Belgian Cyber Security Act (NIS): New risks for online service providers

The new Cyber Security Act (NIS) may result in online service providers being held liable for a cyberattack that they themselves are the victims of. The penalties for this can be up to €400,000 or even one year of imprisonment. In addition to taking adequate preventive measures, a cyber policy and directors' and officers' liability insurance, among other things, provide the necessary protection against these new risks.

Belgian Cyber Security Act (NIS): New risks for online service providers

When cybercriminals hack into your IT infrastructure or steal important data from your customers, you are primarily the victim of these criminals. However, if your organisation provides digital services, you may also be held liable. This is one of the consequences of the entry into force of the new Cyber Security Act (or NIS Act, whereby NIS stands for Network and Information Security) that was published on 3 May 2019.

Once you fall within the scope of this Act as a digital service provider (or provider of essential services in the Energy, Transport, Financing or Health sectors), you must take into account some additional obligations. If you fail to do so, you may be held responsible if, for example, you have not done enough to prevent a cyberattack or if you have not reported the incident.

Are you a digital service provider?

The Cyber Security Act defines a digital service provider as follows: ‘a legal entity providing a digital service’. A digital service is ‘any information society service, that is to say any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services‘.

This is, of course, a very broad definition, to which the annexes to the law provide for a number of exceptions. However, roughly speaking, digital service providers are online marketplaces, online search engines and cloud computing services.

Three additional obligations

If you fall under the category of ‘digital service provider’, you have three important obligations (which you can find more information about in the Cyber Security Act itself):

1. Security obligation: you must identify the risks to the security of your network and information systems and take the necessary measures to manage these risks. You are also expected to take measures to guarantee the continuity of your services.

2. Notification obligation: any incident that has a major impact on your digital service must be reported via the platform of the Centre for Cyber Security Belgium (CCB). This obligation only applies if you have access to the information in order to assess all or part of the consequences of the incident.

3. Obligation to provide information: you must provide the FPS Economy’s inspection service with the information required to assess the security of your network and information systems within the set time limit.

Criminal and administrative sanctions

If you do not comply with the above obligations, you may be subject to both criminal and administrative sanctions. The criminal sanctions imposed on you when, for example, you have failed to comply with your security obligation can be up to a year’s imprisonment and/or a fine of up to €240,000. In the event of failure to comply with the obligation to provide information, this can amount to as much as €400,000.

In addition, online service providers also risk an administrative fine. This can amount to as much as €100,000.

Conclusion: protect yourself with the right policies

As a digital service provider, you wear two hats in the event of a cyberattack: that of the victim and (if you have failed to comply with the obligations of the new Cyber Security Act) that of the person responsible.

It is therefore crucial to ensure that you correctly assess the cyber risks and at the same time take the necessary preventive measures to ensure that your organisation and all its stakeholders are well protected. In addition, you must be in compliance with the new obligations arising from the NIS Act.

As no risk can ever be ruled out completely, we also advise you to take out the following insurance solutions:

  • Cyber policy: this provides protection against the financial consequences of a cyberattack, reimburses administrative fines and provides assistance (IT, PR, legal) in the event of a cyberattack.
  • Directors’ and officers’ liability insurance: this protects the personal liability of directors and officers, both in terms of criminal law and administration.
  • Professional liability and civil liability insurance: this provides protection against the financial consequences of professional errors and third-party claims.
Jonas Mannaerts

We are there for you.

If you would like more information, we will be happy to help you via jonas.mannaerts@vanbreda.be or +32 (0)3 217 62 47.

Subscribe to our newsletter.