Following the recent entry into force of the Network and Information Security Directive 2 (NIS 2), the Belgian cybersecurity authority (CCB) has issued guidelines (available in English, Dutch and French) detailing the notification obligations for entities under the Belgian NIS 2 Law. The guidelines set out strict criteria for reportable incidents and impose short deadlines for reporting. Organisations must be fully aware of these obligations to ensure compliance.

1. What is the Belgian NIS 2 Law about?

For a comprehensive overview of the Belgian NIS 2 obligations, and answers to questions such as "What's the applicable legislation in Belgium?" and "How to determine if your organisation falls under the scope of NIS 2 in Belgium?", refer to our previous article on the subject.

2. Which incidents must be reported?

Entities under the Belgian NIS 2 Law must report incidents considered "significant". This requires two criteria: an incident must occur, and it must be significant. Note the following definitions:

o severe operational disruption to one of the services provided;

o financial losses for the entity concerned;

o a considerable material, physical or moral damage to other natural or legal persons.

3. How to determine the significance of an incident?

Before deciding if an incident (as defined above) is significant (as defined above) and requires notification, your company should consider the following:

The CCB has identified the following concrete situations in which the significant character of an incident should be considered as established by an entity:

A suspected malicious event compromising the authenticity, integrity, or confidentiality of data on the entity's networks or information systems, which causes or is likely to cause severe operational disruption.

An event compromising the availability of data on the entity's networks or information systems, which causes or is likely to cause severe operational disruption.

An event causing or likely to cause financial loss to the entity, such as costs associated with internal and external communication; advisory costs, including costs associated with legal counselling; forensic services and remediation services; or staff costs.

An event causing or likely to cause material, physical or moral damage affecting other natural or legal persons

Notifications should be made to the CCB by filling an online form (available in English, Dutch and French). Unlike GDPR data breach notifications to the Belgian Data Protection Authority (BDPA), incident reporting can be done in English, which may be beneficial for international organisations.

If the form is unavailable or if it is technically impossible to fill in the form, a notification can be made by phone (+32 2 501 05 60). This phone number can also be used to contact the CCB when their immediate support is needed.

5. When should these incidents be reported?

The notification deadlines begin the moment the entity becomes "aware" of such significant incidents. The CCB emphasises that an entity is considered to be "aware" of a breach when it has detected a suspicious event, or after a potential incident has been brought to its attention by a third party (e.g. an individual, a customer, an entity, an authority, a media organisation). The entity should assess in a timely manner the suspicious event to determine whether it constitutes an incident and, if so, determine its nature and severity. The entity is regarded as being "aware" of the significant incident when, after such initial assessment, that entity has a reasonable degree of certainty that a significant incident has occurred.

There are several stages in the notification process:

The term "without undue delay" means that the entity must notify the incident as soon as possible, without waiting for the maximum deadlines of 24 or 72 hours. According to the CCB, only duly justified special circumstances may warrant waiting until the end of these deadlines. Compliance with a company's internal procedures must not cause an unreasonable delay in notifying an incident.

If the significant incident is likely to affect the provision of services listed in the annexes to the Belgian NIS 2 Law, the entity must also inform the recipients of its services (if identifiable) without undue delay. This information obligation can be fulfilled by any available means, such as information on the website, mailing lists, messages in an application, or paper communications. The same goes for any measures or corrections in response to a significant cyber-threat.

6. Additional considerations

These guidelines apply solely to Belgium. Other EU member states may adopt slightly different rules.

This new notification obligation does not remove the requirement to notify the national data protection authority (e.g. the BDPA), as prescribed by the GDPR, in the event of a personal data breach.

The specific rules established by the EU Commission for the notification of incidents in the digital infrastructure and ICT service management (B2B) sectors, as well as by digital providers (as defined in the NIS 2 Law), have also taken effect. In case of conflict with CCB guidelines, these specific EU rules will take precedence. Additionally, specific notification procedures for the financial sector are outlined in the EU Digital Operational Resilience Act (Regulation 2022/2554).

7. Key takeaways

For more information on the NIS 2 Directive and how it could affect your business operations, contact your usual CMS advisor or local CMS experts. Did you know our tech & data practice is recognised as tier 1 (best-in-class) by Chambers and Legal 500?