A. The following key laws/regulations apply at European Union level:

(i) Data Protection & Privacy

• Charter of Fundamental Rights of the European Union (“EU Charter”), which includes the right to privacy (Article 8) and is directly applicable in all EU Member States.
• E-Privacy Directive 2002/58 (“E-Privacy Directive”), which harmonises the provisions of the EU Member States to ensure an equivalent level of protection of the right to privacy and the processing of personal data in the electronic communication sector. As an EU Directive, it is not directly applicable, but needs to be transposed into Member State law.
• General Data Protection Regulation 2016/679 (“GDPR”).The GDPR is the overarching EU legislation designed to safeguard the rights and privacy of individuals in the processing of their personal data, while also facilitating the free movement of such data. In Belgium, the GDPR has direct effect, empowering individuals to directly invoke and rely on its provisions. The authority responsible for its enforcement is the Belgian Data Protection Authority (Autorité de protection des données/Gegevensbeschermingsautoriteit).
• Police Data Directive 2016/680 (“Police Data Directive”).The Police Data Directive lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. As an EU Directive, it is not directly applicable, but needs to be transposed into Member State law.

(ii) Cybersecurity

• Cybersecurity Act 2019/881 (“CSA”).With a view to increase cybersecurity in the EU, the CSA establishes a common European framework for cybersecurity certification of ICT products, services, and processes, and reinforces the role of the European Union Agency for Cybersecurity (ENISA), by granting it enhanced responsibilities in the area of cybersecurity certification.
• Digital Operational Resilience Act 2022/2554 (DORA). DORA aims to enhance the IT security of financial institutions, including banks, insurance companies, and investment firms, ensuring that the European financial sector remains resilient in the face of significant operational disruptions. As an EU Regulation, DORA is directly applicable in Belgium. The authorities responsible for its enforcement are the National Bank of Belgium and the Financial Services and Markets Authority.
• Network and Information Security Directive 2022/2555 (“NIS-2”). NIS-2 is aimed to build cybersecurity capabilities across the EU, mitigate threats to network and information systems used to provide essential services in key sectors, and ensure the continuity of such services when facing incidents. NIS-2 is the successor to the first EU NIS Directive and was adopted to respond to the increased exposure of European entities to cyber threats. As an EU Directive, it is not directly applicable, but needs to be transposed into Member State law. NIS-2 is supplemented by a Commission Implementing Regulation on Critical Entities and Networks, which lays down the technical and methodological requirements of the measures referred to in NIS-2 with regard to entities active in the digital sector.
• Directive on the resilience of critical entities 2022/2557 (“CER”). The CER aims to improve cybersecurity of critical entities by focusing on physical infrastructures: it aims to ensure that key sectors are able to withstand and respond to various forms of crisis, thereby protecting society and maintaining the continuity of vital services and functions. As an EU Directive, it is not directly applicable, but needs to be transposed into Member State law.

Note: At the level of the Council of Europe (not an EU body), the European Convention on Human Rights (“ECHR”), which includes the right to respect for private and family life (Article 8), applies and is being enforced by the European Court of Human Rights. Additionally, consideration should be given to Convention 108, an international instrument that requires signatory countries to take the necessary steps in their domestic legislation to apply the principles it lays down ensuring fundamental human rights with regard to the processing of personal information. Convention 108 is seen as the “mother” of the EU’s GDPR. It was modernised in 2018 (Convention 108+).

B. The following key national laws/regulations apply at Belgian level:

(i) Data Protection & Privacy

• The Constitution is the foundation on which the political and legal organisation of Belgium is based. Its provisions include the fundamental rights and freedoms of Belgian citizens. Among its dispositions, figures the right to respect for private and family life (Article 22).
• Code of Economic Law, which contains certain provisions on direct marketing in its Book VI and is supplemented in this respect by the Royal Decree of 4 April 2003 regulating the sending of advertising by e-mail.
• Law of 21 March 2007 on the use of camera surveillance, which regulates the use of CCTV in public and private areas. The authority responsible for its enforcement is the Belgian Data Protection Authority.
• Law of 3 December 2017 on the establishment of the Belgian Data Protection Authority, which establishes the legal status, composition, tasks and powers of the Belgian data protection regulator. This law was recently updated (in 2023 and 2024) to reform the internal composition of the regulator and to allow third parties to appeal enforcement decisions.
• Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data (the “Belgian Data Protection Act”),which contains the national transposition of the Police Data Directive and some provisions of the E-Privacy Directive (notably cookie rules). It also supplements the GDPR by incorporating national choices and derogations allowed by the GDPR. The authority responsible for its enforcement is the Belgian Data Protection Authority.

(ii) Cybersecurity

• Law of 20 July 2022 on the cybersecurity certification of information and communications technologies and designating a national cybersecurity certification authority. This law provides the Belgian framework for the implementation of the CSA and is supplemented by a Royal Decree of 16 October 2022.
• Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of public interest for public security (“NIS-2 Act”), which is the Belgian transposition of NIS-2. The NIS-2 Act is supplemented by a Royal Decree of 9 May 2024. The authority responsible for its enforcement is the Belgian Centre for Cybersecurity (CCB).

Note: Additional laws and regulations apply at sector-specific level (e.g., for the financial sector, consumer credit, the telecom sector, healthcare etc.) and to certain processing by public bodies. Also the topic of employee privacy is regulated separately, by several Collective Labour Agreements (e.g., regarding electronic monitoring of employees).

The following key proposals related to personal data processing and cybersecurity are currently under review and are expected to enter into force in 2025-2026:

• Belgian law transposing the CER. Although the deadline for transposing the CER, which was 18 October 2024, has already passed, Belgium has not yet completed the transposition. On 20 December 2024, the government submitted a new draft law to Parliament, aimed at transposing the CER into Belgian law. The transposition law is expected to be adopted in 2025.
• EU Artificial Intelligence Act (“AI Act”), designed to safeguard fundamental rights, democracy, the rule of law, and environmental sustainability against AI systems posing excessive risks, establishing obligations for AI based on its potential risks and level of impact. The AI Act entered into force on 1 August 2024 and will be fully applicable by 2 August 2026, with a few exceptions: (1) prohibitions and AI literacy obligations already started to apply on 2 February 2025; (2) governance rules and obligations for general-purpose AI models will come into effect on 2 August 2025; and (3) the rules for high-risk AI systems embedded in regulated products will have an extended transition period until 2 August 2027.
• EU Cyber Resilience Act (“CRA”). The CRA focuses on the cybersecurity features of products themselves. The CRA entered into force on 10 December 2024, with the main obligations introduced by the Act set to apply from 11 December 2027, with the following intermediary steps: (1) obligations for notifying conformity assessment bodies will become applicable on 1 June 2026; and (2) reporting obligations for vulnerabilities and security incidents will become applicable on 11 September 2026. As a Regulation, the AI Act will be directly applicable in all EU Member States.
• European Health Data Space Regulation (“EHDS”).The EHDS is an EU initiative to enhance access to and control over personal electronic health data. The EHDS entered into force on 26 March 2025, marking the start of a long transition period set to conclude in March 2034. Key components of the EHDS are scheduled to take effect in March 2029, including the exchange of the first group of priority health data categories (such as Patient Summaries and ePrescriptions/eDispensations) across all EU Member States. Additionally, rules governing the secondary use of most data categories, including data from electronic health records, will also begin to apply at that time. As a Regulation, the EHDS will be directly applicable in all EU Member States.

There are no mandatory data protection-related registration or licensing requirements for entities under the aforementioned laws, except for the obligation for companies that have appointed a Data Protection Officer (“DPO”) to register such DPO with the Belgian DPA.

In the field of cybersecurity, the NIS-2 Act requires all in-scope entities to register with the CCB. Registration must be completed via the online form on the CCB’s Safeonweb@Work platform. If an entity has already provided some of the required information to a sectoral authority due to another legal obligation, it only needs to update this information with the sectoral authority, which will then forward it to the CCB. Failure to register may result in sanctions such as warnings, reprimands, or orders to complete the registration. Additionally, if an entity fails to comply with a registration order, it could face an administrative fine up to EUR 200,000 (see also Question 44 below).

The relevant definitions are those set out in Article 4 of the GDPR. Personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Special categories of personal data (commonly called “sensitive data”) is any subset of personal data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership” or concerns “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

Note: Data related to criminal offences and convictions (Article 10 GDPR) is not included in the definition of special category data, but is commonly also deemed included in the notion of “sensitive data”. The same goes for the unique National Registry Number allocated by the government to all Belgian citizens, and the processing of which is in principle prohibited (except where specifically allowed by law).

There are no specific principles provided in Belgian legislation that deviate from the GDPR. Therefore, the general principles of Articles 5 and 6 GDPR apply, notably:

1. Lawfulness (Article 5(1)(a) GDPR), referring to need to have a valid legal basis for the processing of personal data. The GDPR outlines an exhaustive list of legal bases (see Article 6 GDPR) and a specific list of additional requirements for the processing of “sensitive data” (see Article 9 GDPR).
2. Fairness (Article 5(1)(a) GDPR), meaning that personal data must be handled in a way data subjects would reasonably expect.
3. Transparency (Article 5(1)(a) GDPR), according to which data subjects should be provided with information about the processing in a form that is “easily accessible and easy to understand”, using “clear and plain language”. This is further detailed in Articles 13 and 14 GDPR (see question 28).
4. Purpose limitation (Article 5(1)(b) GDPR). Personal data should be processed for “specified, explicit and legitimate purposes“. In practice, this principle dictates that before data processing begins, the purpose must be specified and that it is prohibited to process the data for a purpose incompatible with the original intent.
5. Data minimization (Article 5(1)(c) GDPR), according to which a data controller should collect only the minimum amount of data needed to meet the purpose of the processing.
6. Accuracy (Article 5(1)(d) GDPR). This is about the quality of the data collected, which must be “accurate and, where necessary, kept up to date“.
7. Storage limitation (Article 5(1)(e) GDPR), according to which personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed“.
8. Integrity and confidentiality (Article 5(1)(f) GDPR). Personal data should be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures“. This requirement extends beyond cybersecurity and includes both physical and organisational security.

Finally, the data controller shall be responsible and able to demonstrate compliance with these essential processing principles (Accountability – Article 5(2) GDPR).

(i) Circumstances in which consent is required or typically obtained

Consent is one of the legal bases recognized by Article 6 of the GDPR and Article 9 of the GDPR. It is typically used as legal basis for the processing of photographs/images of persons, for electronic direct marketing (consent is legally required, except – under strict conditions – for electronic mailings to existing customers), and for the use of non-essential cookies (opt-in consent is required under E-Privacy implementation). In some cases, it is also used to legitimize the processing of “sensitive data” (e.g. health or biometric data) and personal data relating to criminal offences or criminal convictions (cf. Article 10 of the Belgian Data Protection Act).

The validity of a consent as legal basis for processing is determined by Article 7 GDPR, and by ample case law of the Belgian Data Protection Authority. In an employer-employee context (or in other circumstances of manifest imbalance of power), consent is however not deemed appropriate as legal basis, and often declared invalid (as not “freely given”).

Finally, Article 22 of the GDPR also provides that consent is required – with limited exceptions – for automated decision-making which produces legal effects or similarly significantly affects a data subject.

(ii) Rules relating to the form, content and administration of consent

Article 4(11) GDPR defines a valid consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Article 7 GDPR (and recitals 32, 33, 42, and 43) provide additional guidance. Notably, valid consent must be (i) freely given (the data subject must have a genuine choice and not fear negative consequences for refusal), (ii) specific (it must be related to a specific processing operation and a determined purpose, (iii) informed (before giving consent, the individual must receive certain transparency notices), and (iv) unambiguous. In some cases (e.g., for non-essential cookies or for electronic direct marketing), consent must moreover be given explicitly (“opt-in”). Methods such as pre-ticked boxes, bundled consents, or inaction are generally not considered valid forms of consent.

The rules governing the administration of consent are the following:

• The controller must be able to demonstrate at any time that the data subject has consented under valid conditions; and
• The processing of a child’s personal data based on consent is only lawful, in Belgium, if the child is at least 13 years old.

The following personal data is considered ‘sensitive’ and is subject to specific processing conditions (Article 4(13)(14)(15), Article 9 and recitals 51 to 56 GDPR):

• personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
• trade-union membership;
• genetic data;
• biometric data processed solely to identify a human being;
• health-related data; and
• data concerning a person’s sex life or sexual orientation.

The processing of these types of personal data is in principle prohibited, except where a limited exception as set out in Article 9 GDPR applies (e.g.; consent or a legal obligation to process).

Note: Data related to criminal offences and convictions (Article 10 GDPR) is not included in the definition of special category data, but is commonly also deemed included in the notion of “sensitive data”. The processing hereof is in principle prohibited, except where explicitly mandated or allowed by law.

Articles 8, 9 and 10 of the Belgian Data Protection Act (i) contain additional exceptions allowing for the processing of “sensitive” and “criminal” data, respectively; and (ii) require the data controller (or, where applicable, the data processor) to take the following additional measures when processing such data:

1. Designating the categories of individuals with access to the data, with a precise description of their function regarding the processing of the data;
2. Making this list of designated categories of individuals available to the supervisory authority upon its request; and
3. Ensuring that the designated individuals are subject to a legal or statutory obligation, or an equivalent contractual provision, to respect the confidentiality of the data concerned.

Certain additional derogations, exclusions or limitations (i) cover the processing of the National Registry Number, (ii) apply to the processing by public bodies, government authorities and law enforcement, (iii) apply to the processing for journalistic or academic/artistic/literary purposes, for archiving in the public interest, and for scientific or historical research or statistical purposes, (iv) are included in sector-specific laws, or (v) are governed by specific labor law rules protecting privacy in an employment context.

Article 35 of the GDPR imposes an obligation on the data controller to conduct a data protection impact assessment (DPIA) before initiating any processing that poses a high risk to the rights and freedoms of natural persons, in particular where the intended processing involves (i) an assessment of personal aspects, such as profiling, followed by a decision relating to the natural person concerned; (ii) large-scale processing of data as referred to in Articles 9-10 GDPR; or (iii) the systematic and large-scale monitoring of publicly accessible areas.

To determine whether or not a controller needs to conduct a DPIA, elements such as the types and amount of personal data, the categories and numbers of individuals involved, the nature, context, scope and purpose of the processing, the use of new technologies, and the categories of persons who may have access to the data, are relevant. For a better understanding of whether a DPIA is required, the Belgian DPA has published a DPIA manual and a list of processing activities for which a DPIA is deemed mandatory (e.g., for the use of biometric data for the purpose of uniquely identifying individuals in a public space or in private spaces accessible to the public, when health data of an individual is collected in an automated manner through an active implantable medical device; when there’s large-scale and/or systematic processing of telephony, internet, or other communication data, metadata, or location data of or attributable to individuals, etc.).

Even when not mandatory, it’s generally also advised to conduct a DPIA for other processing activities, as it helps controllers consider and demonstrate compliance and potential risks.

The Belgian DPA has not published any template DPIA.

Additionally, in the context of international data transfers, a “data transfer impact assessment” may also be required (see question 32).

Article 40 of the GDPR provides an opportunity for stakeholders to develop codes of conduct to ensure the effective implementation of the GDPR within specific sectors or for particular processing activities. In accordance with Article 40(5), associations and other bodies that wish to create, amend, or extend a code of conduct must submit their draft to the competent Data Protection Authority (DPA). For codes of conduct covering processing activities across multiple Member States, a cooperation mechanism between national DPAs, the European Data Protection Board (EDPB), and the Commission is in place. Once approved, these codes, along with any amendments or extensions, must be published.

The Belgian DPA has approved the following codes:

• The code of conduct from the National Chamber of Notaries, approved on April 8, 2021. This code outlines specific procedures for appointing a data protection officer, ensuring data security, increasing staff awareness, and informing individuals about their data rights. The National Chamber of Notaries is responsible for ensuring compliance with this code among notaries.
• The transnational EU Cloud Code of Conduct, approved on May 20, 2021. This code implements the requirements of Article 28 of the GDPR (concerning data processors) and other relevant GDPR provisions, aimed at ensuring their application within the cloud market, including for IaaS, PaaS, and SaaS services. Scope Europe is responsible for overseeing compliance with this code.

The obligation for controllers to keep an internal record of processing activities (or ROPA) is included in Article 30 GDPR. This ROPA needs to contain at least the following:

• Name and contact details of the controller;
• Purpose of processing;
• Description of the categories of the personal data and individuals;
• (Categories of) recipients of the data;
• In case of transfers: identification of a third country or international organization;
• Retention periods; and
• Description of technical and organizational security measures.

According to the same provision, processors need to maintain a more limited ROPA. The record should at least contain information on:

• The name and contact details of each controller by which they are engaged;
• Categories of processing;
• In case of transfers, identification of a third country or international organisation; and
• Description of technical and organizational security measures.

Article 30(5) GDPR excludes organizations with fewer than 250 employees from the ROPA obligation, except where they process special categories of data or personal data relating to criminal convictions and offences, where the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, or where the processing is not occasional.

The Belgian legislator has adopted some additional ROPA requirements in relation to processing for archiving in the public interest and for scientific or historical research or statistical purposes.

The Belgian DPA published templates of controller/processor records (in excel format), which companies are free to use on a voluntary basis. Businesses in Belgium typically use these templates, similar excel files or dedicated internal record-keeping software offered on the market by specialized providers.

The storage limitation principle, as set out in Article 5.1.e) GDPR, requires that personal data should only be kept for as long as is necessary for its intended purpose. When no longer necessary for such purpose, personal data should be deleted or anonymised (see also Article 17 GDPR describing the right to erasure or “right to be forgotten”). Neither the GDPR, nor the Belgian Data Protection Act, impose specific data retention periods or additional requirements or procedures (except for some additional pseudonymisation/anonymisation requirements for archiving in the public interest and processing for scientific or historical research or statistical purposes).

In practice, most companies establish a data retention policy to comply with this principle. Such policy sets out retention periods (or, at least, the means to determine such retention period) per category of personal data and/or per processing purpose. In most cases, the appropriate retention period is either linked to the expiry of a contract, the applicable statute of limitation, or certain minimum or maximum retention periods determined by law for certain types of data (e.g., payroll records, accounting documents, CCTV footage).

As regards data disposal/deletion, the Belgian DPA published a document in 2021 with guidelines concerning techniques for data cleansing and the destruction of data carriers. These guidelines discuss techniques such as overwriting, cryptographic erasure, demagnetization, etc. for different types of media (HD, SSD, paper, etc.) that either make it impossible to access the data on a protected medium (erasure without the possibility of reconstruction and encryption) or bring about the destruction of the medium (without the possibility of reconstruction). Depending on the type of storage medium, the DPA lists the recommended clean-up and destruction techniques to achieve the desired level of confidentiality.

Article 36 of the GDPR requires that, before implementing a new processing operation that poses a significant risk to the rights and freedoms of individuals, companies are obliged to seek the advice of the competent supervisory authority, unless they can take measures to mitigate such risks. Data processing cannot commence until the DPA has evaluated the request. Typically, the DPA furnishes written guidance to the data controller within 8 weeks from receipt of the request. In complex cases, it may extend this timeframe by 6 weeks.

Outside the framework of Article 36 GDPR, no general right or possibility for consultation with the Belgian DPA exists.

Article 37 GDPR specifies three cases in which it is mandatory to appoint a Data Protection Officer (DPO):

• The processing of data is carried out by a public authority or body, regardless of the data they process, except in the case of courts acting in their judicial capacity;
• The core activities of the controller or processor involve processing operations which, by their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
• The core activities of the controller or processor involve large-scale processing of data referred to in Article 9-10 GDPR.

The Belgian Data Protection Act adds a number of additional scenario’s in which as well as specific (public) entities for which the appointment of a DPO is mandatory, such as:

• Any company or institution conducting processing for scientific or historical research or statistical purposes (to the extent the processing may involve a “high risk” as referred to in Article 35 GDPR);
• Any private company processing personal data on behalf of a federal government or to which a federal government transfers personal data (to the extent the processing may involve a “high risk” as referred to in Article 35 GDPR);
• the public benefit foundation ‘Foundation for Missing and Sexually Exploited Children’, known as “Child Focus”;
• the competent authorities when processing personal data with the intention of prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
• the Belgian intelligence and security services when processing personal data;
• the relevant authorities acting as controllers or processors processing personal data within the framework of the Belgian Act of 11 December 1998 concerning classification, security clearances, security advice and the publicly regulated service; and
• the Coordination Unit for Threat Assessment and the joint database ‘Terrorism, Extremism, Radicalisation Process and their processors.

The appointment of a DPO is also mandatory for processors acting on behalf of a Flemish public body.

In addition, the law regulating the National Register of Natural Persons stipulates that those seeking authorization to access the national register must appoint a Data Protection Officer.

The position, tasks and legal responsibilities of the DPO are set out in Articles 38-39 GDPR. The Belgian DPA provides documents / a toolbox on its website that DPO’s can use to perform their tasks, including a table summarizing its case law regarding the independence and position of the DPO.

In Belgium, there is no general legal obligation to appoint a CISO or other type of compliance officer, although specific sectoral laws may require similar profiles to be appointed (e.g., in financial services, healthcare and electronic communications).

While neither the GDPR, nor Belgian law, contains specific obligations regarding employee training, the principle of accountability (cf. Article 24 GDPR) and the obligation to take adequate “organisational” measures to protect personal data processed by an organisation, is generally deemed to also imply some employee training obligations (as “best practice”).

To comply with the transparency principle included in article 5(1)(a) GDPR, controllers must provide data subjects with information about the processing of their personal data. This obligation applies to data obtained directly from data subjects (article 13 GDPR) and to data obtained from third parties (article 14 GDPR). The information notices should be presented in a concise, transparent, intelligible, and easily accessible manner, using clear and straightforward language, in accordance with the requirements outlined in Article 12 GDPR.

Belgian law contains limited exceptions to the general transparency obligations laid down in the GDPR, notably for processing by courts and tribunals, by public bodies, and for journalistic and academic, artistic and literary purposes, as well as for archiving in the public interest and for scientific or historical research or statistical purposes.

Additionally, there is ample case law of the Belgian DPA addressing the topic of transparency and best practices for providing privacy notices to data subjects.

Under the GDPR, there are different roles and obligations for controllers and processors of personal data. The controller, as defined in Article 4(7) GDPR, is the entity responsible for determining the purposes and means of processing personal data. Essentially, the controller has the primary responsibility for ensuring compliance with the GDPR.

The processor, as defined in Article 4(8) GDPR, is the entity that processes personal data on behalf of the controller and in accordance with the controller’s instructions.

The GDPR imposes more limited obligations on processors, including the requirement to enter into a ‘data processing agreement’ with the controller (Article 28 GDPR), the obligation to maintain an internal record of processing activities (Article 30 GDPR), and data security and data breach notification obligations (Articles 32-33 GDPR).

Automated Decision-Making and Profiling (Articles 4 and 22 GDPR):

• The GDPR defines profiling in its Article 4 as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
• Article 22 GDPR regulates the process of making a decision on the basis of personal data processing without any human involvement which produces legal effects concerning the data subject or similarly affects him or her. As a rule, such automated decision-making is prohibited, unless certain exceptions apply.
• The Belgian Data Protection Act contains additional restrictions on profiling and automated decision-making for law enforcement purposes.

Tracking Technologies and Cookies:

• Tracking technologies are typically used to track visitors of a website or users of an online application throughout their visit/use, and to monitor their behavior or actions across different platforms. Cookies are one of the most common tracking technologies.
• Belgian legislation implementing the E-Privacy Directive (see question 1) regulates both cookies as well as any other type of online tracking technology, by imposing (i) transparency requirements (i.e., posting a cookie notice online), and (ii) an opt-in consent requirement for all non-essential cookies (i.e., all cookies that are not strictly necessary to transmit a communication over an electronic communications network or to provide an information society service requested by the user).
• The Belgian DPA has published guidelines and extensive case law on the use of cookies and the applicable transparency and consent requirements (notably in relation to the Transparency & Consent Framework of IAB Europe).

Other types of monitoring:

• See response to question 1: specific Belgian laws and regulations regulate (i) employee monitoring by employers, and (ii) the use of camera surveillance.

Neither one of these notions is expressly defined in the GDPR or Belgian law. They are regulated by the general rules included in the GDPR and E-Privacy Directive, as targeted advertising still often relies on the use of cookies. Hence, we refer to question 18.

Additionally, the DSA regulates all forms of online advertising. Primarily, it provides for more extensive transparency and information obligations, such as the obligation to be transparent about profiling and prohibiting the use of profiling to provide targeted advertisements towards minors, as well as the use of profiling that involves specific categories of personal data, such as religious beliefs or sexual orientation, for targeted advertising.

The “sale” of personal data is not defined in Belgian law. It is however a type of “processing” governed by the GDPR. Hence, the rules relating to the processing of personal data set forth by the GDPR and applicable national laws, also apply to the “sale” of personal data. Note that the Belgian DPA has already issues fines to controllers for not complying with their transparency obligations under the GDPR when selling customer data.

Belgian law lacks a definition of direct marketing. Hence, the DPA has adopted its own definition and interpretation as to what constitutes direct marketing. The DPA very recently updated its guidance on direct marketing and published “Recommendation 01/2025 on the processing of personal data in direct marketing”. The new recommendation also provides for an updates (and broader) definition of direct marketing, which is: “all activities that result in the direct communication of messages with a promotional content to one or more identified or identifiable natural persons”. The guidance also includes several examples.

The rules regarding direct marketing can be distinguished by the communication means used:

• For all types of direct marketing (including ordinary mail), the GDPR applies to the extent this involves personal data processing.
• For electronic direct marketing (e.g., by means of e-mail, SMS, pop-ups, etc.), prior opt-in consent must be obtained (Article XII.13 Code of Economic Law). In limited circumstances, an opt-out right however suffices (notably for direct marketing for the company’s own products and services to existing customers – not for prospects – provided that transparency requirements are met, and the addressee is provided with the opportunity to object).
• The use of automated calling systems without human intervention or faxes for the purpose of direct marketing is also prohibited without the prior, free, specific and informed consent of the addressee (Article VI.110 Code of Economic Law).
• For direct marketing via telephone (not falling within any of the two categories mentioned above), a right to object applies, which is implemented in practice by registration on an official “do not call me”-list. It is prohibited to make direct marketing calls to a number included on this list, except on the basis of the recipient’s prior opt-in.

Generally, it is also forbidden to conceal the identity of the person or entity on whose behalf a marketing communication is made (Article VI.110 Code of Economic Law), and that any persistent and unwanted solicitation by telephone, fax, e-mail or other remote media towards consumers specifically, is considered an “unfair” (aggressive) commercial practice, which is equally prohibited (Article VI. 103, °3 Code of Economic Law). Finally, the use of an electronic communications network or service or other electronic means of communication to cause nuisance or harm, is prohibited, as well as setting up any “device” intended to commit the foregoing infringement, and attempts to commit it (Article 145 Electronic Communications Act).

The processing of biometric data is regulated by the GDPR (Article 9 – as a category of “sensitive data”, see question 8 above).

The Belgian DPA has issued Guidelines addressing biometrics, notably when used in an employment context, confirming its position that biometrics are generally to be deemed prohibited in Belgium due to the lack of a specific legal basis in national law and the presumed invalidity of consent.

Note: The AI Act further restricts the processing of biometric data using artificial intelligence by imposing additional requirements on certain AI systems. The special attention given to employees and the employment context by the Belgian DPA in its abovementioned guidelines is also present in the AI Act. As per the AI Act, emotion recognition systems in the workplace are classified as carrying an unacceptable risk and are thus prohibited. The AI Act also prohibits biometric categorization of natural persons to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs or sexual orientation, as well as real-time remote biometric identification in publicly accessible spaces by law enforcement (subject to limited exceptions). For non-prohibited AI-systems relating to biometrics, these are typically classified as “high-risk”, and are thus subject to the most stringent obligations under the AI Act.

To date, Belgium has not adopted any national legislation on artificial intelligence or machine learning. At EU level, the AI Act has been adopted and has direct effect in Belgium (see question 2).

The entry into force of the AI Act follows a phased approach, with some provision applying since 2 February 2025, others that will apply as of 2 August 2025, and a full entry into force on 2 August 2027.

The AI Act classifies AI systems according to risk, ranging from unacceptable risk to low risk AI systems. The AI Act imposes various requirements on the development and use of AI systems and prohibits certain AI applications that pose a threat to citizens’ rights, as already exemplified in question 22. It focuses primarily on strengthening rules on data quality, transparency, human oversight and accountability in the use of AI systems.

Within the European Economic Area (EEA), transfers of personal data from one country to another are not restricted, provided that the general principles requirements for lawful data processing – as set out in the GDPR – are respected (e.g. lawful basis for the transfer, transparency, data processing agreement in place (if needed)).

Transfers of personal data from Belgium to a country outside the EEA are regulated by Chapter V of the GDPR. No additional restrictions apply under Belgian law.

Pursuant to Chapter V of the GDPR, whenever personal data are transferred to a recipient outside the EEA, no additional restrictions apply where the country to which the data are transferred has been recognized by the European Commission as a country providing adequate protection, equivalent to the level of protection offered by the GDPR (see European Commission’s “white list”).

For countries not on the “white list”, additional safeguards need to be implemented, except where one of the (limited) derogations set out in Article 49 GDPR applies (e.g., explicit consent, necessity for the execution of a contract with the data subject, necessity for the establishment, exercise or defence of legal claims, or a one-time occasional transfer). Where none of these derogations (which need to be interpreted restrictively) apply, the ‘data exporter’ and ‘data importer’ need to set up appropriate safeguards, providing for enforceable data subject rights and effective legal remedies for data subjects. These can include (see Article 46 GDPR), without requiring any specific authorisation from a supervisory authority, (i) Binding Corporate Rules (BCRs) in accordance with Article 47 GDPR, the implementation of Standard Contractual Clauses (SCCs), as adopted by the European Commission or by a national supervisory authority, adherence to an approved code of conduct, and certification. Subject to a prior authorisation from the competent supervisory authority, other appropriate safeguards (e.g. tailor-made contractual clauses, deviating from the SCCs), may also suffice.

Additionally, following case law of the CJEU (Schrems and Schrems II), the data exporter must carry out a data transfer impact assessment (DTIA) and identify and implement supplementary measures to ensure an “essentially equivalent” level of protection applies to the personal data transferred to a third country that is not whitelisted.

Pursuant to Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Adherence to an approved code of conduct or an approved certification mechanism may be used as an element by which to demonstrate compliance with these data security requirements.

Additional data security obligations apply to certain sectors, such as telecom, public bodies and entities within the scope of the NIS-2 Act.

The Belgian DPA has already imposed multiple sanctions for lack of (adequate) security measures to protect personal data.

Article 4 GDPR defines a ‘personal data breach’ as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The Belgian Data Protection Act additionally addresses personal data breaches within public bodies. This concept is further clarified by Guidelines of the European Data Protection Board.

Additionally, the NIS Act defines ‘incidents’ as “any event with an actual negative impact on the security of network and information systems”.

The personal data breach notification obligations set out by Articles 33 (notification to the supervisory authority) and 34 (notification to data subjects) of the GDPR apply. Pursuant to these provisions, the Belgian DPA must be informed by the data controller, without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notifications are filed by uploading a designated notification form onto the website of the Belgian DPA. Data processors, on the other hand, are only required to inform the relevant data controller without undue delay after becoming aware of a personal data breach. When the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall also inform the data subjects concerned of the personal data breach, without undue delay. Limited exceptions apply. This obligation (and its exceptions) is further clarified by Guidelines of the EDPB.

Entities falling within the scope of the NIS Act need to report certain incidents to the local cybersecurity regulator. Notably, providers of essential services shall report without delay any incidents significantly affecting the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service or services it provides depend to the national CSIRT (the Centre for Cybersecurity), the sectoral authority or its sectoral CSIRT (as designated for energy, transportation, healthcare and digital service providers), and the National Crisis Centre established within the Ministry of Interior Affairs. An online platform is available for the filing of such notifications. Digital service providers shall notify the same regulators, without delay, in case of any incident that has a significant impact on the provision of a service offered by them in the EU, but only when the digital service provider has access to the information necessary to assess all or part of the impact of an incident.

Additional security breach notification obligations apply to providers of electronic communication services and in the financial sector.

Notifications to law enforcement are generally not mandated by law but generally recommended by the regulators and from an insurance perspective.

Data privacy rights of individuals are laid down in the GDPR, which has direct effect in Belgium. These rights include (cf. articles 12 and 15-21 GDPR) a right to information/access, to rectification, deletion (‘right to be forgotten’), restriction of the processing, a right to data portability and a right to object to processing (absolute in case of direct marketing / conditional in case of processing on the basis of legitimate interests). Additionally, data subjects also have the right to not be subject to automated decision-making which produces legal effects concerning him or her or similarly significantly affects him or her (and to oppose hereto and request to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision). Finally, data subjects also have the right to lodge a complaint with their local supervisory authority.

Article 12 GDPR provides that the controller must respond to the request within one month. This deadline can be extended by two additional months, provided that such extension is duly motivated, and the data subject has been informed about the extension within the first month. The EDPB has published Guidelines on the calculation of this delay and on the modalities for responding to data subject (access) requests.

The exercise of these rights is subject to the conditions and exceptions laid down in the GDPR and the Belgian Data Protection Act. The latter for example includes exceptions for processing by courts and tribunals, by public bodies, for journalistic and academic, artistic and literary purposes, and for archiving in the public interest and scientific or historical research or statistical purposes.

Yes, the Belgian Data Protection Act provides for a private right of action. Data subjects can initiate civil court cases, either in cease-and-desist proceedings or in ordinary civil proceedings (e.g. to obtain damages). Representative actions are also possible, but only with a mandate from the data subjects (cf. Article 80.1 GDPR) and provided that the conditions set out in Article 220 of the Belgian Data Protection Act are met.

Finally, some infringements of GDPR are also criminally sanctioned. For example, the Belgian Data Protection Act provides for criminal fines in case of a.o. processing without a lawful basis, not respecting a data subject’s right to object to direct marketing, and non-compliant international data transfers. Both controllers and processors (as well as individuals involved in the processing) can be criminally prosecuted and sanctioned. So far, this has, however, been very rare.

Individuals are entitled to monetary damages or compensation if they are affected by breaches of data protection law. However, compensation cannot be obtained through administrative enforcement by the Belgian DPA, but rather requires civil (or criminal) proceedings to be initiated.

Extracontractual claims require the existence of a fault (e.g. a breach of the law), a damage, and a causal link between the two. Belgian law requires actual damage to have been sustained, which includes (sufficiently demonstrated) non-material damage, such as injury to feelings or emotional distress. When damages are granted, these can only compensate for the real prejudice suffered and can never be “punitive”. Amounts granted to individuals are therefore typically rather low. It is also possible for representative organisations to claim damages on behalf of a group of individuals, but only with such individuals prior mandate and following strict procedural rules (cf. Article 220 of the Data Protection Act).

Damages could also be claimed on the basis of contractual liability, in case contractual provisions on the processing of personal data have been breached by a party (e.g. a controller claiming damages from a processor based on a breach of a data processing agreement).

We are not aware of Belgian case law in relation to GDPR damages specifically. There has however been extensive case law of the CJEU on this topic (interpretation and application of Article 82 GDPR) in the past couple of years, which is also relevant for Belgium.

Data protection laws in Belgium are enforced primarily through administrative enforcement by the Belgian DPA. The DPA has investigative and corrective powers, including the authority to conduct audits, issue warnings and reprimands, and impose administrative fines for violations of data protection law.

In addition, two types of civil proceedings can be brought for GDPR violations: (i) cease-and-desist proceedings, and (ii) ordinary civil proceedings. More specifically:

(1) As regards cease-and-desist proceedings, a data subject or supervisory authority can ask the President of the Court of First Instance to establish a violation of data protection laws and to take certain actions other than granting damages, if necessary, under penalty (e.g. order the cessation of the violation, order to grant access, rectify or delete personal data, order to prohibit the use of incorrect, irrelevant, incomplete or illegal data, etc.;

(2) As regards ordinary civil proceedings, a plaintiff may claim damages to a controller or processor based on civil liability law to seek compensation for a prejudice suffered due to the violation of the GDPR by the controller or processor. In such proceedings, certain interim measures (e.g. temporary injunctions) can also be requested.

Finally, certain GDPR violations are criminally sanctioned. Criminal fines can be imposed on the data controller, the data processor and their personnel/representatives, for certain specific infringements enumerated in Articles 222-227 of the Belgian Data Protection Act.

Decisions of the Belgian DPA can be appealed before the Brussels Court of Appeal (Markets Court division).

Other sectorial data protection regulations (e.g. telecom, financial services) are enforced in a similar manner by the competent sectorial regulators.

As regards administrative sanctions for GDPR violations, the Belgian DPA can impose various sanctions, among which:

• warnings and reprimands;
• orders to comply with requests of data subjects, to inform data subjects, to bring the processing into conformity, subject to penalties (e.g., for legal entities up to 25,000 EUR per day or 5% of the daily revenue per day of delay from the day determined in the decision, whichever is higher);
• the freezing, restriction or temporary or final prohibition or suspension of processing, subject to penalties;
• publication of the decision on the DPA’s website (in non-anonymised form); and
• administrative fines.

Cf. Article 83 GDPR, administrative fines can reach up to 20,000,000 EUR or 4% of the worldwide annual revenue of the undertaking concerned (for lesser infringements: up to 10,000,000 EUR or 2% of the annual turnover). The highest fine imposed in Belgium to date amounted to 600,000 EUR, while more common fines typically vary between 25,000 and 200,000 EUR. In practice, fines are not the most common sanction imposed by the Belgian DPA, as it tends to issue warnings, reprimands or compliance orders more often.

As regards financial penalties linked to a court order in civil proceedings, these can vary widely and are usually determined by the judge based on an amount that is sufficiently dissuasive in relation to the defendant’s financial capacity.

Finally, as regards criminal sanctions for GDPR infringements, fines generally vary from 250 to 15,000 EUR (to be multiplied by an indexation factor, set today at 8) per offence. In exceptional cases, more severe sanctions (up to 20,000 or 30,000 EUR, to be multiplied by the indexation factor) apply. The controller, processor, or his representative in Belgium shall be civilly liable for the payment of fines to which his employees or representatives are convicted.

The judge can also order the publication of the judgement in one or more journals as an additional sanction.

Other sectorial data protection regulations (e.g. telecom, financial services) are enforced in a similar manner with similar types of sanctions.

The Belgian DPA applies the Guidelines on the calculation of administrative fines, as published by the EDPB. Additionally, the Belgian DPA has published its own (i) guidelines on financial penalties, and (ii) guidelines on the publication of decisions by the Litigation Chamber:

(1) As regards the guidelines on financial penalties, the imposition of penalties is motivated by the required compliance with the principal condemnation. The Litigation Chamber will consider a penalty if it has doubts as to whether the infringer will spontaneously comply with the principal condemnation. The penalty can only be imposed as an accessory to the principal condemnation. The criteria considered are as follows: financial capacity of the condemned party, nature and gravity of the violation, financial advantage of continuing / maintaining the violation, repetition of the violation, expected resistance or cooperation of the party(ies) in enforcing the condemnation, sufficiently high amount of the penalty.

(2) As regards the guidelines on the publication of enforcement decisions, the Litigation Chamber indicates that it operates based on the principle that all its decisions, with a few exceptions, are published on its website, with the general aim of transparency, visibility and accountability. Publication for sanction purposes is decided on a case-by-case basis and duly justified as such. As a rule, personal data contained in the published decisions are pseudonymized. However, the Belgian DPA can decide to publish a decision without pseudonymizing it first, as a sanction. As regards non-personal data concerning the identification of to legal entities, the Belgian DPA applies a similar reasoning, i.e. the name of the infringer will in principle be deleted, except, for instance, if the publication is imposed as a sanction, in case of retention of identification data at the request of the legal entity or if the identification of the legal entity is in the public interest.

Yes, they can be appealed before the Brussels Court of Appeal (Markets Court division). The Court of Appeal does not perform a new factual assessment but checks whether the DPA’s enforcement decisions respect the scope and limits of its competence, are properly motivated and respect the principles of due process.

The Belgian DPA receives more complaints and handles more cases each passing year and the fines imposed by the Belgian DPA tend to increase in value.

In the recent years, the Belgian DPA tended to focus its activities on:

• Processing activities after the end of an employment relationship (e.g. retention of and access to professional mailboxes);
• Direct marketing and data brokerage;
• Politics and public representatives (data processing in the context of elections);
• Private use of CCTV;
• Cookies; and
• The role and independence of DPOs.

Each year, the DPA publishes an annual report with a summary of its activities during the past year and a preview of its enforcement priorities for the next year.

1. Belgian Law of April 26, 2024 (NIS2 Law)

This law transposes Directive (EU) 2022/2555 (NIS 2 Directive) into Belgian law and establishes a framework for securing networks and information systems of public interest. It imposes the following main obligations on in-scope entities:

• Cybersecurity Risk Management: Organizations must adopt measures to manage cybersecurity risks, mitigate incidents, and protect service recipients. The law mandates eleven specific measures;
• Incident Notification: Entities must report significant cybersecurity incidents;
• Governance & Oversight: The management board must approve and oversee cybersecurity risk management and undergo cybersecurity training to ensure compliance; and
• Registration: Entities that are in-scope must self-register with the NIS-2 regulator, which is the Centre for Cybersecurity Belgium (CCB).

2. Belgian Law of July 1, 2011 (CER Law)

This law originally transposed Council Directive 2008/114/EC, which has since been repealed by Directive (EU) 2022/2557. A new Belgian transposition law is currently in preparation, expected to continue requiring cybersecurity risk management measures for critical infrastructures. In the actual version, still applicable, it is required that operators of critical infrastructure:

• Designate a point of contact;
• Develop a security plan (if cybersecurity is not explicitly mentioned, it is nonetheless part of the obligation to develop “a security plan aimed at preventing, mitigating, and neutralizing the risks of operational disruption or destruction of critical infrastructure”); and
• Notify when an event occurs that may threaten the security of critical infrastructure.

3. Regulation (EU) 2022/2554 (DORA Regulation)

DORA applies directly across the EU, including in Belgium, and imposes the following main obligations on entities within the financial sector:

• ICT Risk Management Framework: Design and implement robust ICT risk management frameworks;
• Impelementation of detection mechanism/reactive measures;
• Training and awareness;
• Business continuity management;
• Oversight of third-party service providers supporting critical functions;
• Incident Reporting: Report major ICT-related incidents to the FSMA, following a structured reporting process (initial, interim, and final reports);
• Digital Operational Resilience Testing: Perform regular testing to assess and improve digital resilience;
• Third-Party Risk Management:
  • Conduct due diligence on ICT third-party service providers (TPSPs);
  • Enter into specific contractual agreements with ICT TPSPs; and
  • Maintain and update a register of ICT TPSP relationships
• Client Communication: Notify clients if a serious ICT-related incident affects their financial interests and inform them of mitigation measures;
• Cyberthreat Notification (Voluntary): Optionally notify FSMA of significant cyberthreats that could impact financial stability, service users, or clients;
• Cross-Border Information Sharing: Provide relevant ICT incident information to enable FSMA coordination with other authorities;
• Customer Protection: Inform affected clients about protection measures in case of a significant cyber threat; and
• Outsourcing Reporting Duties: Possible delegation of reporting obligations, but the financial entity remains fully responsible for compliance.

Note that DORA mandates specific entities to perform advanced threat-led penetration testing, but this requirement applies only to selected financial entities.

1. Belgian Law of April 26, 2024 (NIS2 Law)

The NIS2 Law mandates that organizations implement measures to secure their supply chain, managing risks that could impact the security of their networks and information systems. These measures aim to mitigate the effects of cybersecurity incidents on their services and end users. The law does not provide detailed guidance on how entities subject to its regulations should manage supply chain security obligations. However, the CCB recommends that entities subject to the NIS2 Law require their suppliers to meet specific labeling or certification obligations. Additionally, entities under this legislation should consider incorporating specific cybersecurity clauses in their contracts with suppliers.

2. Regulation (EU) 2022/2554 (DORA Regulation)

DORA requires financial entities to ensure that their operational resilience covers third-party ICT service providers. This includes developing comprehensive risk management frameworks addressing the entire supply chain. These frameworks must incorporate, among other things:

• Risk management controls;
• Incident reporting requirements;
• Testing and security guarantees; and
• Business continuity plans.

Additionally, entities are required to incorporate specific contractual obligations into their outsourcing agreements and in agreements with subcontractors. The following elements must be clearly outlined and agreed upon in contracts with ICT third-party service providers:

• Clear and complete service descriptions;
• Service and data location transparency;
• Provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data;
• Access and recovery of data;
• Service levels and revisions;
• ICT incident support;
• Cooperation with supervisory authorities;
• Termination rights and notice periods; and
• Participation in security and resilience programs.

For ICT services supporting critical or important functions, contracts must include ‘enhanced’ requirements, as well as for critical or important subcontractors. The following elements must be clearly outlined (in addition to the aforementioned requirements):

• Full service level descriptions;
• Notice periods and reporting obligations;
• Business contingency plans and security measures;
• Participation in financial entity’s threat-led penetration testing;
• Ongoing monitoring and access rights for the financial entity and FSMA; and
• Exit strategies and transition period.

It is important to emphasize that DORA not only requires the explicit inclusion of technical, commercial, and information security aspects in the contract itself, but also mandates that each of these measures/elements be formally documented.

1. Belgian Law of April 26, 2024 (NIS2 Law)

The NIS2 Law imposes information sharing and collaboration with the relevant authorities. What is more, the law allows for the voluntary exchange of relevant cybersecurity information, in particular information relating to cyberthreats, avoided incidents, vulnerabilities, etc. This exchange takes place under certain conditions within the framework of information exchange communities, implemented by means of information sharing agreements.

2. Belgian law of July 1, 2011, on the security and protection of critical infrastructures (CER Law)

While the CER Law is under revision, the current version imposes operators of critical infrastructures to collaborate with certain authorities and police services by sharing information on the security and protection of their infrastructure.

3. Regulation (EU) 2022/2554 (DORA Regulation)

Under DORA, financial entities are required to:

• Report serious ICT-related incidents: Financial entities must collect and analyze relevant information and report serious ICT-related incidents to the FSMA. If an incident affects clients’ financial interests, entities must inform them of the incident and mitigation measures;
• Maintain an information register: Financial entities must keep and update a register of information (ROI), listing contracts with ICT service providers. Upon request, they must provide the FSMA with the full ROI or specific parts, along with necessary information for supervision;
• Notify the FSMA of new ICT service agreements: Financial entities must inform the FSMA of any new or planned agreements involving ICT services that support critical functions;
• Make voluntary cyberthreat notifications: Entities may voluntarily notify the FSMA of significant cyberthreats that could lead to major incidents; and
• Voluntarily share information between financial entities: Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools

What is more, the Lead Overseer may, by simple request or by decision, require critical ICT third-party service providers to provide all information that is necessary for the Lead Overseer to carry out its duties under this Regulation.

1. Belgian Law of April 26, 2024 (NIS2 Law)

If an in-scope entity in the digital sector (not applicable for the other sectors under the NIS2 Law) is not established in the EU, it must designate a representative within the EU. The representative must be established in one of the member states where services are provided. The designation of a representative by a digital entity does not affect any legal actions that may be brought against the digital entity itself.

There is no obligation for any entity under NIS2 Law to appoint a specific physical contact person within the entity regarding cybersecurity. Members of management are, however, responsible for the entity’s compliance with the NIS2 Law.

2. Belgian law of July 1, 2011, on the security and protection of critical infrastructures (CER Law)

While the CER Law is under revision, the current version mandates that the operator must designate a point of contact and communicate their details to the relevant authorities. This person is responsible for all matters related to the security and protection of the infrastructure and acts as the main liaison between the entity, the competent authorities and the police services.

3. Regulation (EU) 2022/2554 (DORA Regulation)

There is no obligation in this regard.

In Belgium, all cybersecurity legislations are sectoral.

1. Belgian Law of April 26, 2024 (NIS2 Law)

The NIS2 Law applies to 18 sectors, including:

• Energy;
• Transportation;
• Banking;
• Financial market infrastructures;
• Healthcare and life sciences;
• Potable water, and wastewater;
• Digital infrastructures;
• ICT service management (Business-to-business);
• Public administration;
• Space;
• Postal and courier services;
• Waste management;
• Manufacture, production and distribution of chemicals;
• Food production, processing and distribution;
• Manufacturing of e.g. electronic products machines and vehicles;
• Digital providers; and
• Research.

2. Belgian law of July 1, 2011, on the security and protection of critical infrastructures (CER Law)

While the CER Law is under revision, the current version applies to the sectors of transport, energy, finance and electronic communications.

3. Regulation (EU) 2022/2554 (DORA Regulation)

DORA applies to the financial sector (i.e. more than 20 different categories of entities, from banks to crypto-asset service providers) and to third-party service providers supporting critical functions of such financial entities.

1. Belgian Law of April 26, 2024 (NIS2 Law)

The legislation imposes on “essential” entities (while this is voluntary for “important” entities) a periodic compliance assessment obligation. Under Belgian law, entities may choose to use an international reference framework: ISO/IEC 27001, or the Belgian CyFun framework, which is based on common standards NIST CSF, ISO/IEC 27001, CIS Controls, and IEC 62443.

2. Regulation (EU) 2022/2554 (DORA Regulation)

Under DORA, there is no direct obligation for financial institutions to be certified under specific cybersecurity or risk management standards like ISO/IEC 27001, NIST, or others. However, DORA sets specific requirements that institutions must comply with regarding digital operational resilience, and obtaining certifications based on internationally recognized standards can help demonstrate compliance.

1. Belgian Law of April 26, 2024 (NIS2 Law)

Under the NIS2 Law, a significant incident is defined as:

“any incident having a significant impact on the provision of any of the services provided in the sectors or subsectors listed in Annexes I and II of the law and which:

1° has caused or is likely to cause a severe operational disruption of any of the services provided in the sectors or subsectors listed in Annexes I and II or financial losses for the concerned entity; or

2° has affected or is likely to affect other natural or legal persons by causing significant material, bodily, or moral damage.” [Translation from French/Dutch]

Note that the European Commission has adopted an Implementing Regulation 2024/2690, which provides a more precise definition of what constitutes a significant incident for digital entities.

The NIS2 Law requires in-scope entities to notify without unjustified delay any significant incident to the CCB, as well as to the recipients of their services (when the incident is likely to disrupt the delivery of services in critical sectors for society, as mentioned in the annexes of the legislation). These recipients must then be informed of the corrective measures that can be applied and, if necessary, of the cyber threat itself.

The notification to the CCB must be prompt and take place in several stages, allowing for an appropriate and coordinated response. Generally, as soon as an entity becomes aware of a significant incident in its network or information systems, it must issue an early alert within 24 hours of this discovery, specifying whether the incident may result from illicit or malicious activities, and whether there may be cross-border implications. A second notification must follow within 72 hours, updating the previous information and providing an initial assessment of the severity and impact of the incident, as well as indicators of compromise when available. A final report, within one month after the second notification, must be submitted, which must include certain elements explicitly mentioned in the law. Finally, upon request from the authorities, interim reports may be required.

The national authority, for its part, must provide initial feedback on the significant incident and, upon the entity’s request, operational guidance or advice on the implementation of potential mitigation measures. It must also provide additional technical support upon request from the entity concerned.

In addition to these requirements, all entities, regardless of whether they fall under the scope of the NIS2 Directive, have the option to voluntarily notify cyber threats encountered and/or incidents avoided to the CCB.

2. Belgian law of July 1, 2011, on the security and protection of critical infrastructures (CER Law)

While the CER Law is currently under revision, the existing version outlines certain obligations regarding cybersecurity incidents. Specifically, it mandates the reporting of any potential threats to the security of critical infrastructure.

3. Regulation (EU) 2022/2554 (DORA Regulation)

Under DORA, the following definitions are important when talking about incident notification:

• ‘ICT-related incident’ is defined as “a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity”;
• ‘Significant cyber threat’ is defined as “a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident”;
• ‘Major ICT-related incident’ is defined as “an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity”;
• ‘Operational or security payment-related incident’ is defined as “a single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity”.

When serious, financial entities must report ICT-related incidents to the FSMA through an initial, interim, and final report. An interim report is required if there are significant changes to the incident or at the FSMA’s request. The final report includes the incident’s cause analysis and its impact. When an incident affects client financial interests, entities must inform them of the incident and mitigation measures.

DORA also allows voluntary reporting of significant cyberthreats (cyberthreats that could result in a major ICT-related incident or a major operational or security payment-related incident). Entities may also notify significant cyberthreats to the FSMA on a voluntary basis, if they believe the threat affects the financial system, service users or clients. There are no specific timelines for this, and companies can report them at any time when they believe the cyber threat is relevant to the financial sector. The FSMA is allowed to share this with relevant authorities.

For significant cyber threats, entities may need to advise affected clients on protection measures.

1. Belgian Law of April 26, 2024 (NIS2 Law)

The national cybersecurity authority (CCB) oversees compliance with the NIS2 Law with support from sector authorities, and serves as the central contact for NIS2 implementation. The sector-specific authorities, designated by royal decree, include:

• Energy: Federal Minister for Energy or designated senior official;
• Transportation:
  • Transport (excluding waterborne): Federal Minister for Transport or designated senior official;
  • Waterborne Transport: Federal Minister for Maritime Mobility or designated senior official;
• Healthcare and life sciences:
  • Research, pharmaceutical manufacturing, and critical medical devices: Federal Agency for Medicines and Health Products (AFMPS);
  • Public Health: Federal Minister for Public Health or designated senior official;
• Digital Infrastructure: Belgian Institute for Post and Telecommunications (IBPT);
• Trust Service Providers: Federal Minister for the Economy or designated senior official;
• Digital Providers: Federal Minister for the Economy or designated senior official;
• Space and Research: Federal Minister for Scientific Policy or designated senior official;
• Drinking Water: National Security Committee;
• Banking: National Bank of Belgium (NBB);
• Financial Market Infrastructure: Financial Services and Markets Authority (FSMA);
• Medical Devices and In Vitro Diagnostics: Federal Agency for Medicines and Health Products (AFMPS).

These entities may intervene, when necessary, in the following tasks:

• Additional identification of entities that should be subject to the NIS2 regime (consulting and proposing);
• Registration of entities;
• Organization of sector-specific exercises;
• Analysis and management of the consequences of an incident for a sector;
• Participation in certain activities of the NIS Cooperation Group;
• Raising awareness among entities in their sectors;
• National-level cooperation;
• Additional cybersecurity risk management measures;
• Incident notification (transmitting significant incidents reported by the national CSIRT to the sector-specific authorities, consulting in different situations on this matter);
• Supervision and inspection (joint or delegated);
• Administrative fines (see response to Question 44 below);
• Information assistance.

2. Belgian law of July 1, 2011, on the security and protection of critical infrastructures (CER Law)

While the CER Law is currently under revision, the existing version is still applicable and is primarily enforced by an inspection service set up in each relevant sector or sub-sector.

3. Regulation (EU) 2022/2554 (DORA Regulation)

The FSMA will primarily handle DORA compliance. DORA also aligns EU financial authorities, such as the European Banking Authority and European Securities and Markets Authority, to harmonize ICT risk supervision.

DORA allows EU authorities to impose fines for violations (see response to Question 44 below).

DORA also introduces a new oversight framework, designating one of the key EU financial authorities (such as the European Banking Authority or the European Securities and Markets Authority) as the lead overseer responsible for monitoring the activities of critical ICT third-party service providers. This lead overseer will have the authority to conduct investigations, including on-site and off-site inspections, and can impose periodic penalty payments to ensure that critical ICT third-party service providers cooperate with the lead overseer during an investigation.

1. Belgian Law of April 26, 2024 (NIS2 Law)

The CCB is empowered to oversee compliance with cybersecurity risk management measures and incident reporting requirements. For essential entities, this oversight may be both ex-ante and ex-post, including regular and targeted security audits conducted by an independent body. In contrast, for important entities, oversight is limited to ex-post assessments, triggered by evidence, indications, or information suggesting non-compliance with the NIS2 Law.

In exercising this oversight, the CCB may:

• Request access to and obtain a copy of any document or information necessary for carrying out their supervisory mission;
• Carry out, on-site or remotely, any examination, inspection, and interview, including random checks;
• Conduct audits;
• Request any information they deem necessary for assessing the cybersecurity risk management measures adopted by the concerned entity, including documented cybersecurity policies, compliance with the obligation to submit information to the national cybersecurity authority or the relevant sectoral authority in accordance with Title I, and the implementation of the present law;
• Perform security scans based on objective, non-discriminatory, fair, and transparent risk assessment criteria, if necessary, with the cooperation of the concerned entity;
• Identify individuals present on premises used by the entity, whose interview they consider necessary for fulfilling their mission;
• Where applicable, request assistance from federal or local police forces in the event of the use of force;
• Request information from the personnel referred to in Article 9 of the Law of 15 April 1994 on the protection of the population and the environment against the hazards of ionizing radiation and concerning the Federal Agency for Nuclear Control, for the purposes of enforcing the provisions of this law;
• Enter, without prior notice and upon presentation of their official identification card, any premises used by the entity; they may only access inhabited premises with prior authorization issued by an investigating judge.

2. Belgian law of July 1, 2011, on the security and protection of critical infrastructures (CER Law)

While the CER Law is currently under revision, the existing version is still applicable and provides that the competent sectoral inspection service may:

• Enter all areas of the critical infrastructure. Authorities may only access habited places with prior authorization issued by a court judge;
• Review the security plans, as well as any acts, documents, and other necessary sources of information; and
• Conduct any examination, inspection, and hearing, and request all necessary information.

3. Regulation (EU) 2022/2554 (DORA Regulation)

1. Supervisory Powers

Under DORA, the FSMA may:

• Request information: Entities must provide any information required to assess compliance with DORA — this includes documentation, policies, risk assessments, test results, incident reports, contracts with third-party providers, etc.;
• Conduct investigations and inspections: both on-site and off-site inspections of the financial entity’s premises and ICT systems;
• Interview staff: They may question staff, including senior management, to understand processes and assess compliance; and
• Access data and systems: access to systems, logs, and other ICT data to evaluate operational resilience.

2. Oversight of Critical ICT third-party providers

For ICT third-party providers deemed “critical”, such as major cloud or infrastructure service providers, a “Lead Overseer” (assigned by the European Supervisory Authorities – ESAs) is appointed.

The Lead Overseer has powers to:

• Request documentation and information;
• Conduct inspections, including on-site at the provider’s premises; and
• Issue recommendations to mitigate risks to the financial system. These recommendations are binding in effect — financial entities must consider them in their own risk management.

1. Belgian Law of April 26, 2024 (NIS2 Law)

The CCB has the power to impose measures and administrative fines on companies that fail to comply with their obligations under the NIS2 Law.

Among the list of administrative measures are:

• Warnings;
• Binding instructions or an injunction requiring remedying identified deficiencies or violations;
• Orders to cease any behaviour that violates the law and not to repeat it;
• Orders to ensure compliance with risk management measures or with incident notification obligations, within a specified timeframe;
• Instructions to inform natural or legal persons for whom the concerned entity provides services or carries out activities, that may be affected by a significant cyber threat, of the nature of the threat and any preventive or remedial measures they could take in response to this threat;
• Instructions to implement recommendations made following a security audit within a reasonable timeframe; and
• Instructions to publicly disclose specific aspects of the identified breaches.

If the measures requested are not taken within the time limit set, the following orders may be imposed:

• Order to temporarily suspend a certification or authorisation concerning all or part of the relevant services provided, or relevant activities carried out by the entity concerned; or
• Order to temporarily prohibit a natural person from exercising managerial responsibilities at the level of managing director or legal representative in the entity concerned from exercising managerial responsibilities.

Companies that neglect to comply with this legislation may also face administrative fines calculated based on their turnover. For significant entities, the fine can reach 7,000,000 EUR or 1.4% of their annual turnover, while essential entities may face a fine of up to 10,000,000 EUR or 2% of their annual turnover. If the same company is repeatedly fined for breaching its obligations under the NIS2 Law based on the same facts within a 3-year period, the fine may be doubled.

2. Belgian law of July 1, 2011, on the security and protection of critical infrastructures (CER Law)

While the CER Law is currently under revision, the existing version is still applicable and non-compliance with obligations related to internal security measures and information exchange can lead to the following criminal sanctions:

• Prison sentence from 8 days to 1 year;
• A fine from 26 EUR to 10,000 EUR (as this is a criminal fine, it must be multiplied by an indexation factor of 8);
• In case of recidivism, the fine is doubled, and the prison sentence increases (ranging from 15 days to 3 years).

Obstruction of control, refusal to provide information, or providing inaccurate or incomplete information can lead to the following criminal sanctions:

• Prison sentence from 8 days to 1 month;
• A fine from 26 EUR to 1,000 EUR (as this is a criminal fine, it must be multiplied by an indexation factor of 8;
• In case of recidivism, the fine is doubled, and the prison sentence increases (ranging from 15 days to 1 year).

Additional provisions:

• Application of the Criminal Code rules: The offenses are also governed by the provisions of Book 1 of the Criminal Code, including Chapter VII and Article 85, which may involve other penalties or specific procedural measures.

3. Regulation (EU) 2022/2554 (DORA Regulation)

Consequences for failing to comply may include administrative fines, mandatory corrective actions, public warnings, revocation of operating authorization, and compensation for damages resulting from breaches.

Non-compliance with DORA requirements can lead to administrative fines of up to 2% of a company’s total annual global turnover or up to 1% of its average daily global turnover. Both individuals and companies could face fines as high as 1,000,000 EUR. Additionally, critical third-party ICT service providers supporting financial entities are subject to even higher fines, reaching up to 5,000,000 EUR for companies or 500,000 EUR for individuals.

Belgian Law of April 26, 2024 (NIS2 Law): According to the latest version of the CCB’s FAQ, a measure or administrative fine will be imposed proportionally, considering the severity of the violations, the attitude of the entity, and any potential recurrence. The FAQ also states that the administrative fine is doubled in the case of a repeat offense for the same actions within a 3-year period, and that multiple violations may lead to a single administrative fine, proportional to the severity of all the facts involved.

The enforcement decisions are subject to appeal, depending on their nature either before the Brussels Court of Appeal (Markets Court division) or in the context of an administrative appeal with the Council of State.

As the CCB is a new regulator, competent for ensuring and enforcing compliance with the NIS2 Law that is applicable since October 2024, its enforcement priorities still need to be identified. There is no enforcement case law yet on NIS2 in Belgium. In 2025, we do expect enforcement under both NIS2 and DORA to kick off and priorities to become clear. As a more general trend, we note that the CCB focuses enormously on cyber awareness and education. It has published FAQs on the NIS2 Law, several guidance documents, has given presentations and training, and maintains a very elaborate website with information on various cyber threats.