Network and information systems and services play a vital role in society. Their reliability and security are essential to economic and societal activities, and in particular to the functioning of the internal market. Cybersecurity is a keystone to achieving this reliability.
On 6 July 2016, the European Parliament adopted the Directive on security of network and information systems (the NIS Directive). It covers measures to ensure a high common level of network and information security across the EU, to boost the overall level of cybersecurity. By mid-2018, it is to be transposed into Belgian law.
This directive is of particular interest to Beltug, because digital service providers (DSPs) face additional obligations. In the context of the NIS Directive, DSPs include providers of cloud services, online marketplaces and search engines, so this touches many of our members.
The obligations for DSPs include, for example, a requirement to notify the competent authority or the CSIRT of any incident having a substantial impact on the provision of a service. However, the Directive defines only in very generic terms how to determine whether the impact of an incident is ‘substantial’; this should be clarified in the implementing act, expected to be approved in August 2017.
Belgium and the NIS Directive
Beltug will follow up closely as Belgium moves towards transposing the Directive into national law. We have already prepared a Position for the Belgian government on the implementing act. In general, we plead that the obligations for DSPs be kept at a reasonable level, and that there be no 'parallel obligations' with the GDPR implementation.