NIS2, Are you in scope?
Belgium's new cybersecurity law entered into force.
This page provides a practical, to-the-point guide to EU cybersecurity and sector-specific digital legislation and the associated incident notification requirements in Belgium. The links below offer an overview of the relevant reporting and information channels per legislative framework.
This information is provided for general guidance purposes only and does not constitute legal advice. Users are strongly encouraged to consult the applicable legal texts themselves, as well as any relevant implementing or sector-specific legislation. In case of uncertainty regarding the interpretation or application of legal obligations, organisations should seek advice from a qualified legal or regulatory expert. Note that a single incident can trigger notification and reporting obligations under multiple legal frameworks simultaneously (e.g. cybersecurity, data protection, sectoral or critical infrastructure legislation). It is the responsibility of the organisation to assess all potentially applicable laws and ensure compliance with each of them.
| Legal act | Who is concerned? | What is reportable? | Where to report? | Useful links / guidance |
|---|---|---|---|---|
| NIS2 | Essential and important entities in NIS2 sectors – scope test | Cyber incidents with a significant impact on the provision of services | (except financial entities → FSMA under DORA) | |
| GDPR | Any organisation processing personal data | Personal data breaches posing a risk to individuals’ rights and freedoms | (except Police → COC) | |
| CRA | Manufacturers, importers, distributors of digital products | Severe security incidents and actively exploited vulnerabilities affecting products | TBD (ENISA single reporting platform & CCB as national CSIRT) | |
| AI Act | Providers and deployers of high-risk AI systems | Serious incidents involving high-risk AI systems | TBD | |
| CER | Designated critical entities | Incidents (incl. cyber) disrupting essential services | TBD | |
| DORA | Financial entities & ICT third-party providers | Significant ICT-related incidents (and major cyber threats) | FSMA | |
| eIDAS 2.0 | Trust service providers & EUDI Wallet actors | Security breaches or outages affecting trust services | TBD | |
| NCCS | High- / critical-impact electricity entities | Cyber incidents affecting critical electricity infrastructure | TBD | |
| MDR / IVDR | Medical device manufacturers & distributors | Serious incidents impacting patient safety or public health | FAGG | |
| PSR (proposal) | Payment service providers | Major operational or security incidents | TBD (expected alignment with DORA) | |
| EECC | Telecom operators | Security incidents affecting networks or services | BIPT | |
This figure illustrates the different incident notification timelines across EU cybersecurity and digital legislation. Depending on the applicable legal framework, organisations may be subject to multiple reporting deadlines, ranging from early warnings to final reports. The overview highlights how reporting obligations can overlap in time and differ in scope.
