Security of networks and information systems

Telecom Act

By “Telecom Act” we mean the Act of 13 June 2005 on electronic communications. 

The Telecom Act (see Article 114) defines the security measures the telecom operators must take to ensure the continued operation of their networks and services and to protect (personal) data which are processed within the framework of the provision of these networks and services.

Pursuant to Article 114/1 a telecom operator must notify (see also section “Practical information”): 

• The BIPT in case of a particular risk of network security breach;
• The BIPT of a security breach or loss of integrity that has had a significant impact on the operation of its networks or services. What is meant by “significant impact” and the procedures of notification were clarified in the BIPT Council Decision of 14 December 2017 (see section “Practical information”);
• The Belgian data protection authority in case of a breach of personal data which were transferred, stored or processed in a different way in connection with the provision of electronic communications services. That authority shall inform the BIPT without delay. In some cases, the subscriber concerned by the breach must also be informed. The BIPT and the Belgian data protection authority discuss together concerning the management of the incident.

In addition to the Act on the status of the BIPT (Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors), the legal framework is the following:

• Articles 2, 68°; 114 to 114/2 of the Telecom Act;
• The Commission Regulation (EU) of 24 June 2013 on the measures applicable to the notification of personal data breaches;
• BIPT Decision of 14 december 2017 regarding the thresholds and terms and conditions for reporting of security incidents within the electronic communications sector. 

NIS Act

By “NIS Act” we mean the Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety.

In order to implement this Act the BIPT has been designated as the sectoral authority and inspection service responsible for the digital infrastructure sector. This sector includes at least the following entities: the IXPs (Internet exchange points), the DNS service providers and the registers of top-level domain names.

One of the missions of the sectoral authority is to designate the operators of essential services (OES) of its sector, in consultation with the Centre for Cybersecurity Belgium (CCB) and the Crisis Centre of the FPS Internal Affairs (NCCN).

The NIS Act lays down obligations on the OES regarding security measures (Articles 20 to 23), incident notification (Articles 24 and 25, also see section “Practical information), and audit (Article 38).

An entity of the digital infrastructure sector operating in Belgium and which has not been designated by the BIPT as an OES may notify, on a voluntary basis, any incident with a significant impact on the continuity of the services it provides (see section “Practical information”). This voluntary notification does not result, for the notifying entity, in obligations to which it would not have been subjected, had it not made the notification. While handling notifications, the CCB, the BIPT and the NCCN may give priority to mandatory notifications imposed by the NIS Act against voluntary notifications. Voluntary notifications are only handled when their handling does not create a disproportionate or unnecessary burden on the above-mentioned authorities.

The legal framework is the following:

• Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors; 
• Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety; 
• Royal Decree of 12 July 2019 implementing the Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety and the Act of 1 July 2011 on the security and protection of critical infrastructures.

You will find more information on the CCB website.

Risk analysis

The BIPT has implemented a risk analysis tool regarding the security of networks and information systems via the online platform SERIMA.be (which stands for Security Risk Management).

The BIPT intends to ask certain telecom operators and operators of essential services (OES) it has designated based on the NIS Act to submit an annual risk analysis via this platform.

The other telecom operators may use the platform upon request to the BIPT. More information is available in the draft communication of the BIPT on risk analyses regarding the security of networks and information systems (see section “Documents”). 

Critical Infrastructures Act 

By “Critical Infrastructures Act” we mean the Act of 1 July 2011 on the security and protection of critical infrastructures. 

In order to implement this Act, the BIPT has been designated as the sectoral authority and inspection service responsible for the electronic communications sector (including the digital infrastructures sector). 

As a sectoral authority, the BIPT must designate critical infrastructure operators within its sector and identify their critical infrastructures, and this in consultation with the Crisis Centre of the FPS Internal Affairs (NCCN) and the Centre for Cybersecurity Belgium (CCB). 

The main obligation of a critical infrastructure operator (see Article 13 of the Act) is to design and implement a security plan, which includes at least the permanent internal security measures (applicable in all circumstances) and graduated internal security measures (to be applied depending on the threat).

The operator must report any event which may threaten the security of the critical infrastructure (see Article 14 of the same Act).

The BIPT conducts inspections of the critical infrastructures. 

The legal framework is the following: 

• Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors; 
• Act of 1 July 2011 on the security and protection of critical infrastructures; 
• Royal Decree of 27 May 2014 implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures; 
• Royal Decree of 14 June 2017 appointing for the electronic communications sector the inspection service established by the Act of 1 July 2011 on the security and protection of critical infrastructures; 
• Royal Decree of 3 December 2017 pertaining to the setting of the model of the identification card referred to in Article 24, paragraph 3, of the Act of 1 July 2011 on the security and protection of critical infrastructures for the electronic communications sector.

Act on security advices 

By “Act on security advices” we mean the Act of 11 December 1998 on classification and security clearances, security certificates and security advices. 

To implement this Act, the BIPT has been designated as the competent authority for the “electronic communications and digital infrastructures sector”, except for the security advices for the members of the telecom operators’ (Justice) coordination cell. The Minister of Justice is the competent administrative authority for these advices. 

The BIPT has the responsibility, as the competent administrative authority, to propose to the ANS (“Autorité nationale de sécurité” or National Seucurity Authority) the positions which should be subject to a security advice as well as the operators to which this measure is applicable. The ANS takes the decision in this matter. Once the decision is taken, the advice requests must be transmitted via the BIPT.  

The legal framework is the following: 

• Act of 11 December 1998 on classification and security clearances, security certificates and security advices; 
• Act of 11 December 1998 establishing an appeal body regarding security clearances, security certificates and security advices; 
• Royal Decree of 24 March 2000 implementing the Act of 11 December 1998 on classification and security clearances, security certificates and security advices; 
• Royal Decree of 8 May 2018 laying down the areas of activity and the competent administrative authorities referred to in Article 22quinquies, § 7, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices; 
• Royal Decree of 8 May 2018 laying down the list of data and information which may be accessed within the framework of a security check;
• Royal Decree of 8 May 2018 laying down the payments for security clearances, security certificates and security advices issued by the National security authority and for the security certificates issued by the Federal Agency for Nuclear Control, as well as the distribution keys referred to in Article 22septies, subparagraphs 6 and 8, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices.