5. Transposition of NIS2 into Belgian Law
Directive (EU) 2016/1148 (NIS1) was transposed into Belgian law by the law of 7 April 2019 establishing a framework for the security of networks and information systems of vital importance for public security.
The new European text is a directive - and not a regulation [10] - so it must be transposed into national law to have effect. The NIS2 Directive must be transposed into Belgian law by 17 October 2024 at the latest and be applicable on 18 October 2024.
Given the public security dimension, which falls to the federal state, the government entrusts competence in this matter to the national legislator. This spares us the tangle of regionally and/or communally transposed and formulated regulations, sources of disparities and conflicts, that we would have faced had economic and/or social interests and/or the sectors of public/private activities had to be taken into account...
The government therefore submitted a bill on 5 March 2024 entitled "Law establishing a framework for the cybersecurity of networks and information systems of vital importance for public security". This bill was drafted and coordinated by the Centre for Cyber Security Belgium (CCB) and by the services of the Prime Minister.
The bill was adopted by the Chamber on 18 April 2024. The new law was published in the Moniteur on 17 May 2024, under the title: "Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of vital importance for public security". Given the many necessary changes, this law completely replaces the provisions of the law of 7 April 2019. It was supplemented by an executive order of 9 June 2024.
Like the directive, the purpose of the law is to strengthen cybersecurity measures, incident management and supervision of entities providing essential services for the maintenance of critical social or economic activities. It also aims to improve the coordination of public policies on cybersecurity.
The law defines the minimum legal requirements for security measures and risk management with which essential and important entities must comply [11]. Account is taken of the entity's degree of exposure to risk, its size, the likelihood of an incident occurring and the severity of an incident if one does occur.
In addition to an incident notification procedure, the law also provides for a sanctions regime specifying the administrative measures and fines that the competent control authorities may impose on essential or important entities, as well as the procedure that must precede them.
[10] A European regulation is, on the other hand, directly applicable, in most cases.
[11] To facilitate the practical implementation of these cybersecurity measures, the CCB has already developed and made available free of charge to the entities concerned a reference framework: the "Cyberfundamentals", comprising four different levels, presented in our article "ANPI à l'heure de la cybersécurité", in: Fire & Security Alert Magazine n° 32, September 2023, p. 40.