The NIS Directive: security, privacy and compliance: Takeaways from the Beltug event of 1 October 2019


What will be the impact of the NIS Directive (i.e. the European Directive on the security of network and information systems) on your organisation in Belgium? The NIS Directive has been transposed into Belgian law as the NIS Act, which applies to eight specific sectors covering a very broad range of activities (energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructures and digital service providers).

Many of our members will thus be impacted, so we organised a session to explore the ins and outs of the Directive and the Belgian implementation, and to learn about the implications for Belgian organisations.

The presentations from the N-sight are available for our members (after login).

NIS requirements for ‘operators of essential services’ and ‘digital service providers’ in Belgium

To understand the NIS, we first need to know the two categories of entities that carry obligations under the directive, began Valéry Vander Geeten, Legal Officer, DPO and Project Manager NIS at the Centre for Cyber Security Belgium (CCB). These are:

Furthermore, different entities amongst the national and the sector authorities have been assigned to follow up on the NIS (slides 4-6).

In Belgium, the CCB is the national coordination authority for NIS, so the sectoral authorities must collaborate with the CCB. The CCB also hosts the national Computer Security Incident Response Team (CSIRT). The sectoral authorities may form a sectoral CSIRT of their own if they wish.

While implementing the NIS Directive has a serious impact on a company, the CCB does see some advantages:

Valéry also zoomed in on the criteria that make a company an OES in Belgium (slides 17-20).

What security measures does a company need to put in place? Valéry explained that article 20 of the directive is key:

"The operator of essential services shall take the necessary and proportionate technical and organisational measures to manage the risks that threaten the security of the networks and information systems on which its essential services depend.

These measures shall ensure, for networks and information systems, a level of physical and logical security appropriate to the existing risks, taking into account the state of knowledge.

The operator shall also take appropriate measures to prevent or limit the impact of incidents that compromise the security of the networks and information systems used to provide these essential services, with a view to ensuring the continuity of these services."

NIS also requires the notification of incidents, including the ‘how’ and the ‘when’ of notifying (slides 30-36).

Valéry concluded with the consequences of non-compliance, including a list of potential criminal and administrative sanctions (slides 43 and 44).

Security as a selling point? The impact of the NIS on IT providers

Next up was Benjamin Docquir, Partner and Head of IP at Osborne Clarke, who explored the impact of the NIS on IT providers.

To start with, traditional Belgian law did not provide a harmonised answer to the question ‘what exactly is security?’, at least not until the GDPR (slide 4). The NIS Act, however, does define ‘security’ (slide 5).

And while compliance with ISO 27001 is not an obligation under the NIS Directive (companies can use an ‘equivalent’ norm), there is a clear incentive for IT providers, given their customers’ expectations. In the IT supplier/customer relationship, Benjamin expects increased support for certification in the coming years; the EU Cybersecurity Act will help with the certification process.

Benjamin concluded with some helpful tips on how to embed security in a contract with an IT provider (slides 11 and 12).

The interaction between the NIS Act, the Critical Infrastructures Act and the GDPR

Johan Vandendriessche, Professor at the University of Gent, then walked us through the ways the NIS Act interacts with other legislation, such as the Critical Infrastructures Act and the GDPR. Johan highlighted, for example, that even if you are not a (designated) operator of essential services, you are a potential operator of essential services and thus need to comply with a limited part of the NIS Act, specifically:

Keep in mind that the NIS Act does not prevail over the Critical Infrastructures Act (which focuses on assets, not on companies or sectors) or other legislation: it is not a lex specialis (slides 10-11). In fact, the NIS Act has expanded the scope of the Critical Infrastructures Act, and the obligations under each are similar. So while their approaches differ, the two pieces of legislation are largely aligned.

Next, Johan compared the NIS with the GDPR: again, the NIS Act does not prevail over the GDPR or other data protection legislation (slides 16-21). The rights of data subjects can be restricted by the NIS Act, which might prove a pitfall for companies (slides 22-26).

Johan concluded with some key takeaways regarding the interaction of the NIS Act with the GDPR:
