New security obligations for companies

On 18 October 2024, the Belgian NIS2-law entered into force. This law, the implementation of the NIS2-directive, aims to strengthen cybersecurity in critical industries. This blog post gives an indication as to who is in scope for this law.

1.  Fines and liability of board members

The NIS2 law concerns important and essential entities. An entity refers to either a natural or legal person. If an entity is considered important or essential, they will have to adhere to obligations in the NIS2-law. This includes taking cybersecurity measures, reporting significant cybersecurity incidents, and organizing training. Important and essential entities are also required to register with the Centre for Cybersecurity Belgium (CCB) by mid-March 2025. Failure to meet these obligations could lead to fines or liability of board members or representatives. The obligations for essential entities are more far-reaching than those for important entities. It is thus crucial to know what entities are in scope to discover the obligations of any specific entity. The next section will go over essential entities. Afterwards, important entities will be discussed.

2.  Essential entities

Generally, the approach taken in the NIS2-law is based on the economic sector of an entity. Essential entities are often entities of a larger size active in a specific field. Exceptions do exist. In total, there are six different possibilities for an entity to become essential. These will be elaborated below.

The NIS2 law targets companies in certain economic sectors, namely: energy; transportation; financial services; healthcare; water treatment; digital infrastructure; government agencies; and spaceflight. Large enterprises active in these sectors should take a closer look at annex 1 of the NIS2 law to discern whether they are included in the scope of the law, as the law does not cover everyone in these sectors. A large enterprise is an enterprise with more than 250 employees or both a higher annual turnover than 50 million euros and a balance sheet total of more than 43 million euros.

Providers of public electronic communications networks or publicly available electronic communications are also designated as essential entities if the entity has more than 50 employees or an annual turnover and balance sheet which exceed 10 million euros (medium-sized enterprise).

To keep the digital infrastructure more secure, the NIS2 law also denotes trust service providers, top-level domain registries and domain name system (DNS) service providers as essential, regardless of their size.

Federal government agencies are equally labeled as essential entities.

Entities exploiting critical infrastructure in the energy and transport sectors are also included in the category of essential entities, regardless of size. Critical infrastructure is defined as infrastructure which is of great importance for the functioning of society, health, safety or economic welfare.

Finally, the CCB can choose to designate any entity as essential. This way, the CCB can expand the scope of the law.

3.  Important entities

Whereas larger entities active in specific sectors are essential, their smaller counterparts are often included in the NIS2-law scope as important. There are three categories of important entities, which will be discussed below.

The first category of important entities concerns entities in the specified sectors of energy, transportation, financial services, healthcare, water treatment, digital infrastructure, government agencies and spaceflight, when they are not essential entities. This is the same list of sectors as the list of sectors for essential entities mentioned above. An entity could be important, and not essential, when they are active in one of these sectors and are a small or medium-sized enterprise, yet do not meet the requirements for a large enterprise.

Additionally, entities in several other sectors are also seen as important. These other sectors are: postal and courier service providers; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing of medical, electronic or electrical equipment; manufacturing of machinery; manufacture of motor vehicles or other transport equipment; digital providers of online marketplaces, search engines or social networking platforms; and research organizations.

Thirdly and finally, the CCB can designate any entity as important. When an entity is not in scope of the law yet still has high societal value, this designation can be used to push this entity to higher cybersecurity standards.

4.  What about (sub)contractors and outsourcing?

The scope of the NIS2-law is broad. Entities active in a slew of sectors have new or more rigid cybersecurity obligations, ranging from healthcare to waste management to social media. Additionally, even in cases where a company is not itself in scope of the NIS2-law, their business partners may require them to implement higher cybersecurity standards on a contractual basis. This stems from the obligation of important and essential entities to have cybersecurity measures throughout the supply chain. To ensure compliance and avoid high fines, it is crucial to review whether an entity is in scope and to take appropriate action.

Timelex provides in-depth expertise in assisting organizations with cybersecurity compliance. If you have inquiries or require assistance, please feel free to reach out to us (edwin.jacobs@timelex.eu).

Edwin Jacobs  -  Wout Platteau