services. If financial entities delegate critical or important functions to ICT TPSPs, more stringent requirements will apply.

To ensure the conformity of their ICT risk management framework, financial entities are expected to maintain and update a specific information register (register of information or ROI) that lists the relevant contracts relating to the use of ICT services provided by ICT TPSPs. The agreements with ICT TPSPs will have to be properly documented and clearly distinguish those applicable to ICT services in support of critical functions.

Upon request, financial entities will have to make the entire ROI or certain parts of it available to the FSMA, together with all information that is considered necessary to enable effective supervision of the financial entity.
CHAMBERS.COM