BELGIUM Trends and Developments Contributed by: Stéphanie De Smedt, Virginie de France, Bram Goetry and Olivier Verhasselt, Loyens & Loeff
vulnerability disclosure policy, without risking criminal prosecution, provided that they comply with certain conditions:

• there is no intent to cause harm or to obtain illegitimate benefits (eg, they cannot request payment, unless this has been agreed upon in advance, such as in the context of bug bounty programmes);
• the vulnerabilities they discover must be reported to the CCB without delay, as well as to the organisation they “hacked” – to gain some control over this process and safeguard both confidentiality and a streamlined notification process, several companies have already set up ethical hacking policies and dedicated communication channels;
• the hacker cannot do anything that goes beyond what is necessary and proportionate in order to uncover a cybersecurity vulnerability; and
• the hacker is prohibited from publicly disclosing the discovered vulnerabilities without prior authorisation to do so from the CCB.

However, in 2024, the NIS2 Law narrowed the previous general liability exemption for ethical hacking to a specific list of defined offences:

• interception of private communications (Article 314bis of the Criminal Code);
• violation of professional secrecy (Article 458 of the Criminal Code);
• hacking (Article 550bis of the Criminal Code);
• IT sabotage (Article 550ter of the Criminal Code); and
• offences related to telecommunications legislation.

Other offences, such as breaking and entering, are not included.

In other words, ethical hacking is now only permitted for conventional cyber-attacks involving remote access to IT systems. Physical attacks on these systems are no longer legally protected and require prior authorisation from the competent authorities. Otherwise, perpetrators face criminal prosecution, including charges of breaking and entering. Furthermore, the four conditions established in 2023 remain in effect and are further clarified by the NIS2 Law, which entered into force on 18 October 2024.

• Proportionality and necessity: The hackers must limit themselves to the actions strictly necessary to demonstrate the existence of a vulnerability, without exceeding what is needed to prove the security flaw. This also means they are prohibited from disrupting the target organisation’s services, even if an investigation is ongoing.
• No harm or blackmail: The hacker must never intend to cause harm or obtain sensitive information from the targeted company. Any form of blackmail, such as threatening to disclose vulnerabilities in exchange for benefits, is strictly prohibited.
• Reporting vulnerabilities: The hacker must promptly submit a simplified notification that includes the identification of the affected system and a brief description of the potential vulnerability, no later than 24 hours after its discovery, to both the organisation responsible for the system and the CCB. The hacker must submit a complete notification, without delay and no later than 72 hours after its discovery, to both the organisation responsible for the system (if applicable, in accordance with the reporting procedures established by that organisation) and the CCB.

It is also important to note that disclosing information