Cybersecurity Comparative Guide

Published date: 07 April 2021
Subject matter: Privacy, Technology, Privacy Protection, Security
Law firm: Astrea
Authors: Mr Steven De Schrijver and Jan van Loon

1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

In Belgium, a legal distinction exists between these concepts, which follows from Belgian and EU law.

'Cybersecurity' is defined on the basis of EU law instruments. For example, the EU Cybersecurity Act (Regulation 2019/881 of 17 April 2019, which directly applies in Belgium) defines 'cybersecurity' as "the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats". A 'cyber threat' is defined as a "potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons".

The Belgian Network and Information Systems Security Act of 7 April 2019 ('NIS Act'), which implements the EU NIS Directive 2016/1148, states that the obligation to protect network and information systems aims to ensure "the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems".

'Data protection' usually refers to the legal framework for the protection of personal data - that is, data relating to an identified or identifiable person - which is set out in the General Data Protection Regulation (2016/679) (GDPR) and further regulated by the Privacy Act of 30 July 2018. In contrast, 'cybersecurity' can relate to the protection of all types of data, including non-personal data.

'Cybercrime' may be understood in the broad sense as all punishable actions and behaviours committed with the assistance of the Internet, data networks or IT systems. These include hacking, phishing, financial scams and cyberstalking. From a Belgian legal perspective, the term includes all crimes set out in the Act of 28 November 2000, which transposed the Council of Europe's Convention on Cybercrime of 23 November 2001.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

Data protection:

  • The GDPR;
  • The Act of 3 December 2017 establishing the Data Protection Authority;
  • The Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data;
  • The Act of 5 September 2018 setting up the information security committee and amending various laws regarding the implementation of the GDPR; and
  • Article 22 of the Belgian Constitution.

Cybersecurity:

  • The Act of 1 July 2011 on the security and protection of critical infrastructures;
  • The NIS Directive;
  • The NIS Act;
  • Royal Decree of 12 July 2019, implementing the Act of 7 April 2019, establishing a framework for the security of network and information systems of general interest for public security and the Act of 1 July 2011 on the security and protection of critical infrastructure;
  • Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for the application of the NIS Directive as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems, and of the parameters for determining whether an incident has a substantial impact; and
  • EU Regulation 2019/881 of 17 April 2019 on the European Union Agency for Cybersecurity, information and communications technology, cybersecurity certification and repealing EU Regulation 526/2013.

Cybercrime:

  • The Penal Code (including amendments made by the Act of 28 November 2000 on cybercrime, the Act of 15 May 2006 on cybercrime and Title 14 of the Act of 6 July 2017), and specifically Articles 210bis, 504quater, 550bis and 550ter;
  • The Code of Criminal Proceedings; and
  • The Act of 13 June 2005 on electronic communications.

Further sector-specific laws and regulations exist (eg, with regard to electronic communications, employee surveillance or trade secrets), which are discussed in this Q&A where relevant.

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

Yes, the NIS Act applies specifically to digital service providers and to operators of essential services in the following sectors:

  • energy (including electricity, oil and gas);
  • transport (including air, rail, water and road transport);
  • financial institutions;
  • financial market infrastructure;
  • healthcare (both public and private);
  • drinking water supply; and
  • digital infrastructure (including online trade platforms, search engines and cloud computing providers).

Additional criteria are provided to identify which operators in these sectors are in fact covered by the act (eg, whether the provision of the service is dependent on a network and information system).

The Electronic Communications Act of 13 June 2005 lays down specific rules on the security of the telecommunications sector. The origin of these rules can be found in the European Electronic Communications Code and the e-Privacy Directive (2005/58). A debate on an e-Privacy Regulation, to replace the e-Privacy Directive, has been ongoing for a couple of years.

The eIDAS Regulation (910/2014) applies to providers of trust services that make business transactions more secure (eg, by creating, verifying and validating electronic signatures). Further Belgian legislation which is relevant in this respect can be found in:

  • Title 2 of Book XII of the Code of Economic Law;
  • the Act of 18 July 2017 on electronic identification;
  • the Act of 20 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier and the elimination of obstacles to the conclusion of contracts by electronic means; and
  • the Royal Decree of 25 September 2018 on the harmonisation of the concepts of electronic signature and durable data carrier.

The Second Payment Services Directive (2015/2366) includes cybersecurity rules which apply to payment service providers. The Belgian implementing legislation can be found in the Act of 11 March 2018 on the statute and supervision of payment institutions and electronic money institutions, access to the business of payment service provider and to the activity of issuing electronic money, and access to payment systems.

The GDPR and the Privacy Act apply in all sectors, including those mentioned above, in which personal data is processed.

(b) Certain types of information (personal data, health information, financial information, classified information)?

The GDPR specifically applies to any personal data that is being processed, regardless of sector or industry (but excluding that processed by a natural person or by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security).

Health and financial information is also covered by the GDPR, as it in essence constitutes personal data. Such information is qualified as 'sensitive data', meaning that stricter requirements apply (eg, processing is forbidden, except in specific cases). Other types of sensitive data include data relating to a data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data.

Trade secrets are protected by the Code of Economic Law pursuant to the Trade Secrets Directive (2016/943).

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

The Penal Code in itself has no extraterritorial application, as it provides that the criminal courts are competent only for crimes committed on Belgian territory.

However, on 19 February 2019 the Court of Cassation (the country's highest court) decided in the Skype case that a provider of electronic communications services had to provide technical cooperation for tapping, as there was a territorial link with Belgium because Skype was economically...
