BELGIUM Law and Practice Contributed by: Wim Nauwelaerts, Alston & Bird LLP
requirement will only apply to financial entities selected on the basis of an assessment of the following elements:
• impact-related factors, in particular the extent to which the financial entity’s services and activities have an impact on the financial sector;
• possible financial stability concerns, including the systemic nature of the financial entity at the EU or national level, where applicable; and
• the specific ICT risk profile, the level of ICT maturity of the financial entity or the technological characteristics at stake.

The obligation to conduct advanced threat-led penetration tests does not apply to (i) small and unconnected investment firms, (ii) IORPs that have no more than 100 affiliates, or (iii) financial entities employing fewer than ten people and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

The CRA imposes minimum cybersecurity standards for connected products placed on the Belgian market, with a view to making the internet of things (IoT) more secure. It contains horizontal cybersecurity requirements for products with digital elements (PDEs), which are defined as products that can be connected to a device or network and include:
• hardware products with connected features, such as smartphones, laptops, home surveillance systems and connected toys; and
• software not embedded in a product and sold on a standalone basis, for example accounting software and mobile gaming apps.

All manufacturers placing PDEs on the Belgian market must comply with the CRA even if they are based outside the EU. For instance, the CRA may apply to a Chinese manufacturer of solar panels that sells its products in Belgium.

The CRA primarily imposes obligations on manufacturers of PDEs to ensure that their products are secure before they are put on the EU/Belgian market, but also afterwards throughout the whole life cycle of the product. Furthermore, it includes provisions affecting other operators of PDEs such as importers, distributors, open-source software stewards, conformity assessment bodies (CABs) and public authorities.

According to the CCB, the CRA is expected to contribute to the CCB’s vision of making Belgium more cybersecure by ensuring that its citizens and organisations are less vulnerable to cyber-attacks.

4.2 Key Obligations Under Legislation

The CRA imposes a minimum level of cybersecurity for all PDEs that are placed on the Belgian market and requires manufacturers of PDEs to:
• design their PDEs with cybersecurity in mind – eg, by ensuring that data stored or transmitted with(in) the product is encrypted, and that the attack surface is as limited as possible;
• ensure that the default settings of their PDEs help reduce vulnerabilities – eg, by avoiding weak default passwords or by making sure that security updates are installed automatically;
CHAMBERS.COM