Cybersecurity 2025

BELGIUM Law and Practice Contributed by: Wim Nauwelaerts, Alston & Bird LLP

• implement user transparency via clear disclosure, on the PDE or its packaging, of the end-of-support date, namely the date until which the manufacturer commits to provide security updates – this should assist PDE users in making purchasing decisions based not only on price and functionality, but also on the PDE's level of cybersecurity; and
• report actively exploited vulnerabilities, as well as severe incidents impacting the security of PDEs, to public authorities within 72 hours (with an early warning within 24 hours) of becoming aware of the vulnerability or incident – to facilitate the notification process and enable secure data sharing among European CSIRTs and ENISA, the CRA introduces a new single reporting platform with different national "end-points"; this single reporting platform is distinct from the European vulnerability database established by the NIS2 Directive.

All PDEs, regardless of their cybersecurity risk level, must comply with the CRA's basic cybersecurity standards outlined in the foregoing. PDEs that are considered more sensitive from a cybersecurity viewpoint – which the CRA refers to as "important" or "critical" products (eg password managers, firewalls, smart meters) – are subject to additional, stricter obligations.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation

Cybersecurity certification plays an important role in increasing trust and security in IoT-related products, services and processes, and the Cybersecurity Act has therefore introduced a European cybersecurity certification framework.

ENISA, the EU Agency for Cybersecurity, is in charge of setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes. It is also responsible for informing the public about the certification schemes and the issued certificates through a dedicated website.

In addition, Belgium has created (by Royal Decree dated 16 October 2022) a framework that enables companies to evaluate and certify the security of ICT products, services and processes, in line with the Cybersecurity Act. The CCB has been designated as the national cybersecurity certification authority that will coordinate the necessary expertise in cybersecurity certification, authorise certificates with high security requirements and establish close collaboration with the Belgian accreditation organisation.

To help covered entities demonstrate compliance with the NIS2 Act in particular, the CCB has created the CyFun framework, which is based on several commonly used cybersecurity frameworks or standards, including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), International Organization for Standardization (ISO) 27001/ISO 27002, Center for Internet Security (CIS) Controls and International Electrotechnical Commission (IEC) 62443. Following a NIS2 conformity assessment, a CyFun certification can be granted by a conformity assessment body (CAB) that is approved by the CCB. CABs are bodies responsible for verifying an entity's compliance with the requirements set out in the CyFun reference framework.
