According to the Act of 13 June 2005 on electronic communications (hereinafter the “Telecom Act”), all operators without exception must respect the provisions regarding network security.
However, in the electronic communications sector as referred to in the Act of 1 July 2011 on the security and protection of critical infrastructures (hereinafter the “Critical Infrastructures Act”), only the critical infrastructures designated by the sectoral authority are subject to that Act.
Obligations regarding security measures
The Telecom Act (see Article 114) defines the security measures that operators must take to ensure the proper operation of their networks and services (for instance in connection with the risk of a power cut-off) and to protect the (personal) data processed in the provision of these networks and services.
However, according to the Critical Infrastructures Act (see Article 13), the operator of such an infrastructure must design and implement a security plan, which includes at least the permanent internal security measures, applicable in all circumstances, and graduated internal security measures to be applied in accordance with the threat.
Obligations regarding incidents notification
Article 114/1 of the Telecom Act distinguishes 3 cases in which operators must notify a security incident:
- The obligation to notify BIPT of a particular risk of network security breach;
- The obligation to notify BIPT of a security breach or loss of integrity that has had a significant impact on the operation of networks or services. What should be understood by “significant impact” and the details of notification have been clarified in the BIPT Council Decision of 14 December 2017 (see the “Practical information” section);
- In case of a breach of personal data transmitted, stored or otherwise processed in connection with the provision of electronic communications services, the operator shall inform the Data Protection Authority, which in turn shall inform BIPT without delay. In some cases, the subscriber concerned by the breach must also be informed. BIPT and the Data Protection Authority consult each other on the management of the incident.
According to the Critical Infrastructures Act (see Article 14), the operator shall give notification when an event occurs whose nature may threaten the security of the critical infrastructure.
BIPT processes security incidents via its duty team, created for this purpose.
Monitoring and sanctions
BIPT monitors compliance with the legislation and its implementing measures and imposes sanctions if necessary. To this end, the Institute has been appointed as the inspection service for the electronic communications sector within the framework of the Critical Infrastructures Act.
The main provisions regarding network security are:
- Concerning network security in the narrower sense:
- Concerning personal data breaches:
- Concerning the protection of critical infrastructures in the electronic communications sector:
  - The Act of 1 July 2011 on the security and protection of critical infrastructures;
  - The Ministerial Order of 17 October 2011 regarding the appointment of the sectoral authority for the electronic communications sector;
  - The Ministerial Order of 17 April 2013 regarding the appointment of the sectoral authority for the electronic communications sector;
  - The Royal Decree of 27 May 2014 implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures.
- Consultation on the communication project on the risk analyses regarding the security of networks and information systems
- Communication on the COVID-19 virus following the communication of the Belgian government of 17 March 2020
- Communication on the COVID-19 virus
- Opinion of 15 May 2019 on the draft Royal Decree implementing the NIS Act as well as certain provisions of the “Critical Infrastructures Act”
- Support document for the preparation of a security plan
- Decision of 14 December 2017 regarding the thresholds and terms and conditions for reporting of security incidents within the electronic communications sector
- Consultation draft decision on the thresholds and terms and conditions for the notification of security incidents
- Communication of 18 November 2015 about the risk of power cuts during winter 2015/2016
- FAQ Planned power cut-offs winter 2014-2015
- Decision of 1 April 2014 laying down the circumstances in which the operators have to notify BIPT of a security incident and the terms and conditions of this notification
- Communication of 16 September 2013 regarding hacking at Belgacom
- Consultation on the draft Royal Decree implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures
- Communication of 30 April 2013 on the possible risks of a safety breach regarding the mobile telephony networks and services in the context of the 2G and 2.5G technology
- Draft decision of 3 May 2013 laying down the situations in which operators have to report a security incident to BIPT, as well as the terms and conditions of such notification
- Opinion of 17 February 2012 to Minister Vande Lanotte on the potential risks of security violation in mobile telephone networks and services within the framework of 2G and 2.5G technologies