
Relevant companies

According to the Act of 13 June 2005 on electronic communications (hereinafter the “Telecom Act”), all operators without exception must respect the provisions regarding network security.

However, in the electronic communications sector referred to in the Act of 1 July 2011 on the security and protection of critical infrastructures (hereinafter the “Critical Infrastructures Act”), only the critical infrastructures designated by the sectoral authority are subject to this Act.

Obligations regarding security measures

The Telecom Act (see Article 114) defines the security measures that operators must take to ensure the proper operation of their networks and services (for instance in view of the risk of an electricity switch-off) and to protect the (personal) data processed in the provision of these networks and services.

However, according to the Critical Infrastructures Act (see Article 13), the operator of such an infrastructure must design and implement a security plan, which includes at least the permanent internal security measures, applicable in all circumstances, and graduated internal security measures to be applied in accordance with the threat.

Obligations regarding incident notification

Article 114/1 of the Telecom Act distinguishes between 3 cases in which operators are required to notify security incidents:

  • The obligation to notify BIPT of a particular risk of network security breach;
  • The obligation to notify BIPT of a security breach or loss of integrity that has had a significant impact on the operation of networks or services. What should be understood by “significant impact” and the details of notification have been clarified in the BIPT Council Decision of 14 December 2017 (see the “Practical information” section);
  • In case of a breach of personal data transmitted, stored or otherwise processed in connection with the provision of electronic communications services, the operator shall inform the Data Protection Authority, which in turn shall inform BIPT without delay. In some cases, the subscriber concerned by the breach must also be informed. BIPT and the Data Protection Authority consult each other on the management of the incident.

According to the Critical Infrastructures Act (see Article 14), the operator shall give notification when an event occurs that, by its nature, may threaten the security of the critical infrastructure.

BIPT processes security incidents via its duty team, created for this purpose.

Monitoring and sanctions

BIPT monitors the observance of the legislation and of its implementation measures and imposes sanctions if necessary. To this end, the Institute has been appointed as inspection service for the electronic communications sector within the framework of the Critical Infrastructures Act.

