Security of networks and information systems

Act on electronic communications

By “Act on electronic communications” we mean the Act of 13 June 2005 on electronic communications.

Regarding the notion of “operator”, you will find more information by clicking on this link.

Obligations of all operators

Operators must:

analyse the risks regarding the security of their networks and services (Article 107/2, § 1, subparagraph 1). See the section on the risk analysis below;
take appropriate and proportionate technical and organisational measures, including encryption if applicable, to appropriately manage the risks as well as to prevent and minimise the impact of security incidents both on users and other networks and services (Article 107/2, § 1, subparagraph 2);
take all the necessary measures, including preventive ones, to ensure the fullest possible availability of voice communications services and internet access services in the event of exceptional network breakdown or in cases of force majeure (Article 107/2, § 3).

An operator must notify (see also section “Practical information”):

the BIPT in case of a particular and significant threat of a security incident in a public electronic communications network or a publicly available electronic communications service, and inform their users potentially affected by such a threat (Article 107/3, § 1);
the BIPT in case of a security incident that has had a significant impact on the operation of the networks or services. What is meant by “significant impact” and the procedures of notification were clarified in the Decision of 14 December 2017 (see section “Practical information”);
the Belgian data protection authority in case of a breach of personal data which were transferred, stored or processed in a different way in connection with the provision of electronic communications services. That authority shall inform the BIPT without delay. In some cases, the subscriber concerned by the breach must also be informed. The BIPT and the Belgian data protection authority discuss together concerning the management of the incident (Article 107/3, §§ 3 and 4).

In addition to the Act on the status of the BIPT (Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors), the legal framework is the following:

Articles 2, 68°; 107/2 to 107/4 of the Act on electronic communications;
The Commission Regulation (EU) of 24 June 2013 on the measures applicable to the notification of personal data breaches;
BIPT Decision of 14 december 2017 regarding the thresholds and terms and conditions for reporting of security incidents within the electronic communications sector.

Ministerial authorisation for the provision of a 5G network

The following obligations arise from Article 105 of the Act on electronic communications and the Royal Decree of 16 April 2023 on the ministerial authorisation for the provision of a 5G network (hereafter the “Royal Decree on the ministerial authorisation”).

Obligations for:	Obligations:
the following companies when they provide a 5G network: MNOs (Mobile Network Operators, see definition in Article 2, 89°, of the aforementioned Act); “full” MVNOs (Mobile Virtual Network Operator, see definition in Article 2, 90°, of the aforementioned Act), i.e. MVNOs owning certain network elements; the A.S.T.R.I.D. limited company; Companies which have been designated as operators of critical infrastructures within the meaning of the Act of 1 July 2011 on the security and protection of critical infrastructures, provided that elements of the private 5G network are used in one of these critical Infrastructures; Companies which have been designated as operators of essential services within the meaning of the Act of 7 April 2019 laying down a framework for the security of network and information systems of general interest for public safety (NIS Act), provided that the provision of an essential service makes use of the private 5G network.	applying for and receiving a ministerial authorisation before using an element of the 5G network (prior authorisation), or; if this network element is already in use at the time of entry into force of the Royal Decree on the ministerial authorisation, applying for and receiving a ministerial authorisation within two months following this date (regularisation authorisation), and; applying for and receiving a ministerial authorisation before using a service provider for the management and supervision of their 5G network elements, with the exception of using equipment manufacturers providing support services, when this service is included in the contract regarding the provision of network elements (prior authorisation), or; if the use of such a service provider is already effective at the time of entry into force of the Royal Decree on the ministerial authorisation, applying for a ministerial authorisation within two months following this date and receiving it (regularisation authorisation).

Obligations for:

Obligations:

the following companies when they provide a 5G network:

MNOs (Mobile Network Operators, see definition in Article 2, 89°, of the aforementioned Act);
“full” MVNOs (Mobile Virtual Network Operator, see definition in Article 2, 90°, of the aforementioned Act), i.e. MVNOs owning certain network elements;
the A.S.T.R.I.D. limited company;
Companies which have been designated as operators of critical infrastructures within the meaning of the Act of 1 July 2011 on the security and protection of critical infrastructures, provided that elements of the private 5G network are used in one of these critical Infrastructures;
Companies which have been designated as operators of essential services within the meaning of the Act of 7 April 2019 laying down a framework for the security of network and information systems of general interest for public safety (NIS Act), provided that the provision of an essential service makes use of the private 5G network.

applying for and receiving a ministerial authorisation before using an element of the 5G network (prior authorisation), or;
if this network element is already in use at the time of entry into force of the Royal Decree on the ministerial authorisation, applying for and receiving a ministerial authorisation within two months following this date (regularisation authorisation), and;
applying for and receiving a ministerial authorisation before using a service provider for the management and supervision of their 5G network elements, with the exception of using equipment manufacturers providing support services, when this service is included in the contract regarding the provision of network elements (prior authorisation), or;
if the use of such a service provider is already effective at the time of entry into force of the Royal Decree on the ministerial authorisation, applying for a ministerial authorisation within two months following this date and receiving it (regularisation authorisation).

A new application will have to be made if the company providing a 5G network wishes to use a network or service that has not yet been the subject of an authorisation.

Article 11, subparagraph 1, of the Royal Decree on the ministerial authorisation provides that software or hardware updates do not require additional authorisation, except when they modify the elements listed in the application for authorisation.

The ministerial authorisation is granted by the following ministers: the Prime Minister, the Minister of Telecommunications, the Minister of Defence, the Minister of Justice, the Minister of Home Affairs and the Minister of Foreign Affairs (Article 105, § 1, of the Act on electronic communications).

They can grant the authorisation, grant it subject to certain conditions or reject it.

When reviewing an application, they must:

assess the risk profile of the provider based on an opinion of the intelligence and security services (probability that the provider will be subject to interference from a country other than an EU Member State) and an opinion of the BIPT (ability of the provider to ensure the supply in terms of deadlines, quantity, overall quality of its products or services and its practices in terms of security), and;
apply the restrictions laid down in the Royal Decree on the ministerial authorisation.

Certain restrictions for MNOs take into account sensitive areas in Belgium. The latter are listed in the annex to the Royal Decree of 23 October 2022 on sensitive areas within the framework of the Act of 17 February introducing additional security measures for the provision of mobile 5G services. This annex is confidential. MNOs which must apply for a ministerial authorisation and wishing to consult this annex can send an e-mail to the BIPT.

Companies which must get a ministerial authorisation (prior authorisation or regularisation authorisation) must send their application to the BIPT pursuant to the terms set out in the Communication of 15 May 2023 of the BIPT.

Location obligation within the framework of the provision of a 5G network

As of 1 January 2028, the companies referred to in the previous section providing a 5G network must ensure that the following elements are established in the territory of the European Union:

the persons, equipment, software and data that are necessary for the real-time monitoring of their 5G network or elements of the 5G network core;
the persons, equipment, software and data related to the monitoring of physical and logical access to their 5G network or elements of the 5G network core.

The persons who do not monitor the network in real time but who may be required to perform a one-off action on the network may be located outside the territory of the European Union, provided that their actions are permanently monitored by one of the above-mentioned persons (Royal Decree of 18 April 2023 on the location requirements for 5G networks).

Furthermore, when an MNO offers electronic communications services in Belgium over a 5G network, the network infrastructure must be located in the territory of the Member States of the European Union (Article 105, § 8, subparagraph 1, of the Act on electronic communications).

NIS Act

By “NIS Act” we mean the Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety.

In order to implement this Act the BIPT has been designated as the sectoral authority and inspection service responsible for the digital infrastructure sector. This sector includes at least the following entities: the IXPs (Internet exchange points), the DNS service providers and the registers of top-level domain names.

One of the missions of the sectoral authority is to designate the operators of essential services (OES) of its sector, in consultation with the Centre for Cybersecurity Belgium (CCB) and the Crisis Centre of the FPS Internal Affairs (NCCN).

The NIS Act lays down obligations on the OES regarding security measures (Articles 20 to 23), incident notification (Articles 24 and 25, also see section “Practical information), and audit (Article 38).

An entity of the digital infrastructure sector operating in Belgium and which has not been designated by the BIPT as an OES may notify, on a voluntary basis, any incident with a significant impact on the continuity of the services it provides (see section “Practical information”). This voluntary notification does not result, for the notifying entity, in obligations to which it would not have been subjected, had it not made the notification. While handling notifications, the CCB, the BIPT and the NCCN may give priority to mandatory notifications imposed by the NIS Act against voluntary notifications. Voluntary notifications are only handled when their handling does not create a disproportionate or unnecessary burden on the above-mentioned authorities.

The legal framework is the following:

Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors;
Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety;
Royal Decree of 12 July 2019 implementing the Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety and the Act of 1 July 2011 on the security and protection of critical infrastructures;
Royal Decree of 15 December 2021 establishing the identification cards of the statutory agents and contractual agents of the Belgian Institute for Postal Services and Telecommunications.

You will find more information on the CCB website.

Risk analysis

The BIPT has implemented a risk analysis tool regarding the security of networks and information systems, SERIMA.be (which stands for Security Risk Management).

The BIPT intends to ask certain electronic communications operators and operators of essential services (OES) it has designated based on the NIS Act to submit an annual risk analysis via this platform.

The other electronic communications operators may use the platform upon request to the BIPT. More information is available in the communication of 12 April 2023 on risk analyses regarding the security of networks and information systems (see section “Documents”).

Critical Infrastructures Act

By “Critical Infrastructures Act” we mean the Act of 1 July 2011 on the security and protection of critical infrastructures.

In order to implement this Act, the BIPT has been designated as the sectoral authority and inspection service responsible for the electronic communications sector (including the digital infrastructures sector).

As a sectoral authority, the BIPT must designate critical infrastructure operators within its sector and identify their critical infrastructures, and this in consultation with the Crisis Centre of the FPS Internal Affairs (NCCN) and the Centre for Cybersecurity Belgium (CCB).

The main obligation of a critical infrastructure operator (see Article 13 of the Act) is to design and implement a security plan, which includes at least the permanent internal security measures (applicable in all circumstances) and graduated internal security measures (to be applied depending on the threat).

The operator must report any event which may threaten the security of the critical infrastructure (see Article 14 of the same Act).

The BIPT conducts inspections of the critical infrastructures.

The legal framework is the following:

Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors;
Act of 1 July 2011 on the security and protection of critical infrastructures;
Royal Decree of 27 May 2014 implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures;
Royal Decree of 14 June 2017 appointing for the electronic communications sector the inspection service established by the Act of 1 July 2011 on the security and protection of critical infrastructures;
Royal Decree of 15 December 2021 establishing the identification cards of the statutory agents and contractual agents of the Belgian Institute for Postal Services and Telecommunications.

Act on security advices

By “Act on security advices” we mean the Act of 11 December 1998 on classification and security clearances, security certificates and security advices.

To implement this Act, the BIPT has been designated as the competent authority for the “electronic communications and digital infrastructures sector”, except for the security advices for the members of the (Justice) Coordination Cell of the electronic communications operators. The Minister of Justice is the competent administrative authority for these advices.

The BIPT has the responsibility, as the competent administrative authority, to propose to the ANS (“Autorité nationale de sécurité” or National Seucurity Authority) the positions which should be subject to a security advice as well as the operators to which this measure is applicable. The ANS takes the decision in this matter. Once the decision is taken, the advice requests must be transmitted via the BIPT.

The legal framework is the following:

Act of 11 December 1998 on classification and security clearances, security certificates and security advices;
Act of 11 December 1998 establishing an appeal body regarding security clearances, security certificates and security advices;
Royal Decree of 24 March 2000 implementing the Act of 11 December 1998 on classification and security clearances, security certificates and security advices;
Royal Decree of 8 May 2018 laying down the areas of activity and the competent administrative authorities referred to in Article 22quinquies, § 7, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices;
Royal Decree of 8 May 2018 laying down the list of data and information which may be accessed within the framework of a security check;
Royal Decree of 8 May 2018 laying down the payments for security clearances, security certificates and security advices issued by the National security authority and for the security certificates issued by the Federal Agency for Nuclear Control, as well as the distribution keys referred to in Article 22septies, subparagraphs 6 and 8, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices.

Federal emergency phase

The website of the National Crisis Center (NCCN) summarises the actions taken by the 4 committees that are activated following the activation of the federal emergency phase as follows:

“During a federal phase, the Minister of the Interior is in charge. When a Minister declares a federal phase, four different committees come together:

The evaluation committee collects information, evaluates the situation and gives advice to COFECO. This committee is composed of experts and scientists from the various competent authorities or services.
The Federal Coordination Committee or COFECO assesses the situation and its evolution, proposes measures to protect the population to the policy committee and distributes available supra-local resources. This committee is composed of representatives of disciplines and public services.
The policy committee endorses the measures proposed by COFECO. This committee is composed of the competent ministers. They have the power to adopt measures and bear the political responsibility for them.
The information committee communicates about the measures. This committee is made up of the Communications Officers or spokespersons of the departments involved.

The Federal Coordination Committee is always in contact with the provincial crisis cell(s) and departmental or regional crisis centres, which implement the decisions within their own areas of competence.”

An assessment cell (CELEVAL) has been established for the telecoms sector (“CELEVAL telecoms”). The composition of this cell depends on the type of incident. It generally includes, among others, the electronic communications operators concerned, the Centre for Cybersecurity Belgium (CCB), the FPS Economy, the BIPT, the National Crisis Center (NCCN), the A.S.T.R.I.D. limited company, the Federal Police and the Directorate-General Civil Security. The BIPT chairs this cell.

COFECO is chaired by the National Crisis Center (NCCN) and includes, among others, the BIPT if telecom elements are discussed in this cell.

The BIPT, as chair of CELEVAL telecoms, is responsible for:

Reporting to COFECO on the situation of the whole telecoms sector;
Following up COFECO’s requests to the telecoms sector.

The legal framework applicable to the federal phase is point 4.4. of the annex to the Royal Decree of 31 January 2003 establishing the emergency plan for crisis events and situations requiring nationwide coordination or management.

ENISA (European Network and Information Security Agency) documents

Technical Guideline on Minimum Security Measures
Technical Guideline on Incident Reporting
Technical Guideline on Threats and Assets
Security Guide for ICT Procurement
Secure ICT Procurement in Electronic Communications
Protection of Underground Electronic Communications Infrastructure
Power Supply Dependencies in the Electronic Communications Sector
Signalling Security in Telecom SS7/Diameter/5G
National Roaming for Resilience
Guideline on assessing security measures in the context of Article 3(3) of the Open Internet regulation
7 Steps to shore up the Border Gateway Protocol (BGP)

Documents

Judgement of the Market Court of 10 May 2023 on the BIPT Decision of 23 August 2022 regarding the lack of adequate security measures taken by Telenet for its site in [confidential]
Communication of 15 May 2023 on the application for a ministerial authorisation for security purposes regarding a 5G network
Communication of 12 April 2023 on the platform SERIMA.be
Decision of 23 August 2022 regarding the lack of adequate security measures taken by Telenet for its site in [confidential]
Communication of 5 July 2022 on the platform SERIMA.be
Communication on the platform SERIMA.be (risk analyses regarding the security of networks and information systems)
Consultation on the communication project on the risk analyses regarding the security of networks and information systems
Communication on the COVID-19 virus following the communication of the Belgian government of 17 March 2020
Communication on the COVID-19 virus
Opinion of 15 May 2019 on the draft Royal Decree implementing the NIS Act as well as certain provisions of the “Critical Infrastructures Act”
Support document for the preparation of a security plan
Decision of 14 Dcember 2017 regarding the thresholds and terms and conditions for reporting of security incidents within the electronic communications sector
Consultation draft decision on the thresholds and terms and conditions for the notification of security incidents
Communication of 18 november 2015 about the risk of power cuts during winter 2015/2016
FAQ Planned power cut-offs winter 2014-2015
Decision of 1 April 2014 laying down the circumstances in which the operators have to notify BIPT of a security incident and the terms and conditions of this notification
Communication of 16 September 2013 regarding hacking at Belgacom
Consultation on the draft Royal Decree implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures
Communication of 30 April 2013 on the possible risks of a safety breach regarding the mobile telephony networks and services in the context of the 2G and 2.5G technology
Draft decision of 3 May 2013 laying down the situations in which operators have to report a security incident to BIPT, as well as the terms and conditions of such notification
Opinion of 17 February 2012 to Minister Vande Lanotte on the potential risks of security violation in mobile telephone networks and services within the framework of 2G and 2.5G technologies