Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last reviewed: January 2025

Yes. Please refer to the EU Chapter of the Global Data & Cyber Handbook for obligations under applicable EU legislation, including the GDPR.

☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

Art. 5(1)(f) and 32 GDPR.

☒ obligation to take specific security measures e.g., encryption

Not a strict legal requirement, but encryption is cited by the GDPR as an example of an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify its absence. Based on guidance from the Belgian Data Protection Authority and best practices, the processing of sensitive data, including health-related data, should be protected by appropriate encryption methods, both in transit and at rest.

☒ requirement to undertake third party due diligence (security assessment of third party providers)

Under Art. 28 GDPR, data controllers must only use processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the GDPR requirements. Although undertaking processor due diligence is not a GDPR requirement as such, it is strongly recommended as the data controller may be held liable in case the data processor does not comply with GDPR requirements, including data security requirements.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last reviewed: January 2025

☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)

Some public companies may qualify as important or essential entities and fall within the scope of the Belgian NIS 2 Act, which covers, inter alia, the electricity, oil, gas, railway transport, road transport, healthcare and drinking water sectors.

They may also qualify as critical infrastructure operators and fall within the scope of the Belgian Critical Infrastructures Act of 1 July 2011, which covers the energy, transport, healthcare and drinking water sectors.

☒ network information security requirements (broader than telecommunications)

Specific network information security requirements (including the implementation of appropriate and proportionate technical, operational and organizational measures to manage network security risks, incident notification requirements) apply to companies qualifying as essential or important entities and falling within the scope of the Belgian NIS 2 Act. Further network information security requirements apply to companies qualifying as critical infrastructure operators (thus falling within the scope of the Belgian Critical Infrastructures Act).

☒ health regulatory requirements

Healthcare providers may qualify as essential or important entities within the meaning of the Belgian NIS 2 Act. They may also qualify as critical infrastructure operators and fall within the scope of the Belgian Critical Infrastructures Act of 1 July 2011, which covers the healthcare sector.

☒ financial services requirements

Credit institutions and financial market infrastructures qualify as essential or important entities within the meaning of the Belgian NIS 2 Act. They may also qualify as critical infrastructure operators and fall within the scope of the Belgian Critical Infrastructures Act of 1 July 2011, which covers the financial sector.

Payment service providers in the financial sector are also subject to the Second Payment Services Directive as implemented into the Belgian Act of 11 March 2018 on the statute and supervision of payment institutions and electronic money institutions, access to the business of payment service providers and to the activity of issuing electronic money, and access to payment systems ("PSD2" Act). The PSD2 Act lays down specific cybersecurity obligations, including implementing appropriate security measures for identification and authentication of clients, performing detailed analysis of operational and security risks and incident notification requirements.

Please refer to the EU Chapter of the Global Data & Cyber Handbook for obligations under applicable EU laws, including the DORA Regulation.

☒ telecommunication requirements

Under the Belgian Electronic Communications Act, which transposes the European Electronic Communications Code, digital infrastructure providers must analyze the risks to the security of their networks and information systems. Specific security obligations apply to digital infrastructure providers in the event of a significant cyberthreat (Art. 107/2 to 107/5).

Providers of digital infrastructures (including providers of public electronic communications networks) are also subject to the Belgian NIS 2 Act, which imposes specific cybersecurity requirements.

☒ providers of critical infrastructure

The Belgian Critical Infrastructures Act of 1 July 2011 lays down security requirements for critical infrastructures operators, such as the elaboration of a security plan, as well as incident notification requirements.

☒ digital or connected (IoT) products

Please refer to the EU Chapter of the Global Data & Cyber Handbook for obligations under applicable EU laws, including the upcoming Cyber Resilience Act.

☒ other

The Belgian NIS 2 Act applies to important and essential entities active in various sectors and lays down security requirements as well as incident notification requirements.

Furthermore, Art. 19a and 24 of the eIDAS Regulation and Art. XII.27 and XII.28 of the Belgian Economic Law Code require qualified and non-qualified trust service providers as well as qualified and non-qualified electronic archiving service providers to take appropriate technical and organizational measures to manage the risks posed to the security of the services they provide.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

☒ Data privacy

In its information brochure on Artificial Intelligence Systems and the GDPR, the Belgian DPA analyses how the security requirements set forth by the AI Act build upon and enhance the GDPR data security requirements, in light of the specific risks flowing from AI systems, especially when processing sensitive personal data.

Based on publicly available information, the Belgian Data Protection Authority issued at least seven (7) decisions in 2024 relating to alleged infringements of data security requirements. The Authority notably published a warning statement on 21 August 2024 following a reported significant data breach involving users of a major instant messaging app provider: approximately 3.2 million phone numbers and user IDs had been collected and put up for sale on a forum, exposing users to cybersecurity risks. The DPA called on users to be vigilant, recommending that they treat calls or messages from unknown senders as potential phishing, avoid sharing sensitive information, and enable two-factor authentication.

☒ financial services

The National Bank of Belgium (which is the competent sectoral authority for financial institutions) issued in July 2024 its Financial Market Infrastructures and Payment Services Report 2024, which provides an overview of the National Bank's oversight and supervision activities. It follows from this report that the cyber resilience of critical market infrastructures and financial institutions, as well as the successful implementation of the DORA Regulation (cybersecurity) requirements, is currently a key priority for the National Bank of Belgium.

☒ telecommunications

In its 2024 operational report (available in French and Dutch), the BIPT indicated that cybersecurity was a central objective, with particular emphasis placed on the inspection of critical infrastructures, the notification of security incidents, the conducting of risk analyses and the reporting of results, and the enhancement of telecommunications resilience in the event of a power cut.

☒ critical infrastructure

In a document from Digital Wallonia on cybersecurity in the health sector (available in French), the Centre for Cybersecurity Belgium mentioned the increasing number of cyberattacks on Belgian hospitals and the crucial role of the CCB in addressing these threats. The CCB, particularly its Cyber Emergency Response Team (CERT), provides essential support to hospitals by helping them anticipate, detect, and respond to cyber incidents. The contribution highlights the vulnerabilities in hospital infrastructure, such as outdated systems and insufficient security measures, and emphasizes the need for improved resilience strategies to protect sensitive health data.

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last reviewed: January 2025

Yes

"Personal data breach" is defined under the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Controllers/Owners have to notify:

Last reviewed: January 2025

data protection authorities

Under the GDPR:

  • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • without undue delay and, where feasible, not later than 72 hours after having become aware of it

Also note that according to Art. 19a and 24 of the eIDAS Regulation and Art. XII.27 and XII.28 of the Belgian Economic Law Code, qualified and non-qualified trust service providers as well as qualified and non-qualified electronic archiving service providers must, without undue delay but in any event within 24 hours after having become aware of it, notify the supervisory body (in Belgium, the Federal Public Service of Economy) and, where applicable, other relevant bodies, including the Belgian Data Protection Authority, of any breach of security or loss of integrity that has a significant impact on the service provided or on the personal data maintained therein.

cybersecurity authorities

Under the Belgian NIS 2 Act, incident notifications to the competent authorities described below are in addition to the required notification to the Belgian Data Protection Authority in the event of a personal data breach. Two separate notifications will be required. However, the law provides for closer collaboration between the national cybersecurity authority and the data protection authorities, with the potential to develop common tools.

affected individuals

Under the GDPR:

  • without undue delay
  • if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
    • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption
    • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize

Also note that as per Art. 19a and 24 of the eIDAS Regulation and Art. XII.27 and XII.28 of the Belgian Economic Law Code, where a breach of security or loss of integrity (which may involve personal data) is likely to adversely affect a natural or legal person to whom the trusted service or the electronic archiving service has been provided, the trust service provider or the electronic archiving service provider must also notify the natural or legal person of the breach of security or loss of integrity without undue delay.

other

Where communication to the data subjects would involve disproportionate effort, a public communication or similar measure whereby the data subjects are informed in an equally effective manner is made instead of informing each data subject individually. See section "Are there any additional sector-specific or non-personal data security breach notification requirements?" for further obligations.

Processors/Agents have to notify:

Last reviewed: January 2025

controller / owner

  • in case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
  • without undue delay after becoming aware of it

others

See section "Are there any additional sector-specific or non-personal data security breach notification requirements?" for further obligations.

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last reviewed: January 2025

Yes.

☒ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)

To the extent they qualify as important or essential entities under the NIS 2 Act or as critical infrastructure operators.

☒ cybersecurity authorities

☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

☒ financial services requirements

☒ telecommunication requirements

☒ providers of critical infrastructure

☒ other

  • Obligation for anyone to inform the public prosecutor about an attempt to harm - or about actual harm to - public security, or a person's life or property (Art. 30 of the Belgian Criminal Investigation Code).
  • Obligation for the controller to notify data breaches to any customer and/or authorities in accordance with the Belgian civil law principles of good faith and fairness and the general duty of care (Art. 6.5 and seq. of the Belgian New Civil Code).
  • Obligation for essential or important entities under the Belgian NIS 2 Act to notify the competent authority without undue delay when they become aware of a significant incident. An incident is considered significant if it substantially impacts the provision of essential or important services, causing severe operational disruption or financial loss.
  • Obligation for critical infrastructure operators to immediately notify the police services ("SICAD"), via the emergency numbers 101 or 112, the service designated by the sectoral authority and the National Crisis Center when an event occurs that may threaten the security of the critical infrastructure (Art. 14 of the Critical Infrastructures Act).
  • Obligation for digital infrastructure providers to inform the Belgian Institute for Postal Services and Telecommunications ("BIPT") of a significant cyberthreat, of any protective or remedial action that its users may take, and of the measures it has taken or intends to take (Art. 107/3 Belgian Electronic Communications Act).
  • Obligation for qualified and non-qualified trust service providers as well as qualified and non-qualified electronic archiving service providers to notify, without undue delay but in any event within 24 hours after having become aware of it, the supervisory body (in Belgium, the Federal Public Service of Economy) and, where applicable, other relevant bodies of any breach of security or loss of integrity that has a significant impact on the service provided or on the personal data maintained therein.

Details regarding the identified data security breach notification requirements

  • Limited notification obligation for providers of electronic communication services (Art. 107/3, §3 of the Act of 13 June 2005 on Electronic Communications)

This notification obligation applies to operators of electronic communication services (i.e. a person or company that provides a public electronic communications network or a publicly available electronic communications service, e.g., telecom operators, mobile phone communication services providers, internet access providers, etc.).

In case of a personal data breach (i.e., a breach of security leading accidentally or unlawfully to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of publicly available electronic communications services), operators of electronic communication services must notify the Belgian Data Protection Authority without undue delay, which will in turn notify the BIPT without undue delay. The notification to the Belgian Data Protection Authority shall, in addition to the minimum information to be contained in the notification to the subscriber or individual concerned (see below), describe the consequences of the personal data breach and the remedial measures suggested or taken by the operator of electronic communication services.

Besides, where the personal data breach is likely to adversely affect a subscriber or individual's personal data or private life, the operator of electronic communication services shall notify the subscriber or individual concerned without undue delay. The notification to the subscriber or individual shall at least describe the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach.

Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider demonstrates, to the satisfaction of the BIPT, that it has implemented appropriate technical protection measures, and that those measures were applied to the data concerned by the security breach. Such technical protection measures shall render the data unintelligible to any person who is not authorized to access it.

Without prejudice to the obligation of the operator of the electronic communications services to inform the subscribers and individuals concerned, if such operator has not already notified the subscriber or individual of the personal data breach, the BIPT may, at the request of the Belgian Data Protection Authority, after examining the potentially negative effects of such breach, require it to do so.

Failure to comply would result in liability in case such failure would contribute, directly or indirectly, in whole or in part, to harm to the affected individual(s) or any person holding an interest in the data which has been breached.

NIS 2 Reporting Obligation

Under the NIS 2 Act, the notification process comprises several stages, namely:

  • obligation to submit an early warning without undue delay and, in any event, within 24 hours of becoming aware of the significant incident;
  • obligation to submit an incident report without undue delay and, in any event, within 72 hours (24 hours for trust service providers) of becoming aware of the significant incident (at the request of the national CSIRT or, where appropriate, the competent sectoral authority, the entity is required to submit an intermediate report);
  • obligation to submit a final report no later than one month after submission of the incident report; if the incident is still ongoing at the time the final report is submitted, the entity concerned is required to submit an additional report once the incident has been handled.

In addition, the entities concerned must inform the recipients of their services of significant incidents that may affect the provision of those services. Where the services may be affected by a significant cyber threat, they must also inform the recipients of any measures or remedies the recipients can take in response to that threat and, where appropriate, of the cyber threat itself.

  • Obligation to inform the public prosecutor about an attempt to harm - or about actual harm to - public security, or a person's life or property (Art. 30 of the Belgian Criminal Investigation Code)

This provision requires anyone who knows about an attempt to harm - or about actual harm to - public security, or a person's life or property, to immediately inform the public prosecutor thereof; this may then apply to a hacking incident consisting in (or being part of) an attempt to harm (or actual harm to) a person's life or property (including data).

This provision does not itself require the affected individuals to be notified.

Failure to comply would result in civil liability if such failure contributes, directly or indirectly, in whole or in part, to harm to the affected individual.

  • Obligation for the controller to notify data breaches to any customer and/or authorities in accordance with the Belgian civil law principles of good faith and fairness and the general duty of care (Art. 6.5 and seq. of the Belgian New Civil Code)

In accordance with the Belgian civil law principles of good faith and fairness in contractual relationships, as well as the general duty of care, a controller or a processor should inform its customers or other persons affected (or even the public at large, e.g., for the sake of reaching a large audience when it is not possible to identify precisely the persons affected), and/or authorities of a data breach, where such information could help in mitigating the prejudice suffered by customers or third parties, if any, or address the consequences of a data breach. This notification duty is not limited to personal data and could apply to any type of data or customer (such as data pertaining to legal entities).

The scope and timing of such information mainly depend on what is necessary, in light of the circumstances of the case, to allow the affected individuals or third parties to take any appropriate measures to mitigate or to avoid their (potential) prejudice.

Failure to comply with the general duty of care provisions or principles would result in liability if such failure contributes, directly or indirectly, in whole or in part, to harm to the affected individual.

  • Obligation for qualified and non-qualified trust service providers as well as qualified and non-qualified electronic archiving service providers to notify the supervisory body (in Belgium, the Federal Public Service of Economy) and, where applicable, other relevant bodies of any breach of security or loss of integrity (Art. 19a and 24 eIDAS Regulation and Art. XII.27 and XII.28 of the Belgian Economic Law Code)

Qualified and non-qualified trust service providers as well as qualified and non-qualified electronic archiving service providers must, without undue delay but in any event within 24 hours after having become aware of it, notify the supervisory body (in Belgium, the Federal Public Service of Economy) and, where applicable, other relevant bodies, such as the competent national body for information security or the Belgian Data Protection Authority, of any breach of security or loss of integrity that has a significant impact on the service provided or on the personal data maintained therein.

Where the breach of security or loss of integrity is likely to adversely affect a natural or legal person to whom the service has been provided, the trust service provider and electronic archiving service provider must also notify the natural or legal person of the breach of security or loss of integrity without undue delay.

Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the notified supervisory body will inform the supervisory bodies in other Member States concerned and ENISA.

The notified supervisory body will inform the public, or require the trust service provider or the electronic archiving service provider to do so, where it determines that disclosure of the breach of security or loss of integrity is in the public interest.