Best practice
Increased protectionDo the authorities recommend additional cybersecurity protections beyond what is mandated by law?
The Belgian Privacy Commission, predecessor of the Belgian Data Protection Authority (BDPA), had issued guidelines on information security. Unfortunately, those guidelines are no longer available and the BDPA has not issued any guidance of its own. The BDPA’s own case law suggests best practices for compliance with the General Data Protection Regulation’s (GDPR) general obligation regarding cybersecurity (article 32, GDPR), such as having a Secure Sockets Layer (SSL) for web forms involving the processing of health-related data (decision No. 117/2021 of 22 October 2021) and logging mechanisms and access control for managers as well (decision No. 56/2021 of 26 April 2021).
Beyond regulator publications, it is common practice in Belgium to refer to guidelines from the European Union Agency for Cybersecurity (ENISA) (see notably the recent Railway Cybersecurity – Good Practices in Cyber Risk Management or its Cybersecurity guide for SMEs) and the ecoDa Handbook on Cybersecurity for European Board Members (which provides useful guidance for organisations on how to integrate cybersecurity considerations at board level) as well as the National Institute of Standards and Technology (NIST) Cyber Security Framework.
How does the government incentivise organisations to improve their cybersecurity?
The government incentivises organisations to improve their cybersecurity through cybersecurity cheques, tax cuts and fines.
First, the Walloon government created a ‘cybersecurity cheque’, allowing SMEs to receive up to €60,000 in three years, to help them with cybersecurity audits and diagnostics and the creation of a cybersecurity policy. Similar to the cybersecurity cheque, the ‘digital maturity cheque’ aims to help SMEs to transition into digital and cybersecure organisations.
Second, the Flemish side of the country allows several tax schemes to promote cybersecurity innovations. For instance, they allow up to 85 per cent tax cuts on income generated by innovations related to cybersecurity.
Third, sector-specific legislation often imposes fines following the non-compliance of their provisions. For instance, the BDPA has the ability to give administrative fines of (in theory) up to €10 million or 2 per cent of the total worldwide annual turnover for violations of the GDPR. To date, the amount of fines has been significantly lower, but there is a trend towards increasing fines.
In addition, non-compliance with other legislation can lead to fines and other sanctions:
- criminal fines of up to €400,000 for non-compliance with the Belgian Act of 13 June 2005;
- fines between €500 and €100,000 as well as criminal penalties up to €240,000 for non-compliance by operators of essential services (OESs) and digital service providers (DSPs) with security measures obligations under the Belgian NIS Act, double in the case of recidivism;
- in the case of payment service providers (PSPs), administrative fines between €10,000 and 10 per cent of yearly net turnover (based on the previous accounting year) or penalty fines of maximum €2.5 million per infringement of PSD2 (or both) or a maximum of €50,000 per (further) day of non-compliance; and
- (non-qualified) trust service providers (TSPs) may lose their ability to provide (non-)qualified trust services. The service provider losing its ‘qualified’ status must inform the users of its services about it (article XV.26, Belgian Code of Economic Law (BCEL)). If the service provider falsely claims having a ‘qualified’ status, he may face up to €800,000 of criminal penalties.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
Payment service providers (PSPs) must comply with the guidelines and standards issued by the European Banking Authority ((EBA) article 52, the Payment Services Directive Two (PSD2 Act)). Other useful industry standards include those issued by the European Telecommunications Standards Institute (ETSI), such as those on consumer internet of things cybersecurity (ETSI EN 303 645 v2.0.0 [European standard] and ETSI TS 103 645 [technical specification]). Moreover, the European Union Agency for Cybersecurity (ENISA) published a report about Standards Supporting Certification and is working to facilitate European standards. Finally, the ecoDa Handbook includes various references to useful standards and guidance.
Are there generally recommended best practices and procedures for responding to breaches?
In terms of compliance with legal obligations, in Belgium, reference is often made to the guidance by the former article 29 Working Party (WP29) on personal data breach notification to notify personal data breaches, the EDPB’s Guidelines 01/2021 on Examples regarding Personal Data Breach Notification (as modified in December 2021) and ENISA’s methodology to assess risks in case of personal data breaches, as well as ENISA’s reports on incident notifications for DSPs and TSPs.
PSPs also have the obligation to ensure monitoring, handling and follow-up of security incidents and customer claims linked to security (article 53(1) PSD2 Act), and the EBA’s guidelines regarding incident notifications are important for PSPs in this respect.
More generally, regarding the handling of breaches (and not limited to official guidance on notifications), the ecoDa Handbook includes best practices that are increasingly referred to (eg, involvement of third-party forensic firms, sometimes via legal counsel to better protect confidentiality of the findings; regular tests of response to data breaches through simulations; etc).
Voluntary information sharingDescribe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Data breaches or specific cyberthreats entail various notification obligations. However, voluntary notifications are also possible. For instance, potential operators of essential services (OES)s can voluntarily notify cybersecurity incidents to the national Computer Security Incident Response Team (CSIRT), the sector-specific authority or sector CSIRT, and to the national authority for identification of operators of essential services (article 30, the Belgian Act of 7 April 2019 (Belgian NIS Act)), although there are no clear incentives in the event of such notifications. More generally, at the level of the Belgian Data Protection Authority (BDPA), voluntary notifications are also possible outside of the cases where a notification is required, and this is generally well perceived by the BDPA.
Other voluntary information-sharing initiatives include for example Quarterly Cyber Threat Report events, organised by the Cyber Threat Research and Intelligence Sharing (CyTRIS) Department of the CCB, which bring together different stakeholders at least once a quarter and inform all participants about active cyber threats.
However, there is also a risk to even voluntary notifications, given that any indication that the breach was due to security failings or that the surrounding circumstances suggest an infringement of applicable requirements (eg, data protection principles) could give rise to an investigation.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The Cybersecurity Certification by the CCB allows companies to evaluate and certify the security of ICT products, services and processes. It aims at maximum alignment with existing European and international reference frameworks. All certificates are published by the EU Agency for Cybersecurity (ENISA) and are valid within the European Union. This certification therefore incentivises companies to demonstrate that cybersecurity requirements, best practices and policies are in place.
Apart from that, there is no true structure for cooperation and the development of cybersecurity standards and procedures. From time to time, actors from the private sector act as consultants for the government regarding cybersecurity, but it typically depends on whether the government is prepared to start a (public or private) consultation process. This lack of interaction can lead to enforcement issues, as cybersecurity and data protection laws are often difficult to implement perfectly from a practical and business point of view.
InsuranceIs insurance for cybersecurity breaches available in your jurisdiction and is such insurance obtainable for most organisations? How common is it?
Cyber risk insurance is available in Belgium and adoption thereof is increasing. Most of the insurance offerings provide coverage in case of loss or damage caused by cybercrime, hacker-related damage, cyber-extortion and data theft. Many of the insurances also offer 24/7 (helpdesk) assistance in the event of a cyber-attack or data breach, and/or reimburse costs for legal, IT and PR services that are necessary to limit any damage to the company and its reputation. However, the exclusions and conditions accompanying some insurances – in particular, exclusions of acts of war, given that some cyberattacks can be linked to disputes between nation states – have often given rise to discussions. Moreover, coverage is sometimes conditional upon demonstration of appropriate security measures put in place by the organisation, and insurers often send detailed questionnaires regarding the level of security prior to any premium being calculated. Finally, in practical terms, such insurance policies often require evidence in the form of a complaint with the police before they cover a breach, and although they cover certain costs there are frequently limitations in terms of which service providers can be covered and up to what amount (or for how many hours or days after an incident occurs all qualifying costs are covered – eg, with the first 24 hours of legal support being covered).
