Act on electronic communications
By “Act on electronic communications” we mean the Act of 13 June 2005 on electronic communications.
Regarding the notion of “operator”, you will find more information by clicking on this link.
Obligations of all operators
Operators must:
- analyse the risks regarding the security of their networks and services (Article 107/2, § 1, subparagraph 1). See the section on the risk analysis below;
- take appropriate and proportionate technical and organisational measures, including encryption if applicable, to appropriately manage the risks as well as to prevent and minimise the impact of security incidents both on users and other networks and services (Article 107/2, § 1, subparagraph 2);
- take all the necessary measures, including preventive ones, to ensure the fullest possible availability of voice communications services and internet access services in the event of exceptional network breakdown or in cases of force majeure (Article 107/2, § 3).
An operator must notify (see also section “Practical information”):
- the BIPT in case of a particular and significant threat of a security incident in a public electronic communications network or a publicly available electronic communications service, and inform their users potentially affected by such a threat (Article 107/3, § 1);
- the BIPT in case of a security incident that has had a significant impact on the operation of the networks or services. What is meant by “significant impact” and the procedures of notification were clarified in the Decision of 14 December 2017 (see section “Practical information”);
- the Belgian data protection authority in case of a breach of personal data which were transferred, stored or otherwise processed in connection with the provision of electronic communications services. That authority shall inform the BIPT without delay. In some cases, the subscriber concerned by the breach must also be informed. The BIPT and the Belgian data protection authority consult each other on the management of the incident (Article 107/3, §§ 3 and 4).
In addition to the Act on the status of the BIPT (Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors), the legal framework is the following:
- Articles 2, 68°; 107/2 to 107/4 of the Act on electronic communications;
- The Commission Regulation (EU) of 24 June 2013 on the measures applicable to the notification of personal data breaches;
- BIPT Decision of 14 December 2017 regarding the thresholds and terms and conditions for reporting of security incidents within the electronic communications sector.
Ministerial authorisation for the provision of a 5G network
The following obligations arise from Article 105 of the Act on electronic communications and the Royal Decree of 16 April 2023 on the ministerial authorisation for the provision of a 5G network (hereafter the “Royal Decree on the ministerial authorisation”).
| Obligations for: | Obligations: |
|---|---|
| the following companies when they provide a 5G network: | |
A new application will have to be made if the company providing a 5G network wishes to use a network or service that has not yet been the subject of an authorisation.
The Uninterruptible Power Supply (UPS) and batteries used for the central part of the 5G network do not require an authorisation.
Batteries used for the radio access network of the 5G network do not require an authorisation.
An authorisation is not required for passive antennas with RET (Remote Electrical Tilt) systems.
Article 11, subparagraph 1, of the Royal Decree on the ministerial authorisation provides that software or hardware updates do not require additional authorisation, except when they modify the elements listed in the application for authorisation.
The ministerial authorisation is granted by the following ministers: the Prime Minister, the Minister of Telecommunications, the Minister of Defence, the Minister of Justice, the Minister of Home Affairs and the Minister of Foreign Affairs (Article 105, § 1, of the Act on electronic communications).
They can grant the authorisation, grant it subject to certain conditions or reject it.
When reviewing an application, they must:
- assess the risk profile of the provider based on an opinion of the intelligence and security services (probability that the provider will be subject to interference from a country other than an EU Member State) and an opinion of the BIPT (ability of the provider to ensure the supply in terms of deadlines, quantity, overall quality of its products or services and its practices in terms of security); and
- apply the restrictions laid down in the Royal Decree on the ministerial authorisation.
Certain restrictions for MNOs take into account sensitive areas in Belgium. The latter are listed in the annex to the Royal Decree of 23 October 2022 on sensitive areas within the framework of the Act of 17 February introducing additional security measures for the provision of mobile 5G services. This annex is confidential. MNOs which must apply for a ministerial authorisation and wish to consult this annex can send an e-mail to the BIPT.
Companies which must get a ministerial authorisation (prior authorisation or regularisation authorisation) must send their application to the BIPT pursuant to the terms set out in the Communication of 15 May 2023 of the BIPT.
Location obligation within the framework of the provision of a 5G network
As of 1 January 2028, the companies referred to in the previous section providing a 5G network must ensure that the following elements are established in the territory of the European Union:
- the persons, equipment, software and data that are necessary for the real-time monitoring of their 5G network or elements of the 5G network core;
- the persons, equipment, software and data related to the monitoring of physical and logical access to their 5G network or elements of the 5G network core.
The persons who do not monitor the network in real time but who may be required to perform a one-off action on the network may be located outside the territory of the European Union, provided that their actions are permanently monitored by one of the above-mentioned persons (Royal Decree of 18 April 2023 on the location requirements for 5G networks).
Furthermore, when an MNO offers electronic communications services in Belgium over a 5G network, the network infrastructure must be located in the territory of the Member States of the European Union (Article 105, § 8, subparagraph 1, of the Act on electronic communications).
NIS Act
By “NIS Act” we mean the Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety.
In order to implement this Act the BIPT has been designated as the sectoral authority and inspection service responsible for the digital infrastructure sector. This sector includes at least the following entities: the IXPs (Internet exchange points), the DNS service providers and the registers of top-level domain names.
One of the missions of the sectoral authority is to designate the operators of essential services (OES) of its sector, in consultation with the Centre for Cybersecurity Belgium (CCB) and the Crisis Centre of the FPS Internal Affairs (NCCN).
The NIS Act lays down obligations on the OES regarding security measures (Articles 20 to 23), incident notification (Articles 24 and 25, see also section “Practical information”), and audit (Article 38).
An entity of the digital infrastructure sector operating in Belgium and which has not been designated by the BIPT as an OES may notify, on a voluntary basis, any incident with a significant impact on the continuity of the services it provides (see section “Practical information”). This voluntary notification does not result, for the notifying entity, in obligations to which it would not have been subjected, had it not made the notification. While handling notifications, the CCB, the BIPT and the NCCN may give priority to mandatory notifications imposed by the NIS Act over voluntary notifications. Voluntary notifications are only handled when their handling does not create a disproportionate or unnecessary burden on the above-mentioned authorities.
The legal framework is the following:
- Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors;
- Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety;
- Royal Decree of 12 July 2019 implementing the Act of 7 April 2019 laying down a framework for the security of networks and information systems of general interest for public safety and the Act of 1 July 2011 on the security and protection of critical infrastructures;
- Royal Decree of 15 December 2021 establishing the identification cards of the statutory agents and contractual agents of the Belgian Institute for Postal Services and Telecommunications.
You will find more information on the CCB website.
Risk analysis
The BIPT has implemented a risk analysis tool regarding the security of networks and information systems, SERIMA.be (which stands for Security Risk Management).
The BIPT intends to ask certain electronic communications operators and operators of essential services (OES) it has designated based on the NIS Act to submit an annual risk analysis via this platform.
The other electronic communications operators may use the platform upon request to the BIPT. More information is available in the communication of 12 April 2023 on risk analyses regarding the security of networks and information systems (see section “Documents”).
Critical Infrastructures Act
By “Critical Infrastructures Act” we mean the Act of 1 July 2011 on the security and protection of critical infrastructures.
In order to implement this Act, the BIPT has been designated as the sectoral authority and inspection service responsible for the electronic communications sector (including the digital infrastructures sector).
As a sectoral authority, the BIPT must designate critical infrastructure operators within its sector and identify their critical infrastructures, in consultation with the Crisis Centre of the FPS Internal Affairs (NCCN) and the Centre for Cybersecurity Belgium (CCB).
The main obligation of a critical infrastructure operator (see Article 13 of the Act) is to design and implement a security plan, which includes at least the permanent internal security measures (applicable in all circumstances) and graduated internal security measures (to be applied depending on the threat).
The operator must report any event which may threaten the security of the critical infrastructure (see Article 14 of the same Act).
The BIPT conducts inspections of the critical infrastructures.
The legal framework is the following:
- Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors;
- Act of 1 July 2011 on the security and protection of critical infrastructures;
- Royal Decree of 27 May 2014 implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures;
- Royal Decree of 14 June 2017 appointing for the electronic communications sector the inspection service established by the Act of 1 July 2011 on the security and protection of critical infrastructures;
- Royal Decree of 15 December 2021 establishing the identification cards of the statutory agents and contractual agents of the Belgian Institute for Postal Services and Telecommunications.
Act on security advices
By “Act on security advices” we mean the Act of 11 December 1998 on classification and security clearances, security certificates and security advices.
To implement this Act, the BIPT has been designated as the competent authority for the “electronic communications and digital infrastructures sector”, except for the security advices for the members of the (Justice) Coordination Cell of the electronic communications operators. The Minister of Justice is the competent administrative authority for these advices.
The BIPT has the responsibility, as the competent administrative authority, to propose to the ANS (“Autorité nationale de sécurité” or National Security Authority) the positions which should be subject to a security advice as well as the operators to which this measure is applicable. The ANS takes the decision in this matter. Once the decision is taken, the advice requests must be transmitted via the BIPT.
The legal framework is the following:
- Act of 11 December 1998 on classification and security clearances, security certificates and security advices;
- Act of 11 December 1998 establishing an appeal body regarding security clearances, security certificates and security advices;
- Royal Decree of 24 March 2000 implementing the Act of 11 December 1998 on classification and security clearances, security certificates and security advices;
- Royal Decree of 8 May 2018 laying down the areas of activity and the competent administrative authorities referred to in Article 22quinquies, § 7, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices;
- Royal Decree of 8 May 2018 laying down the list of data and information which may be accessed within the framework of a security check;
- Royal Decree of 8 May 2018 laying down the payments for security clearances, security certificates and security advices issued by the National security authority and for the security certificates issued by the Federal Agency for Nuclear Control, as well as the distribution keys referred to in Article 22septies, subparagraphs 6 and 8, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices.
Federal emergency phase
The website of the National Crisis Center (NCCN) summarises the actions taken by the 4 committees that are activated following the activation of the federal emergency phase as follows:
“During a federal phase, the Minister of the Interior is in charge. When a Minister declares a federal phase, four different committees come together:
- The evaluation committee collects information, evaluates the situation and gives advice to COFECO. This committee is composed of experts and scientists from the various competent authorities or services.
- The Federal Coordination Committee or COFECO assesses the situation and its evolution, proposes measures to protect the population to the policy committee and distributes available supra-local resources. This committee is composed of representatives of disciplines and public services.
- The policy committee endorses the measures proposed by COFECO. This committee is composed of the competent ministers. They have the power to adopt measures and bear the political responsibility for them.
- The information committee communicates about the measures. This committee is made up of the Communications Officers or spokespersons of the departments involved.
The Federal Coordination Committee is always in contact with the provincial crisis cell(s) and departmental or regional crisis centres, which implement the decisions within their own areas of competence.”
An assessment cell (CELEVAL) has been established for the telecoms sector (“CELEVAL telecoms”). The composition of this cell depends on the type of incident. It generally includes, among others, the electronic communications operators concerned, the Centre for Cybersecurity Belgium (CCB), the FPS Economy, the BIPT, the National Crisis Center (NCCN), the A.S.T.R.I.D. limited company, the Federal Police and the Directorate-General Civil Security. The BIPT chairs this cell.
COFECO is chaired by the National Crisis Center (NCCN) and includes, among others, the BIPT if telecom elements are discussed in this cell.
The BIPT, as chair of CELEVAL telecoms, is responsible for:
- Reporting to COFECO on the situation of the whole telecoms sector;
- Following up COFECO’s requests to the telecoms sector.
The legal framework applicable to the federal phase is point 4.4. of the annex to the Royal Decree of 31 January 2003 establishing the emergency plan for crisis events and situations requiring nationwide coordination or management.
ENISA (European Network and Information Security Agency) documents
- Technical Guideline on Minimum Security Measures
- Technical Guideline on Incident Reporting
- Technical Guideline on Threats and Assets
- Security Guide for ICT Procurement
- Secure ICT Procurement in Electronic Communications
- Protection of Underground Electronic Communications Infrastructure
- Power Supply Dependencies in the Electronic Communications Sector
- Signalling Security in Telecom SS7/Diameter/5G
- National Roaming for Resilience
- Guideline on assessing security measures in the context of Article 3(3) of the Open Internet regulation
- 7 Steps to shore up the Border Gateway Protocol (BGP)
Documents
- Judgement of the Market Court of 10 May 2023 on the BIPT Decision of 23 August 2022 regarding the lack of adequate security measures taken by Telenet for its site in [confidential]
- Communication of 15 May 2023 on the application for a ministerial authorisation for security purposes regarding a 5G network
- Communication of 12 April 2023 on the platform SERIMA.be
- Decision of 23 August 2022 regarding the lack of adequate security measures taken by Telenet for its site in [confidential]
- Communication of 5 July 2022 on the platform SERIMA.be
- Communication on the platform SERIMA.be (risk analyses regarding the security of networks and information systems)
- Consultation on the communication project on the risk analyses regarding the security of networks and information systems
- Communication on the COVID-19 virus following the communication of the Belgian government of 17 March 2020
- Communication on the COVID-19 virus
- Opinion of 15 May 2019 on the draft Royal Decree implementing the NIS Act as well as certain provisions of the “Critical Infrastructures Act”
- Support document for the preparation of a security plan
- Decision of 14 December 2017 regarding the thresholds and terms and conditions for reporting of security incidents within the electronic communications sector
- Consultation draft decision on the thresholds and terms and conditions for the notification of security incidents
- Communication of 18 November 2015 about the risk of power cuts during winter 2015/2016
- FAQ Planned power cut-offs winter 2014-2015
- Decision of 1 April 2014 laying down the circumstances in which the operators have to notify BIPT of a security incident and the terms and conditions of this notification
- Communication of 16 September 2013 regarding hacking at Belgacom
- Consultation on the draft Royal Decree implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures
- Communication of 30 April 2013 on the possible risks of a safety breach regarding the mobile telephony networks and services in the context of the 2G and 2.5G technology
- Draft decision of 3 May 2013 laying down the situations in which operators have to report a security incident to BIPT, as well as the terms and conditions of such notification
- Opinion of 17 February 2012 to Minister Vande Lanotte on the potential risks of security violation in mobile telephone networks and services within the framework of 2G and 2.5G technologies
Contact
BIPT - NetSec Department
Ellipse Building C
Boulevard du Roi Albert II 35 box 1
B-1030 Brussels
Tel: +32 (0)2 226 88 15
Last updated on 20/06/2024