Cybersecurity 2025

BELGIUM Law and Practice Contributed by: Wim Nauwelaerts, Alston & Bird LLP

6. Cybersecurity in Other Regulations

6.1 Cybersecurity and Data Protection

The GDPR provides that controllers have a legitimate interest in processing personal data to the extent that such processing is strictly necessary and proportionate for the purposes of ensuring network and information security. The GDPR further specifies that permitted practices and tools for network and information security could include those that focus on:

• preventing unauthorised access to electronic communications networks and malicious code distribution; and/or
• stopping "denial of service" attacks and damage to computer and electronic communication systems.

The GDPR also includes a notification regime for personal data breaches. The concept of "personal data breach" is broadly defined in the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Controllers whose processing of personal data is subject to Belgian law may be required to notify personal data breaches to the Belgian DPA and, in some cases, to the individuals whose personal data is affected.

A personal data breach is a type of data security incident. While all personal data breaches are data security incidents, not all data security incidents are necessarily personal data breaches. The GDPR, and hence the notification duties to the DPA and affected individuals, only apply where there is a personal data breach. Incident triage should therefore establish early whether personal data was affected, since that determination is what triggers the notification duties.

6.2 Cybersecurity and AI

The AI Act requires that high-risk AI systems achieve appropriate levels of accuracy, robustness and cybersecurity, and that they perform consistently in those respects throughout their life cycle. The technical solutions aiming to ensure the cybersecurity of high-risk AI systems must be appropriate to the relevant circumstances and the risks. They can include measures to prevent, detect, respond to, resolve and control for attacks that attempt to manipulate the training data set (data poisoning), pre-trained components used in training (model poisoning), inputs designed to cause an AI model to make a mistake (adversarial examples or model evasion), confidentiality attacks and model flaws.

The European Commission has requested the European Committee for Standardisation (CEN) and the European Committee for Electrotechnical Standardisation (CENELEC) to draft new European standards or European standardisation deliverables on AI by 30 April 2025, including European standard(s) and/or European standardisation deliverable(s) on cybersecurity specifications for AI systems.

High-risk AI systems that have been certified, or for which a statement of conformity has been issued, under a cybersecurity scheme pursuant to the Cybersecurity Act will be presumed to comply with the cybersecurity requirements set out in the AI Act, in so far as the cybersecurity certificate or statement of conformity, or parts thereof, cover those requirements.

6.3 Cybersecurity in the Healthcare Sector

Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) 178/2002 and Regulation
