Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

Few laws require specific policies or procedures, and even fewer currently require specific measures. Typically, the rule is that the organisation itself must decide what is appropriate – and that can then be challenged by the regulator.

The combination of various data protection principles (including the principles of ‘data protection by design’ and ‘data protection by default’) can be viewed as requiring companies to implement procedures to take cybersecurity into account in relation to personal data at every stage of the lifecycle of a data-related initiative. For instance, security is an important element to take into account when carrying out a ‘data protection impact assessment’ when their processing activity poses a high risk to the rights and freedoms of natural persons (article 35, General Data Protection Regulation (GDPR)).

The Belgian Data Protection Authority’s (BDPA) predecessor, the Belgian Privacy Commission, had issued more specific guidelines on information security (on the need to have access controls (permissions; authentication; …) in place, on the importance of a security policy, etc), but those are no longer available. Instead, the BDPA’s case law suggests specific measures that are required (eg, having SSL for web forms involving the processing of health-related data, and logging mechanisms and access control for managers as well).

Some sector-specific laws go further. For instance, qualified trust service providers (TSPs) must train their staff and subcontractors about security and must use trustworthy systems (article 24(2), eIDAS Regulation). Qualified electronic signature creation devices must be subject to certification that involves a security assessment (article 30, eIDAS Regulation). Moreover, the whole process for validating qualified electronic signatures must allow the person requesting validation to detect ‘any security relevant issues’ (article 32, eIDAS Regulation).

In the NIS and critical infrastructure legislation, security policies are required, but the content remains at the discretion of the organisation (although ISO/IEC 27001 certification is evidence of compliance with this requirement, according to the Belgian NIS Act).

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Under the GDPR, any controller must document any personal data breaches, including those not notified to an authority or data subject (article 33(5), GDPR). There is no guidance about the specifics of collecting or storing those records, but the BDPA has started to request ever more frequently a copy of such registers of breaches.

In terms of duration, data protection infringements are time-barred after five years in Belgium, as a result of which it is likely organisations will wish to keep such records for at least five years.

Outside of data protection, another statute of limitation may apply, so it is important to bear each situation into account when deciding on the retention period for such records.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Controllers must notify to the BDPA cybersecurity breaches that are likely to result in a risk to the rights and freedoms of natural persons. Such notification must contain the nature of the breach, the person to contact to obtain further information, a description of the likely consequences and the measures (proposed to be) taken to mitigate the adverse effects of the breach.

When there is a risk of breach of the network security, publicly available electronic communications services (ECSPs) must notify such risk to the Belgian Institute for Postal Services and Telecommunications (BIPT). The notification must contain, if the risk cannot be fully mitigated by the ECSP, the measures allowing such mitigation and an indication of their likely cost. If there is a personal data breach, the ECSPs must notify it to the BDPA. Therein, the ECSP must include their identity and their person of contact; the nature of the breach and the incident that caused it; the scope of the breach; the potential consequences for individuals; and the technical and organisational measures (to be) applied.

In the case of a specific and significant threat of a cybersecurity incident, ECSPs must inform the BIPT thereof and must indicate any protective or remedial action that its users should take and any measures it has taken or plans to take (article 107/3, Belgian Act of 13 June 2005 (BAEC)).

Operators of essential services (OESs), digital service providers (DSPs) and financial services operators (FSOs) must notify incidents having a significant impact on the availability, confidentiality, integrity or authenticity of network and information systems used by the essential service (article 24, Belgian NIS Act). OESs must notify incidents simultaneously to the national CSIRT, the sector-specific authority or sector CSIRT and the national authority for identification of operators of essential services. FSOs must notify breaches to the National Bank of Belgium (article 25, Belgian NIS Act and 96 PSD2). These notification obligations apply even if there is not enough information for the determination of the notion of a ‘significant impact’.

Payment service providers (PSPs) must notify any major operational or security incident to payment service users if the incident may have or has an impact on their financial interests (article 96, PSD2).

TSPs must notify to the BDPA any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein to their customers if it is likely to adversely affect them, without undue delay (article 19 eIDAS).

Time frames

What is the timeline for reporting to the authorities?

Controllers must notify personal data breaches to the BDPA ‘where feasible, not later than 72 hours after having become aware of it’. Justification is required if this timeline is exceeded.

When a security breach occurs, or when the loss of the integrity of personal data entails a significant impact on the functioning of network and services, public electronic communications networks and ECSPs must notify such breach or loss to the BIPT without delay. If a personal data breach occurs, ECSPs must notify it to the BDPA without delay (article 107/3, BAEC).

OESs and DSPs must notify incidents without delay (article 35, Belgian NIS Act).

PSPs must notify any major operational or security incident without undue delay (articles 53(2) and 96 PSD2). According to the guidelines of the EBA, there must be an initial report of the major incident within four hours of the first detection followed by reports every three business days at the latest. The final report must be made a maximum of two weeks after the situation is back to normal.

Notifications by TSPs must be made without undue delay, but in any event within 24 hours after having become aware of the relevant incident (article 19, eIDAS).

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Controllers must notify personal data breaches to the person whose data they process (data subject) if such breach is likely to result in a high risk to the data subject's rights and freedoms. If no contact with individuals is possible, a public communication is required.

Organisations that process personal data on behalf of a controller (‘processors’ within the GDPR) must communicate personal data breaches to controllers ‘without undue delay’. The parties are free to decide how the communication takes place.

ECSPs must notify a personal data breach to individuals when such breach is likely to adversely affect their data or privacy, unless technological protection measures rendered the data unintelligible to anyone not authorised to access it. In addition, in the case of a specific and significant threat of a cybersecurity incident, the ECSP must inform any users that are potentially affected by such an incident.

DSPs providing services to OESs must inform them of any incident with a significant impact on the continuity of those essential services (article 27, Belgian NIS Act). ENISA has published a report to help determine if the incident has a significant impact.

PSPs must notify any major operational or security incident to payment service users if the incident may have or has an impact on their financial interests (article 96, PSD2).

TSPs must notify any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein to their customers if it is likely to adversely affect them, without undue delay. The supervisory authority may also require TSPs to issue a public communication (article 19, eIDAS).

Law Stated Date

Correct On

Give the date on which the information above is accurate.

16 February 2021