Cybersecurity 2025

BELGIUM Trends and Developments Contributed by: Stéphanie De Smedt, Virginie de France, Bram Goetry and Olivier Verhasselt, Loyens & Loeff

be done no later than 72 hours after becoming aware of the breach. The NIS2 Law does not provide amendments or exemptions to the GDPR in this regard. For initial notification, many companies will therefore first notify the CCB and then prepare their notification to the DPA. A late notification can lead to sanctions for non-compliance, as well as a broader investigation by the relevant regulatory authority.

The only exemption to the obligation to notify in the case of a personal data breach is provided by Article 74 of the NIS2 Law. According to this article, the data controller may be exempted from notifying a personal data breach to certain affected individuals, as provided in Article 34 of the GDPR. This exemption is possible subject to the CCB’s approval, where such individual notification could jeopardise the control and supervision of the entities, as well as the preparation, organisation, management and follow-up of administrative measures and fines. However, it is important to note that this exemption only applies to the obligation to notify the affected individuals, not the authorities. Therefore, it is essential that entities systematically notify incidents involving personal data to both relevant authorities, in accordance with the requirements and procedures of both pieces of legislation. This approach also aligns with the “cyber incident response plan” model published by the CCB, which explicitly mentions the CCB and the DPA among the entities that should receive a report.

The next natural question is whether, following a notification and any subsequent investigation by the CCB and the DPA, a company could face two fines, one under the NIS2 Law and another under the GDPR. The fourth Title of the NIS2 Law states that the CCB or any competent sectoral authority will not impose an administrative fine for an infraction resulting from the same behaviour for which an administrative fine has already been imposed by the DPA. Instead, they may decide to impose alternative sanctions for the same actions (eg, requiring the entities involved to make certain aspects of the violations public). However, neither the NIS2 Law nor the GDPR or its implementing legislation provide a solution where the CCB first imposes an administrative fine, and the DPA then decides to do the same. It is nonetheless reasonable to expect that a similar approach will be applied in such a case, by analogy with the criminal law principle of non bis in idem.

Ethical Hacking in Belgium Is Legal, Under Certain Conditions

Since 15 February 2023, in the context of the entry into force of a new whistle-blower law, the Belgian legislator has legalised “ethical hacking”. Under certain conditions, ethical hackers are protected against criminal liability, even where the hacked organisation did not consent to being subject to such “testing” of their cybersecurity standards.

Traditionally, the term “hacker” evokes individuals who exploit security flaws in IT systems for malicious purposes, such as extortion, sabotage or data theft. However, there are also hackers with good intentions, known as “ethical hackers”. “Ethical hacking” refers to the practice of testing an organisation’s systems and networks to identify and fix potential vulnerabilities without any fraudulent intent.

Until 18 October 2024, any natural or legal person was allowed to search for and report security vulnerabilities, even outside a co-ordinated