BELGIUM Trends and Developments Contributed by: Stéphanie De Smedt, Virginie de France, Bram Goetry and Olivier Verhasselt, Loyens & Loeff
Introduction

As digital transformation accelerates and cyberspace becomes increasingly complex, cybersecurity has emerged as a critical concern for organisations. The deep interconnectivity of the cyber-ecosystem means that a breach in a single entity can trigger a chain reaction, compromising entire networks with far-reaching consequences. Even the smallest vulnerabilities in digital systems can lead to significant disruptions, from financial losses to reputational damage. For many organisations, cybersecurity is no longer merely an operational concern – it is also a legal imperative.

In 2024, Belgium was the first EU member state to transpose Directive (EU) 2022/2555 (the “NIS2 Directive”) into national law (the “NIS2 Law”). As a direct consequence thereof, 2025 is set to be an intense year as this landmark legislation is expected to impact over 2,500 entities across a wide range of sectors. In addition to implementing risk management measures, organisations will need to review their contracts with suppliers and subcontractors and ensure that future agreements explicitly include cybersecurity warranties. Management bodies will also be heavily involved, as the law imposes numerous obligations and responsibilities on them. Compliance with the NIS2 Law is overseen and enforced in Belgium by the Centre for Cyber Security (the CCB).

Below is an overview of the main cybersecurity trends the authors see for 2025.

CyberFundamentals as a Cybersecurity Framework Originating in Belgium, but Potentially With Much Broader Recognition

Under the NIS2 legislation, certain entities are required to undergo periodic compliance assessments, which result in certification. In Belgium, only two certifications are recognised by law:
• the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 certification; and
• the Belgium-specific CyberFundamentals (“CyFun”) certification scheme.

The latter is a certification granted by a conformity assessment body approved by the CCB. The framework is based on commonly used cybersecurity frameworks, namely the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), ISO 27001/ISO 27002, Center for Internet Security (CIS) Controls and IEC 62443. To address the varying levels of risk organisations face, the framework offers four assurance levels: small, basic, important and essential. The CyFun framework is generally deemed to be less burdensome (and less expensive) to implement than ISO certification, and the CCB has also published a multitude of online guidance notes and tools to aid implementation thereof by Belgian companies.

Interestingly, Romania has already implemented the NIS2 Directive, and has explicitly recognised the Belgian CyFun certification scheme as a valid compliance framework under its local law. Following the Romanian example, CyFun, although initially a local Belgian initiative, could receive broader international recognition, with more countries expected to follow Romania’s lead.

Cybersecurity Clauses as a “Must Have” for Both Current and Future Contracts

In cases where IT services are outsourced, the legal responsibility under cybersecurity legislation (eg, NIS2 and DORA) remains with the in-scope organisation itself. Therefore, it is crucial for these organisations to properly map the various contractors, suppliers, service provid-
CHAMBERS.COM