We sat down with Levi to briefly ask him how his and Beltug’s expertise and initiatives can support our members, with insight into the upcoming legal framework and the transposition of the NIS2 into Belgian law:

Q: What is Beltug doing around the NIS2?

Levi: Beltug has set up several initiatives to ensure our members are prepared, including establishing the NIS2 sounding board, which analyses legislation and brings forward issues. We have also organised several D-scover regulatory events on the NIS2 (7 Feb 2024, 30 Jan 2023, 17 Jan 2023), and our recent CyFun session.

Furthermore, we can inform others in our network – and have already done so through online and in-person information sessions. There is plenty of information available, but there are a lot of ‘myths’ as well. Beltug members (and often their clients) need real answers about the latest developments of the NIS2 transposition into Belgian law. We aim to bring them some clarity, with the knowledge we have developed.

Q: What knowledge can Beltug share through information sessions?

Levi: An information session can be a great way for a Beltug member to support its network with insight into the legislation. We can help organisations to understand which questions to ask, and we can debunk some of the myths that have arisen.

This can thus include addressing the ‘basic’ questions of: what is the NIS2, when will it be transcribed into Belgian law, why is it important, who is it relevant for, etc. But depending on the organisation’s information needs, we can also go into more complex queries about the decisions still to be made around the transposition. For example:

  • How is Belgium planning to organise registration for the approximately 3000 entities that might need to follow the regulations in Belgium?
  • What will be the timing for registration?
  • Will there be sectoral authorities along with the national cyber security authority?
  • How will organisations be able to prove that their security controls comply with the law?
  • Will they be allowed to choose between, for example, the CyberFundamentals Framework, the ISO27001 framework or sectoral frameworks?

Q: What other insight can Beltug share?

Levi: Certain organisations will be directly impacted by some specific aspects of the legislation, and they need to be aware of this. For example:

Entities can choose between certain frameworks, and remain in compliance. However, which framework they choose makes a difference. If they get certified in ISO27001 or the CyberFundamentals Framework, the organisation will be ‘believed’ to be in compliance, but they can also choose a different framework. However, when choosing a different framework, the entity has to map it back to ISO27001 or the CyberFundamentals Framework.

Boards of organisations will become responsible for cyber security. They will need training, and this should be foreseen.

Furthermore, in our back-and-forth discussions with policy makers, we have focussed on several key topics. These include:

  • In the transposition, Belgium needs to stick closely to the EU Directive, because many organisations have activities in several Member States. Keeping the Belgian legislation close to the EU Directive helps ensure a true single market. We have also highlighted the need to avoid, where possible, adding measures to the Belgian version.
  • We have communicated our appreciation that Belgium has taken up the possibility to consider entities that do not share an IT infrastructure as ‘separate’.

We continue to raise additional questions with policy makers, not only to get answers, but also to make sure those important issues are being discussed. These include notification of incidents to different authorities, ensuring there are enough auditors, the legal basis of biometrics, essential administrative measures for essential entities, etc.

Sound interesting? Would you like to share Levi’s expertise with your team, clients, etc.? Contact him to find out more.