Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

Few laws require specific policies or procedures, and even fewer currently require specific measures to protect data or information systems. Typically, the rule is that the organisation itself must decide what is appropriate, which can then be challenged by the regulator.

The combination of various data protection principles (including the principles of data protection by design and data protection by default) can be viewed as requiring companies to implement procedures to take cybersecurity into account in relation to personal data at every stage of the life cycle of a data-related initiative. For instance, security is an important element to consider when carrying out a data protection impact assessment when the data processing activity poses a high risk to the rights and freedoms of natural persons (article 35, General Data Protection Regulation 2016/679 (GDPR)).

The Data Protection Authority’s (DPA) predecessor, the Belgian Privacy Commission, had issued more specific guidelines on information security (on the need to have access controls such as permissions and authentication in place, on the importance of a security policy, etc), but they are no longer available.

Some sector-specific laws go further. For instance, qualified trust service providers (TSPs) must train their staff and subcontractors about security, and must use trustworthy systems (article 24(2), eIDAS Regulation (Regulation (EU) No. 910/2014)). Qualified electronic signature creation devices must be subject to certification that involves a security assessment (article 30, eIDAS Regulation). Moreover, the whole process for validating qualified electronic signatures must allow the person requesting validation to detect any security-relevant issues (article 32, eIDAS Regulation).

Under the Act of 7 April 2019 (the Network and Information Systems Act (the NIS Act)) and the Act of 1 July 2011 (the Critical Infrastructures Act), security policies are required, but the content remains at the discretion of the organisation (though ISO/IEC 27001 certification is evidence of compliance with this requirement, according to the NIS Act).

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Controllers must document all personal data breaches, including those not notified to an authority or data subject (article 33(5), GDPR). There is no guidance about the specifics of collecting or storing those records, but the DPA has been requesting copies of this register of breaches with increasing frequency.

In terms of duration, data protection infringements are time-barred after five years in Belgium. As a result, it is likely organisations will keep these records for at least five years. Outside data protection, another statute of limitations may apply, so it is important to take each situation into account when deciding on the retention period for data protection infringement records.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Controllers must notify to the DPA cybersecurity breaches that are likely to result in a risk to the rights and freedoms of natural persons. The notification must contain:

  • the nature of the breach;
  • the person to contact to obtain further information;
  • a description of the likely consequences; and
  • the (proposed) measures to mitigate the adverse effects of the breach.

 

When there is a risk of breach of the network security, an electronic communications services provider (ECSP) must notify the risk to the Belgian Institute for Postal Services and Telecommunications (BIPT). If the risk cannot be fully mitigated by the ECSP, the notification must contain measures that would allow mitigation and an indication of their likely cost. If there is a personal data breach, the ECSP must notify it to the DPA and must include:

  • the ECSP’s identity and its person of contact;
  • the nature of the breach and the incident that caused it;
  • the scope of the breach;
  • the potential consequences for the individuals affected; and
  • the technical and organisational measures to be applied.

 

Operators of essential services (OES), digital services providers (DSPs) and financial services operators (FSOs) must notify incidents having a significant impact on the availability, confidentiality, integrity or authenticity of network and information systems used by the essential service (article 24, NIS Act). OES must notify incidents simultaneously to: the national computer security incident response team (CSIRT); the sector-specific authority or sector CSIRT; and the national authority for identification of operators of essential services. FSOs must notify breaches to the National Bank of Belgium (article 25, NIS Act; article 96, Payment Services Directive (Directive (EU) 2015/2366) (PSD2); and article 53, PSD2 Act of 11 March 2018 (implementing PSD2) (the PSD2 Act)). Those notification obligations apply even if there is not enough information for the determination of the notion of a significant impact.

Payment service providers (PSPs) must notify any major operational or security incident to payment service users if the incident has or may have an impact on their financial interests (article 96, PSD2).

TSPs must notify the DPA of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein to their customers if it is likely to adversely affect them, without undue delay (article 19, eIDAS Regulation).

Time frames

What is the timeline for reporting to the authorities?

Controllers must notify personal data breaches to the DPA where feasible, not later than 72 hours after having become aware of the breach. Justification is required if this time frame is exceeded.

When a security breach occurs, or when the loss of the integrity of personal data has a significant impact on the functioning of network and services, electronic communications network providers and ECSPs must notify the breach or loss to the BIPT without delay. If a personal data breach occurs, ECSPs must notify it to the DPA without delay or within 24 hours, where feasible.

OES and DSPs must notify incidents without delay (article 35, NIS Act).

PSPs must notify any major operational or security incident without undue delay (article 96, PSD2 and article 53, PSD2 Act). According to the European Banking Authority guidelines, the PSP must submit an initial report of the major incident within four hours of the first detection, then must submit reports at least every three business days. The final report must be made no later than two weeks ‘after business is deemed back to normal’.

Notifications by TSPs must be made without undue delay, but in any event, within 24 hours of having become aware of the relevant incident (article 19, eIDAS Regulation).

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Controllers must notify personal data breaches to the person whose data they process (the data subject) if that breach is likely to result in a high risk to the data subject's rights and freedoms. If no contact with individuals is possible, a public communication is required.

Organisations that process personal data on behalf of a controller (‘processors’ under the GDPR) must communicate personal data breaches to controllers without undue delay. The parties are free to decide how the communication takes place.

ECSPs must notify a personal data breach to individuals when that breach is likely to adversely affect their data or privacy. However, notification is not required if technological protection measures rendered the data unintelligible to anyone not authorised to access it.

DSPs providing services to OES must inform them of any incident that has a significant impact on the continuity of those essential services (article 27, NIS Act). The European Union Agency for Cybersecurity published a report in February 2017 to help DSPs determine whether an incident has had a significant impact.

PSPs must notify any major operational or security incident to payment service users if the incident has had or may have an impact on their financial interests (article 96, PSD2).

TSPs must notify any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein to their customers if it is likely to adversely affect them, without undue delay. The supervisory authority may also require TSPs to issue a public communication (article 19, eIDAS Regulation).

Law Stated Date

Correct On

Give the date on which the information above is accurate.

16 February 2021