The European Commission’s patience with Belgium’s slowness is now almost over, according to the Commission. In July last year, the Commission opened infringement proceedings against Belgium, Luxembourg, Greece and Poland. Those four Member States were not yet in order.
The Commission is now taking a new step. Belgium and Luxembourg will have two more months to take the necessary measures. Greece and Poland have since transposed the directive. The deadline for Belgium is 7 May. If it fails, a referral to the European Court of Justice will follow.
The NIS directive is mainly intended for companies that provide vital infrastructure networks and systems – such as energy producers, drinking water suppliers or airports. However, it also includes digital companies such as cloud services or web platforms. A whole series of measures awaits them, especially in the event of a cyber attack with a ‘significant impact’, for example, the loss of data.
One of the measures is the obligation to report. Companies that are victims of a cyber attack must report this to a central body. The Belgian Centre for Cyber Security (CCB) announced at the end of last year that such a digital platform was in the making and should be operational by the end of 2019. The government must also have a team that coordinates the response to a cyber attack with other countries.
That too is still under construction. The Belgian government introduced legislation on the directive in November 2018 in parliament. In December, the CCB indicated that the draft text was before Parliament for discussion. However, it has yet to be debated by MPs. Given the fall of the government in December and national elections pending in May, it is unlikely to be passed before the deadline set by the Commission.