Network security and critical infrastructures


Relevant companies

According to the Act of 13 June 2005 on electronic communications (hereinafter the “Telecom Act”), all operators without exception must respect the provisions regarding network security.

However, within the electronic communications sector referred to in the Act of 1 July 2011 on the security and protection of critical infrastructures (hereinafter the “Critical Infrastructures Act”), only the critical infrastructures designated by the sectoral authority are subject to that Act.

Obligations regarding security measures

The Telecom Act (see Article 114) defines the security measures to be taken by the operators to ensure the proper operation of their networks and services (for instance within the framework of the risk of electricity switch-off) and to protect (personal) data which are processed within the framework of the provision of these networks and services.

However, according to the Critical Infrastructures Act (see Article 13), the operator of such an infrastructure must design and implement a security plan, which includes at least the permanent internal security measures, applicable in all circumstances, and graduated internal security measures to be applied in accordance with the threat.

Obligations regarding incident notification

Article 114/1 of the Telecom Act distinguishes three cases in which operators are subject to a security incident notification obligation:

1. The obligation to notify BIPT of a particular risk of a network security breach;

2. The obligation to notify BIPT of a security breach or loss of integrity that has had a significant impact on the operation of networks or services. What is meant by “significant impact”, and the details of the notification, are clarified in the BIPT Council Decision of 14/12/2017 (see the “Incidents notification and practical information” section);

3. In case of a breach of personal data transmitted, stored or otherwise processed in connection with the provision of electronic communications services, the operator shall inform the Data Protection Authority, which in turn shall inform BIPT without delay. In some cases, the subscriber concerned by the breach must also be informed. BIPT and the Data Protection Authority consult each other on the management of the incident.

According to the Critical Infrastructures Act (see Article 14), the operator shall notify any event whose nature may threaten the security of the critical infrastructure.

BIPT processes security incidents via its duty team, created for this purpose.

Monitoring and sanctions

BIPT monitors the observance of the legislation and of its implementation measures and imposes sanctions if necessary. To this end, the Institute has been appointed as inspection service for the electronic communications sector within the framework of the Critical Infrastructures Act.

Legal framework

The main provisions regarding network security are:

1. Concerning network security in the narrower sense:

a. Articles 114 to 114/2 of the Telecom Act;

b. The BIPT Council Decision of 14/12/2017 regarding the thresholds and the terms and conditions for reporting security incidents within the electronic communications sector.

2. Concerning personal data breaches:

a. Articles 2, 68° and 114 to 114/2 of the Telecom Act;

b. Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.

3. Concerning the protection of critical infrastructures in the electronic communications sector:

a. The Act of 1 July 2011 on the security and protection of critical infrastructures;

b. The Ministerial Order of 17 October 2011 regarding the appointment of the sectoral authority for the electronic communications sector;

c. The Ministerial Order of 17 April 2013 modifying the Ministerial Order of 17 October 2011 regarding the appointment of the sectoral authority for the electronic communications sector referred to in Article 3, 3°, d, of the Act of 1 July 2011 on the security and protection of critical infrastructures;

d. The Royal Decree of 27 May 2014 implementing, in the electronic communications sector, Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures.