Cybersecurity 2025

BELGIUM Trends and Developments Contributed by: Stéphanie De Smedt, Virginie de France, Bram Goetry and Olivier Verhasselt, Loyens & Loeff

ers, etc, that have access to their IT systems, provide cloud-based software solutions or may otherwise impact the organisation’s cybersecurity risk profile.

In Belgium, the authors are seeing a clear trend towards companies requesting additional cybersecurity-related guarantees and certifications from their suppliers. Since past cyber-attacks have highlighted the intrinsic link with various ecosystems, cybersecurity clauses are becoming a key concern in supply chain risk management. More specifically, the authors see an increased focus on the following types of clauses in various types of commercial (supply/services) contracts, not only in the IT sector:

• clauses setting minimum standards and obligations of result in relation to cybersecurity (obtaining and maintaining certifications, annexes with detailed lists of technical and organisational measures to implement, etc) for the supplier;
• clauses ensuring swift incident reporting by suppliers, in order for the client – which may be a regulated entity under NIS2 or the Digital Operational Resilience Act (DORA) – to meet its own legal reporting obligations, often detailing reporting deadlines, mandatory information to be provided and co-operation obligations;
• clauses providing extensive cybersecurity audit rights for the client;
• liability and exoneration clauses (a higher or no liability cap for cyber-incidents, indemnification obligations for third-party claims, etc); and
• termination clauses in case of serious cyber-incidents or material non-compliance, etc.

While the arrangements for cybersecurity are in some cases set out in a lot of detail in the legislation itself (see DORA), this is not always the case (see NIS2), which leaves a lot of room for diverging practices and tough negotiations. In 2025, the authors expect more common practices and standards to develop in this respect – as they did for data processing agreements under the General Data Protection Regulation (GDPR), for example.

The focus on supply chain risk management will in any event remain in 2025. Noteworthy in this respect is the finding that, of all large organisations, 54% identified supply chain challenges as the biggest barrier to achieving cyber-resilience. The increasing complexity of supply chains, coupled with a lack of visibility and oversight regarding the security levels of suppliers, has emerged as the leading cybersecurity risk for organisations. Key concerns include software vulnerabilities introduced by third parties and the propagation of cyber-attacks throughout the ecosystem, as noted in the World Economic Forum’s Global Cybersecurity Outlook 2025.

Leaders Must Adopt a “Security-First” Mindset

The NIS2 legislation requires management bodies to play an active role in cybersecurity, making their involvement not only beneficial but also legally mandatory. The authors expect this to become a board-level priority in 2025. More specifically, management bodies of NIS2-in-scope entities must:

• approve risk management measures related to cybersecurity and oversee their implementation;
• complete training to ensure they possess the necessary knowledge and skills to identify risks, assess cybersecurity risk management
