The notification of NIS2 incidents
The law of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of general interest for public security (the "NIS2 law") transposes EU directive 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the "NIS2 directive") into Belgian law and shall enter into force on October 18th this year.
This law contains, in particular, the obligation for all entities falling within its scope to notify the CCB of any incident that can be considered a "significant" incident. Such an incident is defined in the law as follows:
“Any incident that has a significant impact on the provision of any service listed in the sectors or sub-sectors in annexes I and II of the law and which:
- has caused or is likely to cause severe operational disruption to any of the services provided in the sectors or sub-sectors listed in annex I and II or financial loss to the entity concerned; or
- has affected or is capable of affecting other natural or legal persons by causing considerable material, personal or non-material damage.”
As soon as an NIS2 entity encounters such an incident, it must notify the CCB of it. This notification takes place in several stages (also see the visual below):
- without undue delay and in any event within 24 hours of becoming aware of the significant incident, the entity submits an early warning;
- without undue delay and in any event within 72 hours (24 hours for trust service providers) of becoming aware of the significant incident, the entity submits an incident notification;
- upon the request of a CSIRT or, where applicable, the competent authority, the entity submits an intermediate report;
- not later than one month after the submission of the incident notification under point 2, the entity submits a final report;
- in the event of an ongoing incident at the time of the submission of the final report, the entity concerned submits a progress report and then, within one month of the handling of the incident, a final report.
Depending on the extent of the incident, the entity must also inform the recipients of its service of the existence of the incident and of the measures and corrections that the recipients can take to respond to it.
To find out what NIS2 is, whether it applies to you and what your obligations are under this new legal framework, please have a look at our explanatory web page. For even more detailed information on the law, please visit our page dedicated to NIS2 on Safeonweb@Work.
This article is part of a series of articles published on the transposition of the NIS2 Directive in Belgium. The other articles can be accessed here.