BELGIUM Trends and Developments Contributed by: Stéphanie De Smedt, Virginie de France, Bram Goetry and Olivier Verhasselt, Loyens & Loeff
practices and understand their impact on the services provided by their organisation (this entails an obligation for management to follow regular cybersecurity awareness trainings); and
• ensure the organisation's compliance with the law.

As the concept of "management body" is not defined in the NIS2 Directive, the explanatory memorandum to the Belgian NIS2 Law defines a "member of a management body" as "Any natural or legal person who:
1. exercises a function within or in relation to an entity which authorises him or her (a) to administer and represent the entity in question or (b) to take decisions in the name and on behalf of the entity which are legally binding on it or to participate, within a body of that entity, in the taking of such decisions, or
2. has control over the entity, meaning the power, in law or in fact, to exercise decisive influence over the appointment of the majority of the entity's directors or managers or over the direction of the entity's management".

Where the entity is a company governed by Belgian law, this control is determined in accordance with Articles 1:14 to 1:18 of the Belgian Code of Companies and Associations.

Moreover, if an organisation that is in-scope of NIS2 fails to comply with the NIS2 Law, then its management body may be held accountable and face not only director's liability, but also a temporary ban from holding executive responsibilities within the organisation. It remains to be seen how this liability will be assessed in practice, and in which situations (likely only very extreme ones) the CCB would impose such a temporary ban.

While 2025 will likely still be a year of transition, enforcement of the NIS2 Law by the CCB is expected to gradually increase, especially in case of major cybersecurity incidents in critical or public sectors.

The Role of the CCB and the Data Protection Authority in Cybersecurity Compliance

The CCB has been designated by the NIS2 Law as the national authority responsible for the monitoring, supervision and enforcement of the NIS2 Law on Belgian territory. However, entities may also have to face another authority in the context of cybersecurity: the Belgian Data Protection Authority (DPA), which oversees the enforcement of the GDPR and national legislation concerning personal data protection. Indeed, the DPA is often called upon to examine IT systems and their use within companies, particularly due to the risks of personal data breaches, becoming a valuable asset in the event of cybersecurity incidents. The NIS2 Directive itself acknowledges in its recitals that personal data protection and cybersecurity are closely linked.

As a result, when a company suffers a cyber-attack leading to a personal data breach – a common occurrence – it often finds itself engaging with multiple authorities, sometimes including sectoral regulators, while also adhering to tight deadlines and different formal requirements. Firstly, companies subject to the NIS2 Law must notify significant incidents to the CCB without undue delay, at the latest within 24 hours of becoming aware of the incident. Additionally, these companies must also notify the DPA if the incident constitutes a personal data breach under data protection law, and this must
CHAMBERS.COM