3rd anniversary of the national law transposing the "NIS Directive"
News
In the field of cyber security in Belgium, 7 April is quite a special date.
This date marks the transposition into Belgian law of the EU Directive on "Network and Information System Security" (NIS Directive)*. What is the purpose of this directive? The main purpose of this directive is to ensure a high and common level of security for networks and information systems in the European Union.
This European directive has created the first specific and complete legal framework in Belgium in the field of cyber security. The law of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security ("NIS law") has, among other things, strengthened the legal missions and expertise of the Centre for Cybersecurity Belgium (CCB) in this area.
At European level, the NIS Directive has made it possible to structure and improve cooperation between the Member States of the European Union in the field of cybersecurity, both for strategic and operational aspects, in particular through the NIS Cooperation Group and a European network of "CSIRTs" (Computer Security Incident Response Centres). The CCB plays an active role in both these European cooperation bodies.
At national level, the NIS Law has made it possible to identify the Operators of Essential Services (OES) and to subject them to security, incident reporting and control rules.
An "Operator of Essential Services" (OES) is a public or private entity that carries out an activity in Belgium related to the provision of an essential service in one of the sectors listed in Annex I of this law (energy, transport, finance, health, digital infrastructure and drinking water) and that has at least one establishment on Belgian territory, and that is designated by administrative decision of the competent sectoral authority. The other criteria for the designation of an OES are:
- to provide a service that is essential to the maintenance of critical societal and/or economic activities;
- the provision of the service is dependent on networks and information systems (which is presumed to be the case);
- the occurrence of an "incident" relating to the "security of the operator's networks and information systems" would be likely to have a "significant disruptive effect" on the provision of the essential service.
For more information on Operators of Essential Services (OES) see [FR] https://ccb.belgium.be/fr/cadre-l%C3%A9gal-pour-les-op%C3%A9rateurs-de-services-essentiels-ose | [NL] https://ccb.belgium.be/nl/wettelijk-kader-voor-aanbieders-van-essenti%C3%ABle-diensten-aed
We have compiled the most frequent questions about the legal framework applicable to Operators of Essential Services in the form of a
A Digital Service Provider (DSP) is a legal entity that is not a micro or small enterprise, that provides certain digital services (cloud computing service, online marketplace or online search engine) and that has its main office in Belgium.
For more info on Digital Service Providers (DSP) see [FR] https://ccb.belgium.be/fr/cadre-l%C3%A9gal-pour-les-fournisseurs-de-service-num%C3%A9rique-fsn | [NL] https://ccb.belgium.be/nl/wettelijk-kader-voor-digitaledienstverleners-ddv
As the digital sphere is rapidly evolving, the EU is preparing a second version of the NIS Directive ("NIS2")... To be continued!
_____________
* This Directive (n°2016/1148) was adopted by the EU on 6 July 2016. In Belgium, the "Law establishing a framework for the security of networks and information systems of general interest for public security", known as "NIS Law", was adopted on 7 April 2019 and published in the Belgian Official Journal on 3 May 2019 (cf. http://www.ejustice.just.fgov.be/eli/loi/2019/04/07/2019011507/moniteur).