Belgium is one of the handful of EU Member States that have transposed the NIS2 Directive into national law. The Center for Cybersecurity Belgium (CCB) released Version 2.0 of its Frequently Asked Questions (FAQ) in February this year, offering updated guidance on key regulatory aspects. CCB is the Belgian national authority for cybersecurity.

The FAQ document covers a very wide range of issues, following the structure and content of the Belgian cybersecurity law based on the NIS2 Directive (Law of 26 April 2024 – NIS2 Law). This article provides an overview of selected issues. In particular, we point out the provisions of the Law on NIS2 in which the Belgian legislator took a different approach than the legislators in the Western Balkans, specifically in the recently adopted cybersecurity law in Montenegro and the law that is currently in the process of being adopted in Serbia. Clarifications provided by the Belgian cybersecurity agency help to assess the likely difficulties or, conversely, benefits that may result from the different legislative approach in Montenegro and Serbia.

Distinction between the main and ancillary activity of an entity

Generally, for an entity to fall within the scope of the Belgian NIS2 Law’s application, it is irrelevant whether the service captured by the law’s scope is the main or an ancillary activity of the entity. However, there is an exception to this general rule: an entity falls within the scope of the NIS2 Law if traffic management, the operation of intelligent transport systems, the distribution of water intended for human consumption, or the collection, discharge or treatment of waste water, is an essential part of the entity’s general activity. If the provision of one of the listed services is a non-essential part of the activity, the entity does not fall within the scope of the NIS2 Law.

The above clarification is relevant in Serbia, although in a somewhat different way than in Belgium. Under the Serbian draft law, if the distribution of water intended for human consumption, or the collection, discharge or treatment of waste water, is not the predominant part of the activity, the entity still falls within the scope of the law, but as an important (not essential) entity.

In any event, in Serbia the legislation generally attaches little significance to the distinction between “essential” and “important” entities, in terms of the cybersecurity requirements, the exposure to regulatory oversight, and the severity of sanctions. The classification carries somewhat greater weight in Montenegro, and substantially greater weight under the NIS2 Directive (and consequently under the Belgian NIS2 Law).

Managed service providers

The NIS2 Law, as well as the cybersecurity legislation adopted in Montenegro and in the process of adoption in Serbia, include “managed service providers” among the entities to which the law applies. The contours of the concept are not as obvious from the natural meaning of the words as in the case of the entities from other sectors (“energy”, “transport”, “banking”, “financial market”, “waste management”, “chemicals”, “food production”, and so on). Nor is the meaning immediately clear from the rather technical definition of a managed service provider as “an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely”.

The CCB gives some useful examples of a managed service provider:

  • a helpdesk providing operational support to the users of a network or application via remote assistance;
  • a software developer providing remote assistance in the installation and/or maintenance of its applications;
  • a maintenance service for a customer’s networks and other activities carried out on the customer’s premises.

“Assistance” is of a “reactive” nature, and examples include helping customers when they encounter problems or need guidance, troubleshooting, helping with setup and configuration, and similar. For the more proactive “active administration”, the Belgian cybersecurity authority gives examples of system monitoring and regular maintenance and updates.

Cross-border and M&A implications for businesses

Each organisation is individually subject to compliance review under the NIS2 Law. However, things become more complex when a Belgian company has subsidiaries or branches across the EU and is classified as a cross-border service provider.

If a company in an EU Member State must comply with NIS2, but its parent company is from a non-EU country, the parent company does not itself fall under NIS2. However, when both entities operate on shared IT infrastructure or networks, the parent company in effect must apply NIS2 cybersecurity measures, too. The indirect application of NIS2 to a parent company based outside the EU can be justified by the “all-hazards approach”, which considers all potential threats, including those stemming from the parent company’s vulnerabilities that could impact the cybersecurity of the subsidiary that is subject to NIS2.

A foreign parent company needs, for all practical purposes, to follow the requirements of the NIS2 Law in another case as well: when the parent company is part of the subsidiary’s supply chain.

When a company based in a non-EU country opens a branch (i.e. not a distinct legal entity) in an EU Member State, the foreign company is subject to the NIS2 obligations in the EU Member State, even if no IT systems are in the branch office.

Companies based outside the EU must also comply with NIS2 if they provide services within its borders. According to the CCB, several indicators suggest that a company intends to operate in the EU, such as offering services in multiple EU languages or mentioning customers or users who are in the Union. However, the mere accessibility of a company’s website from EU territory does not mean the company plans to provide services for the EU market, and such companies will therefore not be subject to NIS2 cybersecurity standards.

CCB’s clarifications concerning the assessment of the territorial application of the law can by analogy be applied in the Montenegrin or Serbian context.

The other interesting question is what happens to the classification of a company after an acquisition. Acquiring a NIS2-regulated entity does not automatically transfer its classification as an essential or important entity to the acquiring entity. If, as a result of the acquisition, the organization grows large enough, the new entity might move to “essential” status even if, prior to the acquisition, one or both entities were “important” only.

The above considerations are relevant because a company planning to do business in the EU market needs to know to what extent it is obliged to comply with NIS2 and how this directive through national implementations across EU Member States affects the company’s cybersecurity strategy. Furthermore, regarding changes in the status of a company, NIS2 may expand the scope of M&A due diligence, requiring the inclusion of cybersecurity risk assessments.

The recent cybersecurity law in Montenegro, as well as the law’s proposal in Serbia, oddly do not include numerical criteria among the bases for classification of an entity as an “important” or “essential” one. The distinction is based entirely on the type of activity performed by an entity. For that reason, the above explanations regarding the acquisition of a company are not relevant in the two Western Balkans countries.

Incident reporting procedure

The NIS2 Law requires entities to report significant cybersecurity incidents promptly. Within 24 hours of detecting a major incident, an organization must send an early warning to relevant authorities. This initial report should indicate whether the incident may have resulted from a cyberattack or other malicious activity and whether it could affect multiple countries. The early warning only includes essential details to alert authorities, allowing the company to prioritize managing and resolving the issue.

It is remarkable that in Serbia and Montenegro the lawmakers seem to have disregarded the NIS2 rationale behind an early warning. As the Belgian CCB explains in the FAQ document, the purpose of the early warning is to bring the incident to the attention of the relevant authority and enable the entity concerned to request assistance, if necessary. An onerous reporting obligation at that stage might “divert resources from the management of significant incidents or otherwise compromise the entity’s efforts in this regard”, as the CCB puts it. However, the draft law in Serbia requires entities to produce a detailed incident notification within the first 24 hours of detecting the incident. The recently adopted cybersecurity law in Montenegro leaves it to the Ministry of Public Administration to determine the elements of the initial notification of the incident. As of this writing, the Ministry has still not adopted a decree on the contents of the notification.
* Fourth-year law student at the Belgrade University School of Law, intern at BDK Advokati.