On 3 may 2019, the new ‘NIS legislation’ entered into force. This cybersecurity legislation is the implementation of the European NIS directive of 6 July 2016 and relates to the security of network and information systems of service providers that are considered essential for certain social and economic activities in the country.
Scope of application
The new law is applicable to providers of ‘essential services’ in six different sectors: transport, energy, finance, drinkable water, healthcare and digital infrastructure. Specifically, it concerns the suppliers of electricity, mineral oil and gas. Furthermore, the law states that it also applies to the transport sector, in particular to aviation and transport by rail, water or road. Subsequently, it concerns financial institutions and trading venues, healthcare providers, supply or distribution of drinking water and digital infrastructures (IXP – internet exchange point, DNS service providers and TLD name registries). Finally the law applies to digital services such as cloud computing services, online marketplaces and online search engines.
Essential service providers are considered entities providing services that are essential for the maintenance of critical societal and economic activities using a network- and information system (NIS) and where a potential incident would have a significant disruptive effect on the provision of the service. The competent sectoral government will apply the concept of being an essential service provider in order to determine the relevance of the legislation and to supervise certain providers. Consider, for example, companies such as Telenet, Electrabel or Belfius.
Content of the legislation
In other words, the NIS legislation is applicable to critical infrastructures in Belgium. Those infrastructures have to take strict security measures and a notification obligation to CERT (Computer Emergency Response Team). The underlying motivation can be found in the fact that these entities are more than ever depending on network- and information systems, thereby necessitating a better security. The purpose here is to ensure continuity of these services. The legislation imposes the obligation on providers of essential services to take technical and organizational measures in order to prevent and limit the effects of incidents. These measures need to be adequate and proportional.
The provider is granted a period of 12 months to elaborate a security policy and a period of 24 months to implement this in practice. The standard to be achieved is the ISO/IEC 27001 standard (or equivalent).
In addition, the provider shall appoint a contact point within his company for the security of the network and information system that is available at all times and whose data are communicated to the sectoral government.
A third obligation is a reporting obligation on the part of the national CSIRT, the competent sectoral government and a national monitoring and coordination authority. Financial institutions also have to report incidents to the National Bank of Belgium. The provider shall immediately report all incidents that have a significant impact on the availability, confidentiality, integrity or authenticity of the network- and information systems on which the essential service provided by the provider depend. A Royal Decree will determine what can be understood by “significant consequences”.
The regime for digital service providers deviates partly from the three obligations stated above. Micro and small businesses are excluded from the scope of the legislation. This can be seen as some sort of de minimis threshold (in accordance with Directive 2003/361/EC).
In addition, providers must identify the risks to their network and information systems, at least for the systems they use to offer their services within the European Union. They should also take appropriate and proportional technical and organizational measures. Finally, they should appoint a contact point for computer security while being the subject to a similar reporting obligation.
In order to keep an eye on the provider’s compliance with the new legislation, an inspection service for every sector or subsector will be appointed. These inspection services can perform checks at any time to verify that providers are complying with the essential services of the security measures and the incident reporting rules. Experts can also be called in during this check.
When a provider of essential services violates the law or its implementing decrees, the inspection service will notify this provider of its obligations within a certain period. If the provider does not respond to the notice of default, an official report will be drawn up, which has probative value. The breaches of legislation can also give rise to criminal or administrative sanctions.
Relation to the GDPR
The NIS legislation can be distinguished from the GDPR. NIS concerns the security of network and information systems as well as the digital data included, while the GDPR focuses on the processing of personal data. Data protection and security go hand in hand, but are not the same. Digital data is a much broader concept than personal data. Conversely, the GDPR does apply to non-digital data, such paper employee records where NIS does not apply. The scope of application of the NIS law is limited to certain sectors, while the GDPR has a general scope. There is nevertheless an overlap between the two instruments. Organizations that fall under NIS will usually also qualify as controller in the sense of the GDPR. In addition, a NIS incident can also perfectly constitute a personal data breach. In any case, they both contribute to stronger cybersecurity.
Geschreven door Ester Vandendaele en Laurens Nijs