Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last reviewed: January 2025

Data privacy

Belgium has one federal data protection authority: the Belgian Data Protection Authority.

A regional authority also exists for the Flemish Region/Community and is competent to oversee the processing of personal data by Flemish public authorities.

Cybersecurity:

  • The Belgian Centre for Cybersecurity (“CCB”)
  • Sectoral authorities designated by the Belgian NIS 2 Act of 26 April 2024 and NIS 2 Royal Decree of 9 June 2024 for certain sectors
  • The National Crisis Centre (NCCN) (especially for critical infrastructure operators and critical entities)

Under the Belgian NIS 2 Act of 26 April 2024, government entities at national and sectoral level are tasked with overseeing compliance with that Act. The national authority for cybersecurity is the Belgian Centre for Cybersecurity, which also serves as Belgium's national CSIRT. Sectoral authorities charged with monitoring specific cyber-related matters (such as the registration of sectoral entities for the purposes of the NIS 2 legal framework, and the analysis and management of the consequences of cybersecurity incidents for their sector) include the federal Minister of Energy for the energy sector, the federal Minister for Transport for the transport sector (save for limited exceptions), the federal Minister of Economy for the digital providers sector, the Belgian Institute for Post and Telecommunications (“BIPT”) for the digital infrastructure sector, and the federal Minister of Public Health or the Federal Agency for Medicines and Health Products (as applicable) for the health sector. Lastly, the National Crisis Centre also plays a role in the implementation of the Belgian NIS 2 Act, in particular with respect to critical infrastructure operators and critical entities (under the upcoming transposition into Belgian law of the Critical Entities Resilience Directive).

In addition, an Information Security Committee composed of two chambers was created by the Act of 5 September 2018 and is competent to grant certain authorizations in relation to the processing and communication of specific categories of personal data (national registry number, health data).

Lastly, it is worth noting that the BIPT, in addition to its new role as sectoral authority under the Belgian NIS 2 Act, oversees, among other things, compliance with the Electronic Communication Act (including notification of incidents by telecommunication operators).

How active is each of the regulator(s)?

Last reviewed: January 2025

Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last reviewed: January 2025

Belgian Data Protection Authority

The processing of sensitive personal data, the lawfulness of processing, transfers of personal data outside the EEA, the processing of biometric data, and the online collection of personal data using cookies and similar technologies (especially in the context of the adtech industry and Artificial Intelligence systems) have recently been subject to particular scrutiny by the Belgian Data Protection Authority.

On 12 December 2019, the Belgian Data Protection Authority published a draft Strategic Plan 2019-2025, highlighting its priorities and areas of focus, which include the following five main sectors: telecommunications and media, public authorities, direct marketing, education, and SMEs. Three important societal topics also receive particular attention from the authority: online data, sensitive data and images/CCTV.

Lastly, the Belgian Data Protection Authority has released its 2025 management plan (available in French and Dutch), which outlines its key areas of enforcement for 2025: the position of the Data Protection Officer ("DPO") (including whether a DPO has been correctly appointed and whether the DPO in practice has sufficient time and resources to properly perform its tasks), direct marketing (especially the involvement of data brokers), transparent and accessible information about data processing activities, cookies (including investigations based on the Cookie Checklist recently released by the Belgian Data Protection Authority) and personal data processing in the school environment (especially with respect to “smart” applications).

The Centre for Cybersecurity Belgium (CCB)

In its 2021-2025 cybersecurity strategy, the CCB outlines its priorities, including strengthening the digital environment and increasing confidence in it, protecting organizations against all cyber threats (e.g. ransomware and DDoS attacks), responding to cyber threats, improving public, private and academic collaboration and establishing a clear commitment to international cooperation. Over the next 12 months, the CCB's main focus is likely to be on the enforcement and implementation of the NIS 2 legal framework in Belgium (e.g. compliance with the registration obligation; identification of entities as essential or important entities; annual cybersecurity certification reviews for essential entities). The CCB is currently working on a new document outlining its strategy for the period 2025-2030, which should provide more insight into its future priorities.

Belgian Institute for Postal Services and Telecommunications

The Belgian Institute for Postal Services and Telecommunications has released a strategic plan for 2024-2026 and held a public consultation on its 2025 operational plan, open until 6 January 2025. The BIPT's strategic priorities are competition and market development (fostering innovation and sustainable development), user interests (including transparency of information, social inclusiveness and safeguarding of users’ rights), security of digital infrastructures (such as ensuring a reliable and safe digital environment and overseeing the implementation of the NIS 2 Act and its registration obligation), effective control, monitoring and support, and efficient operation. The draft 2025 operational plan indicates that the BIPT will pay particular attention in 2025 to, among other things, product cybersecurity compliance (in light of the future application of the Cyber Resilience Act), implementation of the Data Act, and the identification and supervision of critical infrastructure in the digital infrastructure sector.

In 2024, the BIPT was also appointed as the competent authority for the enforcement of the DSA in Belgium with respect to federal competences. It is therefore expected that the BIPT will invest in this role in the coming years.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last reviewed: January 2025

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

         Staying the same

Direct enforcement by the Belgian Data Protection Authority remains stable and is usually triggered by investigations following data subjects’ complaints or data breach notifications. With the recent transposition of the NIS 2 Directive into Belgian law, direct enforcement by the Belgian Centre for Cybersecurity and/or the competent sectoral authorities is expected to start in 2025, although the authorities are first focusing on providing organizations with tools to support their compliance efforts.

Class actions/group actions under data or cyber regulation are:

         Staying the same

Collective redress actions may be initiated by authorized Belgian consumer group representatives under Title 2 of Book XVII of the Belgian Economic Law Code for alleged infringements of the GDPR and the Belgian Data Protection Act of 30 July 2018. Collective redress actions are, however, not currently possible for alleged infringements of the Belgian NIS 2 Act.

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last reviewed: January 2025

There are:

☒         administrative remedies /civil penalties applied by regulators and law enforcement

Non-compliance with the GDPR may lead to administrative fines of up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In accordance with Art. 221 of the Belgian Data Protection Act of 30 July 2018, Art. 83 of the GDPR (administrative fines) does not apply to public authorities and their servants or agents, except where these are legal persons governed by public law that offer goods or services on a market.

Other sanctions for GDPR non-compliance are possible, such as warnings, reprimands, orders to comply, orders to communicate a personal data breach to the data subject, temporary or definitive limitation of (including a ban on) processing, withdrawal of certification, and orders to suspend data flows.

Non-compliance with the Belgian NIS 2 Act may lead to fines of up to €10,000,000 or 2% of the total annual worldwide turnover for essential entities and up to €7,000,000 or 1.4% of the total annual worldwide turnover for important entities. In addition, warnings and corrective administrative measures may be imposed. Specific infringements of the Belgian NIS 2 Act may lead to direct liability of management bodies and, for management bodies of essential entities only, even temporary prohibitions to exercise managerial responsibilities.

☒         criminal penalties from regulators and law enforcement

Criminal sanctions (fines from EUR 2,000 to EUR 240,000) may be imposed on data controllers, processors or persons acting under their authority under Articles 222 to 230 of the Belgian Data Protection Act in case of violation of certain provisions of that Act (such as where personal data are processed without a legal basis or in violation of the principles relating to the processing of personal data; a corrective measure imposed by the Belgian Data Protection Authority is not complied with; personal data have been transferred to a third country in violation of the applicable appropriate safeguards or derogations; a certification has been obtained on the basis of false documents, etc.).

         private remedies

In case of alleged GDPR infringement, individuals may, for example:

  • lodge complaints with the data protection authorities
  • claim compensation for the damage suffered in accordance with the rules on contractual or extra-contractual liability (Art. 82 GDPR and Art. 216 Belgian Data Protection Act)
  • mandate a non-profit body, organization or association to lodge a complaint on their behalf and to exercise administrative or judicial remedies on their behalf, either before the competent supervisory authority or before the courts, as provided for in special legislation, the Judicial Code and the Code of Criminal Procedure (Art. 220 Belgian Data Protection Act)
  • bring an action for an injunction before the president of the court of first instance, in summary proceedings (Art. 209 Belgian Data Protection Act)
  • bring an action against controllers or processors in case of infringement of their GDPR rights (Art. 79 GDPR)

If data subjects have private remedies, what form can these remedies take?

Last reviewed: January 2025

☒         individual personal actions

         representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)