Security of networks and information systems

Telecom Act

By “Telecom Act” we mean the Act of 13 June 2005 on electronic communications. 

The operators have to:

• analyse the risks regarding the security of their networks and services (Article 107/2, § 1, subparagraph 1). See the section on the risk analysis below;
• take appropriate and proportionate technical and organisational measures, including encryption if applicable, to appropriately manage the risks as well as to prevent and minimise the impact of security incidents both on users and other networks and services (Article 107/2, § 1, subparagraph 2);
• take all the necessary measures, including preventive ones, to ensure the fullest possible availability of voice communications services and internet access services in the event of exceptional network breakdown or in cases of force majeure (Article 107/2, § 3).

An operator must notify (see also section “Practical information”): 

• the BIPT in case of a particular and significant threat of a security incident in a public electronic communications network or a publicly available electronic communications service, and inform their users potentially affected by such a threat (Article 107/3, § 1);
• the BIPT in case of a security incident that has had a significant impact on the operation of the networks or services. What is meant by “significant impact” and the procedures of notification were clarified in the Decision of 14 December 2017 (see section “Practical information”);
• the Belgian data protection authority in case of a breach of personal data which were transferred, stored or processed in a different way in connection with the provision of electronic communications services. That authority shall inform the BIPT without delay. In some cases, the subscriber concerned by the breach must also be informed. The BIPT and the Belgian data protection authority discuss together concerning the management of the incident (Article 107/3, §§ 3 and 4).

In addition to the Act on the status of the BIPT (Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors), the legal framework is the following:

• Articles 2, 68°; 107/2 to 107/4 of the Telecom Act;
• The Commission Regulation (EU) of 24 June 2013 on the measures applicable to the notification of personal data breaches;
• BIPT Decision of 14 december 2017 regarding the thresholds and terms and conditions for reporting of security incidents within the electronic communications sector. 

NIS Act

By “NIS Act” we mean the Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety.

In order to implement this Act the BIPT has been designated as the sectoral authority and inspection service responsible for the digital infrastructure sector. This sector includes at least the following entities: the IXPs (Internet exchange points), the DNS service providers and the registers of top-level domain names.

One of the missions of the sectoral authority is to designate the operators of essential services (OES) of its sector, in consultation with the Centre for Cybersecurity Belgium (CCB) and the Crisis Centre of the FPS Internal Affairs (NCCN).

The NIS Act lays down obligations on the OES regarding security measures (Articles 20 to 23), incident notification (Articles 24 and 25, also see section “Practical information), and audit (Article 38).

An entity of the digital infrastructure sector operating in Belgium and which has not been designated by the BIPT as an OES may notify, on a voluntary basis, any incident with a significant impact on the continuity of the services it provides (see section “Practical information”). This voluntary notification does not result, for the notifying entity, in obligations to which it would not have been subjected, had it not made the notification. While handling notifications, the CCB, the BIPT and the NCCN may give priority to mandatory notifications imposed by the NIS Act against voluntary notifications. Voluntary notifications are only handled when their handling does not create a disproportionate or unnecessary burden on the above-mentioned authorities.

The legal framework is the following:

• Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors; 
• Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety; 
• Royal Decree of 12 July 2019 implementing the Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety and the Act of 1 July 2011 on the security and protection of critical infrastructures;
• Royal Decree of 15 December 2021 establishing the identification cards of the statutory agents and contractual agents of the Belgian Institute for Postal Services and Telecommunications.

You will find more information on the CCB website.

Risk analysis

The BIPT has implemented a risk analysis tool regarding the security of networks and information systems, SERIMA.be (which stands for Security Risk Management).

The BIPT intends to ask certain telecom operators and operators of essential services (OES) it has designated based on the NIS Act to submit an annual risk analysis via this platform.

The other telecom operators may use the platform upon request to the BIPT. More information is available in the communication of 5 July 2022 on risk analyses regarding the security of networks and information systems (see section “Documents”). 

Critical Infrastructures Act 

By “Critical Infrastructures Act” we mean the Act of 1 July 2011 on the security and protection of critical infrastructures. 

In order to implement this Act, the BIPT has been designated as the sectoral authority and inspection service responsible for the electronic communications sector (including the digital infrastructures sector). 

As a sectoral authority, the BIPT must designate critical infrastructure operators within its sector and identify their critical infrastructures, and this in consultation with the Crisis Centre of the FPS Internal Affairs (NCCN) and the Centre for Cybersecurity Belgium (CCB). 

The main obligation of a critical infrastructure operator (see Article 13 of the Act) is to design and implement a security plan, which includes at least the permanent internal security measures (applicable in all circumstances) and graduated internal security measures (to be applied depending on the threat).

The operator must report any event which may threaten the security of the critical infrastructure (see Article 14 of the same Act).

The BIPT conducts inspections of the critical infrastructures. 

The legal framework is the following: 

• Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors; 
• Act of 1 July 2011 on the security and protection of critical infrastructures; 
• Royal Decree of 27 May 2014 implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures; 
• Royal Decree of 14 June 2017 appointing for the electronic communications sector the inspection service established by the Act of 1 July 2011 on the security and protection of critical infrastructures; 
• Royal Decree of 15 December 2021 establishing the identification cards of the statutory agents and contractual agents of the Belgian Institute for Postal Services and Telecommunications.

Act on security advices 

By “Act on security advices” we mean the Act of 11 December 1998 on classification and security clearances, security certificates and security advices. 

To implement this Act, the BIPT has been designated as the competent authority for the “electronic communications and digital infrastructures sector”, except for the security advices for the members of the telecom operators’ (Justice) coordination cell. The Minister of Justice is the competent administrative authority for these advices. 

The BIPT has the responsibility, as the competent administrative authority, to propose to the ANS (“Autorité nationale de sécurité” or National Seucurity Authority) the positions which should be subject to a security advice as well as the operators to which this measure is applicable. The ANS takes the decision in this matter. Once the decision is taken, the advice requests must be transmitted via the BIPT.  

The legal framework is the following: 

• Act of 11 December 1998 on classification and security clearances, security certificates and security advices; 
• Act of 11 December 1998 establishing an appeal body regarding security clearances, security certificates and security advices; 
• Royal Decree of 24 March 2000 implementing the Act of 11 December 1998 on classification and security clearances, security certificates and security advices; 
• Royal Decree of 8 May 2018 laying down the areas of activity and the competent administrative authorities referred to in Article 22quinquies, § 7, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices; 
• Royal Decree of 8 May 2018 laying down the list of data and information which may be accessed within the framework of a security check;
• Royal Decree of 8 May 2018 laying down the payments for security clearances, security certificates and security advices issued by the National security authority and for the security certificates issued by the Federal Agency for Nuclear Control, as well as the distribution keys referred to in Article 22septies, subparagraphs 6 and 8, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices.

Federal emergency phase 

The website of the National Crisis Center (NCCN) summarises the actions taken by the 4 committees that are activated following the activation of the federal emergency phase as follows: 

“During a federal phase, the Minister of the Interior is in charge. When a Minister declares a federal phase, four different committees come together:

• The evaluation committee collects information, evaluates the situation and gives advice to COFECO. This committee is composed of experts and scientists from the various competent authorities or services.
• The Federal Coordination Committee or COFECO assesses the situation and its evolution, proposes measures to protect the population to the policy committee and distributes available supra-local resources. This committee is composed of representatives of disciplines and public services.
• The policy committee endorses the measures proposed by COFECO. This committee is composed of the competent ministers. They have the power to adopt measures and bear the political responsibility for them.
• The information committee communicates about the measures. This committee is made up of the Communications Officers or spokespersons of the departments involved.

The Federal Coordination Committee is always in contact with the provincial crisis cell(s) and departmental or regional crisis centres, which implement the decisions within their own areas of competence.” 

An assessment cell (CELEVAL) has been established for the telecoms sector (“CELEVAL telecoms”). The composition of this cell depends on the type of incident. It generally includes, among others, the telecom operators concerned, the Centre for Cybersecurity Belgium (CCB), the FPS Economy, the BIPT, the National Crisis Center (NCCN), the A.S.T.R.I.D. limited company, the Federal Police and the Directorate-General Civil Security. The BIPT chairs this cell. 

COFECO is chaired by the National Crisis Center (NCCN) and includes, among others, the BIPT if telecom elements are discussed in this cell. 

The BIPT, as chair of CELEVAL telecoms, is responsible for: 

• Reporting to COFECO on the situation of the whole telecoms sector; 
• Following up COFECO’s requests to the telecoms sector.

The legal framework applicable to the federal phase is point 4.4. of the annex to the Royal Decree of 31 January 2003 establishing the emergency plan for crisis events and situations requiring nationwide coordination or management.