The NIS2 law
Obligations
The NIS2 law imposes a number of obligations on essential and important entities. These include cybersecurity risk management measures, notification of significant incidents, registration and cooperation with the authorities.
1. Cybersecurity risk management measures
Essential and important entities must take appropriate and proportionate measures to manage the risks that threaten the security of the networks and information systems they use in the course of their activities or in the provision of their services, and to eliminate or mitigate the consequences of incidents for the recipients of their services and for other services.
These measures are based on an "all-hazards" approach and aim to protect networks and information systems and their physical environment against incidents.
They shall include at least the following 11 measures
(1) Risk analysis and information system security policies |
(2) Incident handling |
(3) Business continuity and crisis management |
(4) Supply chain security |
(5) Security in the acquisition, development and maintenance of networks and information systems, including the handling and disclosure of vulnerabilities |
(6) Policies and procedures for assessing the effectiveness of cybersecurity risk management activities |
(7) Cyber hygiene and cyber security training |
(8) Policies and procedures on the use of cryptography and, where appropriate, encryption |
(9) Personnel security, access control policies and asset management |
(10) The use of multi-factor authentication or continuous authentication solutions, secure communications and secure emergency communication systems within the entity, as appropriate | (11) A coordinated vulnerability disclosure policy |
The Centre for Cybersecurity Belgium has developed a reference framework, known as CyberFundamentals (CyFun®), which covers all these points and can be used for conformity assessment. For more information, please visit the CyFun page on Safeonweb@work.
2. Notification of incidents
The law stipulates that essential and important entities must notify the competent authorities of any significant incident affecting the provision of their services in the (sub)sectors listed in the annexes to the law, including, where appropriate, information that makes it possible to determine whether the incident in question has a cross-border impact.
A significant incident is any incident which has a significant impact on the provision of services in the sectors or subsectors listed in Annexes I and II to the Law and which
has caused or is likely to cause serious disruption to the operation of any of the services in the sectors or subsectors listed in Annexes I and II or financial loss to the undertaking concerned; or
has caused, or is likely to cause, significant material, personal or non-material damage to other natural or legal persons.
This notification shall be made to the national CSIRT (the CCB). Where appropriate, the entities concerned shall inform the recipients of their services of significant incidents that may affect the provision of the aforementioned services. The entities also inform the recipients of their services that may be affected by a significant cyber threat of all the measures and corrections that may be taken to respond to it, and even of the cyber threat itself.
The notification of significant incidents shall take place in several stages:
- Without undue delay and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning;
- without undue delay and in any event within 72 hours (24 hours for trust service providers) of becoming aware of the significant incident, the entity shall submit an incident notification;
- submit an interim report if requested to do so by a CSIRT or, where applicable, the competent authority;
- submit a final report no later than one month after the submission of the incident notification referred to in point 2;
- if the incident is ongoing at the time of the final report, the entity shall submit a progress report and then, within one month after the handling of the incident, a final report.
In practice, notification is made through the procedure set out on the CCB website.
3. Registration of entities
NIS2 entities regulated in Belgium are required to register with the CCB. In practice, entities must fill in a registration form on Safeonweb@Work.
The deadline for registration depends on the type of entity. In principle, essential and important entities, as well as domain name registration service providers, have 5 months from the entry into force of the law to register. With the entry into force scheduled for 18 October 2024, registration must be completed by 18 March 2025 at the latest.
When registering, companies must provide the following information
- Their name and Crossroads Bank for Enterprises (CBE) registration number or equivalent registration in the European Union;
- Their current address and contact details, including email address, IP address and telephone number;
- where applicable, the relevant sector and subsector referred to in Annex I or II of the Law;
- where applicable, a list of the Member States in which they provide services falling within the scope of the Law.
There is an exception for entities that have already provided this information to a NIS2 sectoral authority. In this case, the information only needs to be updated where necessary. If the information changes, all entities must inform the CCB immediately.
There is a slightly adapted regime for the following types of entities:
- DNS service providers;
- TLD name registries;
- entities providing domain name registration services;
- Cloud computing service providers;
- data centre service providers;
- Content delivery network providers;
- Managed service providers;
- Managed security service providers;
- online marketplace providers;
- online search engine providers; and
- social networking service platform providers.
They must register within 2 months of the law coming into force (i.e. by 18 December 2024 at the latest) and provide the following information
- Their name;
- their sector, sub-sector and type of entity, as listed in Annex I or II, as applicable;
- the address of their principal place of business and of their other legal establishments in the Union or, if they are not established in the Union, of their representative;
- their current contact details, including e-mail addresses and telephone numbers, and, where applicable, those of their representative;
- the Member States in which they provide their services falling within the scope of the Law;
- their IP ranges.
Each entity, whether covered by the waiver or not, is required to inform the CCB immediately of any changes to this information.
In practice, some of this information is obtained directly from the Crossroads Bank for Enterprises (CBE) during the registration process.
4. Obligations and responsibilities for management
The management bodies of NIS2 entities must approve cybersecurity risk management measures and oversee their implementation. If the entity breaches its obligations with regard to risk management measures, the management body is liable.
Members of the management bodies are obliged to follow training to ensure that their knowledge and skills are sufficient to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity concerned.
The responsible persons and/or legal representatives of an entity must have the power to ensure that the entity complies with the law. They are liable for their failure to do so.
The liability of management bodies, responsible persons and legal representatives is without prejudice to the rules on liability applicable to public institutions, as well as the liability of civil servants and elected or appointed officials.
5. Cooperation with the authorities
The NIS2 law requires entities falling within its scope to cooperate with the national authorities responsible for its implementation, in particular the CCB and the sectoral authorities.
This cooperation generally takes the form of an exchange of information on the security of networks and information systems, but also includes cooperation between the entity and the CCB's inspection service.