The NIS2 law

The Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security ("NIS2 Law") transposes Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 ("NIS2 Directive") into Belgian law.

The NIS2 law aims to strengthen cybersecurity, incident management and oversight measures for entities that provide services that are essential for the maintenance of critical social or economic activities. It also aims to improve the coordination of public policies on cybersecurity.

The Cyber Solidarity Act (CySoA)

The EU Cyber Solidarity Act was officially published on January 15, 2025. It is a new key step in strengthening Europe’s cybersecurity. Set to take effect in February, this legislation aims to help EU countries, including Belgium, better detect, prepare for, and respond to serious cyber incidents that can affect businesses and citizens alike, and to foster solidarity between Member States in times of crisis. It’s all about making sure Europe is more resilient in today’s digital world. Unlike the NIS2 Directive or the Cyber Resilience Act, the Cyber Solidarity Act does not introduce obligations on providers. It is purely voluntary legislation that sets up tools and, above all, funding. Member States can make use of these if they wish, to support their detection, information sharing or crisis response capabilities, especially for NIS2 entities.

Belgium, and specifically the Centre for Cybersecurity Belgium, played a pivotal role in the development and adoption of the Cyber Solidarity Act during its Presidency of the Council of the EU in the first half of 2024. The Centre for Cybersecurity Belgium will continue to play a central role in implementing the Act’s provisions. Read more about the Belgian Presidency in this comprehensive article.

The Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) was published on 20 November 2024. This new EU regulation contains “horizontal cybersecurity requirements for products with digital elements”. In other words, it imposes minimum cybersecurity requirements for all connected products put on the EU market, making the so-called “internet of things” (IoT) more secure. 

The new rules will apply in all EU countries and will be implemented in phases. Ultimately, the CRA is expected to contribute to the CCB’s vision of making Belgium more cyber-secure by ensuring that its citizens and organisations, whether public or private, are less vulnerable to cyberattacks.

The Cybersecurity Act

The Cybersecurity Act provides a framework for the issuance and recognition of European cybersecurity certificates. These certificates are based on cybersecurity certification schemes with one or more assurance levels ("basic", "substantial" or "high"). 
 
The aim is to improve the transparency of the cybersecurity of information and communication technology products, services and processes. This will increase trust in and the competitiveness of the digital single market. The use of certifications provided for in the Cybersecurity Act will in principle remain voluntary.

Coordinated Vulnerability Disclosure Policy (CVDP)

A Coordinated Vulnerability Disclosure Policy (CVDP) is a set of rules determined in advance by an organisation responsible for IT systems that allows participants (or "ethical hackers") with good intentions to identify potential vulnerabilities in its systems or to provide it with all relevant information about them.

A vulnerability rewards program (or "bug bounty" program) covers all rules set by a responsible organisation to give rewards to participants who identify vulnerabilities in the technologies it uses. It is a type of coordinated vulnerability disclosure policy that includes rewards for participants based on the amount, importance or quality of the information provided.

CCB directives

Under the NIS2 Directive, the Centre for Cybersecurity Belgium is responsible for developing, disseminating and ensuring the implementation of security standards, directives and norms for the various types of information systems.
