Getting to grips with the NIS and security regulations. Takeaways from the N-sight of 16 June 2020


Although the EU Network and Information Security directive (NIS Directive) was transposed into Belgian law and became applicable on 3 May 2019, there is still little awareness about it and its requirements. And it is just one of the many security regulations surrounding organisations. There are plenty more texts relevant to security, including the ENISA guidelines and recommendations, and ISO standards, to name just two.


The challenges these create are many and complex. First, you need to get to grips with all relevant regulations, rules and best practices. But then, how do you implement them in your organisation? How do you compile all the information in a comprehensive and comprehensible policy? And how do you ensure adoption of the policy by your company’s staff?


We had a look at some of these elements in this online session.


The presentations from this X-change, and a link to the recording of the event, are available for our members (after log-in). Takeaways will be published soon.



The role of the National CSIRT (CCB) in incident notification and security measures


Valéry Vander Geeten, Legal Officer, DPO and Project Manager NIS, Centre for Cyber Security Belgium, opened the afternoon by stating that increasing the knowledge around the NIS directive is very important and a work in progress.  The CCB is the national authority for the NIS, the national SPOC (single point of contact) and the national CSIRT (slides 10 and 11).


He started by explaining 'incident notification', which becomes mandatory as soon as a DSP or an OES is identified as such (by the relevant authority). All incidents affecting IT systems on which an essential service depends, need to be formally reported on the NIS notification platform. The platform is now live, Valéry shared, and impacted companies will receive their onboarding credentials. For financial institutions, the process is slightly different (slide 5). These fall under the supervision of the National Bank.


Operators can also voluntarily report incidents. The notification guide (when, how, timing, etc.) is available on the CERT website, in Dutch and French.


So what is an incident with an obviously substantial impact:

  • Duration: unavailability for more than 5,000,000.000 user-hours
  • Number of users: more than 100,000 affected users
  • Nature of the impact: public safety, public security or resulted in a death
  • Material damage: > €1,000,000


Overall, the general obligations of the OES are to ensure

  • necessary and proportionate technical and organisational measures
  • a level of physical and logical security appropriate to the existing risks, taking into account the state of knowledge
  • appropriate measures to prevent or limit the impact of incidents

(slide 15)


The security measures are to be adopted within one year after an OES is defined as accountable under the NIS.  A first internal audit then needs to be performed within three months, followed by an external audit after another 24 months.


This means an OES needs to prove its compliance with the regulations and adopt a policy for the security of its information systems and networks (PSI) related to the provision of its essential services. The requirements include:

  • Technical and organisational measures that are necessary and proportionate
  • Physical and logical security measures that prevent and minimise the impact of incidents that compromise the NIS


Most companies already have existing security measures and policies, that meet e.g. the ISO/IEC 27001 standards (slide 18). It is up to the operator to demonstrate the adequacy, proportionality and effectiveness of its security measures (under the control of the sectoral inspection services and the external auditors/certification auditors).


For DSPs, the EU-harmonised rules apply, so there is no specific role for the CCB. For this group (cloud services providers, online market places and search engines), the law says:


"NIS Act Digital service providers shall identify the risks to the security of the networks and information systems they use to provide the services referred to in Annex II in the Union and shall take the necessary and proportionate technical and organisational measures to manage them.

These measures shall ensure, in the light of the state of knowledge, a level of network and information system security appropriate to the existing risk and shall take into account the following elements:

  • the security of systems and installations;
  • incident management;
  • business continuity management;
  • monitoring, audit and control;
  • compliance with international standards.


Digital service providers shall also take measures to avoid incidents affecting the security of their networks and information systems, and to minimise the impact of such incidents on the services listed in Annex II to this Act that are offered in the European Union, in order to ensure the continuity of these services." (Slide 21)



Case: FISP - Federal Information Security Policies: Approach, constraints and lessons learned


Our next speaker was Daniel Letecheur, CISO - DPO, Federal Public Service Strategy and Support (FPS BOSA).  FPS BOSA assists the federal government and supports the federal institutions in various areas: IT, HR, organisational control and integrity policy, budget, accounting and public procurement contracts.



BOSA chose to follow the ISO standards for its Federal Information Security Policy (FISP). This FISP is

  • a harmonised information security policy
  • through a common directive
  • for all federal government services, federal public interest groups and social security institutions.


It is up to each FPS to decide whether it wants to follow this FISP, making the latter more of a guideline than a real policy.


Daniel provided a breakdown of the FISP, with the key elements for general classification of information, privacy and information security (slide 5). CISOs, DPOs and the CCB, amongst others, were all involved in the drafting process for the FISP.


These guidelines will now be distributed across the various departments of the federal governments. This will make it possible to streamline the security approach across the federal government. To meet the needs of the different IT departments, a cloud decision matrix will be added to it.


At BOSA itself, the existing security policies have now been formalised, based on the work done for FISP. By writing policies down from the start – even when they are not perfect – they can be fixed along the way. Daniel shared BOSA's own security approach, based on good risk governance (slide 11).


Beltug NIS Questionnaire


Our final speaker was JP Bernaerts, External DPO & Data Protection Advisor at DPOffice and author of the recently published Beltug NIS questionnaire.


The questionnaire is focussed on DSPs as defined in the NIS Directive (slide 5). These only fall under the Belgian Act (Art. 3) when:

  • they have their main establishment in Belgium or
  • they are not established in the European Union but do provide services in Belgium and their representative is established in Belgium in the context of the NIS Directive.


The NIS Directive defines a number of requirements for the member states and for the organisations that are subject to the directive.


A focused questionnaire can help you get a clear picture of how your current or new digital service provider measures up against the requirements. It can also be an excellent means for proving accountability.


After this introduction, Jean-Pierre walked us through the questionnaire - starting at minute 52 in the recording (linked above, after log-in).











Dear visitor,

Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).

Beltug gathers a lot of information. Here you find the advantages of Beltug membership

The Beltug Team

Click here to login

>>> Back to overview