Until May 2019, Belgium had no comprehensive legislation on cyber security. This changed on 3 May 2019, when the Belgian Network and Information Systems (NIS) law was published in the Belgian Official Journal. The law transposes European Directive 2016/1148 (the NIS Directive) and is designed to improve the security of the network and information systems on which the economy, society and public safety depend. Its objective is to achieve a common level of security for such critical systems across all Member States.
The NIS Directive requires each Member State to identify and appoint Operators of Essential Services (OES) and to ensure that these operators implement appropriate information security measures following a risk-based approach. OES are furthermore required to report significant incidents, such as cyber attacks, to a national authority. The Belgian NIS law implements these obligations for Belgium.
Operators of Essential Services
The NIS law covers operators of essential services in six sectors: energy, transportation, finance, healthcare, drinking water and digital infrastructure. In Belgium, a Sectoral Authority (SA) is appointed for each sector. The SA is responsible for identifying and appointing the operators of essential services within its sector and for monitoring and coordinating the implementation of the NIS law by those operators.
OES in the finance sector are not subject to all requirements of the Belgian NIS law. Only three apply to them: (1) they must be identified and appointed, (2) they must report incidents and (3) they may be liable to sanctions for NIS violations. The information security measures they must have in place are set out in other regulations imposed by the National Bank of Belgium, such as its circulars. The telecom sector is out of scope of the NIS law altogether, because the law of 13 June 2005 on electronic communications already imposes security requirements that are in line with those of the NIS law.
Where are we now?
As the deadline for identification was November 2019, all operators should, in principle, have been identified and appointed by now. The Royal Decree of 12 July 2019 designated an SA, in each case the competent Ministry, for every sector except drinking water, for which no SA has been assigned as of this date. According to an article by the Centre for Cyber Security Belgium (CCB), priority was given to identifying the operators of essential services in the energy, transportation and finance sectors. However, the list of identified OES is not publicly available, so the current status of the identification process is largely unknown.
Before the NIS law, an incident reporting platform for telecom operators was already available and operated by the Belgisch Instituut voor Postdiensten en Telecommunicatie (BIPT), the Belgian telecommunications regulator. This platform was extended to serve as the NIS notification platform for all sectors, and data breaches can be reported through it as well. To date, the authorities have not shared any information on the number or extent of reported incidents.
What are the next steps?
Once an OES has been formally identified and appointed, the clock starts ticking: several activities must be completed within the timeframes defined by the law. It is important to note that these deadlines run from the date on which the individual OES was designated, not from a fixed calendar date.
In view of this timeframe, organizations should already be drafting their information security policies and implementing the corresponding measures, including incident notification procedures.
Below is an overview of the latest possible NIS deadlines, i.e. those that apply to an OES appointed on the identification deadline of 3 November 2019.
- November 2020: one year after the identification and appointment of the OES by the sectoral authorities, the information security policy should be developed;
- February 2021: three months after the security policy is established, an initial internal audit is performed and its outcome is reported to the sectoral authority within 30 days. Internal audits are repeated yearly and should verify that the measures and processes defined in the policy are correctly applied and reviewed in a timely manner;
- November 2021: two years after the OES is identified, the measures of the established policy should be implemented;
- February 2023: two years after the first internal audit, the first external audit of the implemented measures is performed and its outcome is reported to the sectoral authority within 30 days. External audits are repeated every three years. The Royal Decree of 12 July 2019 sets requirements for the bodies permitted to perform the external audit. In practice, this will most likely take the form of ISO/IEC 27001:2013 certification by bodies accredited by BELAC.
Organizations that do not comply with the NIS law may face sanctions ranging from monetary penalties to imprisonment, depending on the type and extent of the violation. It should be noted, however, that the intention of the NIS law is not to fine organizations, but to improve their collaboration with the government on information security.
Where can KPMG assist?
Identifying which business processes and systems support the essential services is not always straightforward. It requires judgement calls on whether a given process is or is not needed to deliver the essential service. KPMG has extensive experience in this area and can help you identify and understand what is actually needed to provide the essential service.
To comply with the Belgian NIS law, an OES needs to adopt a risk-based approach to managing security. One way to do this is to use the ISO/IEC 27001:2013 standard as the basis for an Information Security Management System (ISMS): a framework of processes, documents, controls and measures for managing information security in a continuous, risk-based way. The Belgian NIS law itself points to ISO/IEC 27001: it states that an OES benefits from a presumption of conformity if the essential services and their underlying processes and systems are covered by an ISO/IEC 27001 certificate. KPMG has extensive knowledge and expertise in implementing an ISMS. We can assist you as a coach or accelerator, or take on the entire ISMS implementation.
In the next article, we will cover some of the challenges associated with the local implementation of the NIS law, while examining the scattered regulatory landscape.