Act on electronic communications
By “Act on electronic communications” we mean the Act of 13 June 2005 on electronic communications.
Regarding the notion of “operator”, you will find more information by clicking on this link.
Obligations of all operators
Operators must:
- analyse the risks regarding the security of their networks and services (Article 107/2, § 1, subparagraph 1). See the section on the risk analysis below;
- take appropriate and proportionate technical and organisational measures, including encryption if applicable, to appropriately manage the risks as well as to prevent and minimise the impact of security incidents both on users and other networks and services (Article 107/2, § 1, subparagraph 2);
- take all the necessary measures, including preventive ones, to ensure the fullest possible availability of voice communications services and internet access services in the event of exceptional network breakdown or in cases of force majeure (Article 107/2, § 3).
An operator must notify (see also section “Practical information”):
- the BIPT in case of a particular and significant threat of a security incident in a public electronic communications network or a publicly available electronic communications service, and inform their users potentially affected by such a threat (Article 107/3, § 1);
- the BIPT in case of a security incident that has had a significant impact on the operation of the networks or services. What is meant by “significant impact” and the procedures of notification were clarified in the Decision of 14 December 2017 (see section “Practical information”);
- the Belgian data protection authority in case of a breach of personal data which were transferred, stored or processed in a different way in connection with the provision of electronic communications services. That authority shall inform the BIPT without delay. In some cases, the subscriber concerned by the breach must also be informed. The BIPT and the Belgian data protection authority consult each other on the management of the incident (Article 107/3, §§ 3 and 4).
In addition to the Act on the status of the BIPT (Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors), the legal framework is the following:
- Articles 2, 68°; 107/2 to 107/4 of the Act on electronic communications;
- The Commission Regulation (EU) of 24 June 2013 on the measures applicable to the notification of personal data breaches;
- BIPT Decision of 14 December 2017 regarding the thresholds and terms and conditions for reporting of security incidents within the electronic communications sector.
Ministerial authorisation for the provision of a 5G network
The following obligations arise from Article 105 of the Act on electronic communications and the Royal Decree of 16 April 2023 on the ministerial authorisation for the provision of a 5G network (hereafter the “Royal Decree on the ministerial authorisation”).
| Obligations for: | Obligations: |
|---|---|
| the following companies when they provide a 5G network: | |
A new application will have to be made if the company providing a 5G network wishes to use a network or service that has not yet been the subject of an authorisation.
The Uninterruptible Power Supply (UPS) and batteries used for the central part of the 5G network do not require an authorisation.
Batteries used for the radio access network of the 5G network do not require an authorisation.
An authorisation is not required for passive antennas with RET (Remote Electrical Tilt) systems.
Article 11, subparagraph 1, of the Royal Decree on the ministerial authorisation provides that software or hardware updates do not require additional authorisation, except when they modify the elements listed in the application for authorisation.
The ministerial authorisation is granted by the following ministers: the Prime Minister, the Minister of Telecommunications, the Minister of Defence, the Minister of Justice, the Minister of Home Affairs and the Minister of Foreign Affairs (Article 105, § 1, of the Act on electronic communications).
They can grant the authorisation, grant it subject to certain conditions or reject it.
When reviewing an application, they must:
- assess the risk profile of the provider based on an opinion of the intelligence and security services (probability that the provider will be subject to interference from a country other than an EU Member State) and an opinion of the BIPT (ability of the provider to ensure the supply in terms of deadlines, quantity, overall quality of its products or services and its practices in terms of security), and;
- apply the restrictions laid down in the Royal Decree on the ministerial authorisation.
Certain restrictions for MNOs take into account sensitive areas in Belgium. The latter are listed in the annex to the Royal Decree of 23 October 2022 on sensitive areas within the framework of the Act of 17 February introducing additional security measures for the provision of mobile 5G services. This annex is confidential. MNOs that must apply for a ministerial authorisation and wish to consult this annex can send an e-mail to the BIPT.
Companies which must get a ministerial authorisation (prior authorisation or regularisation authorisation) must send their application to the BIPT pursuant to the terms set out in the Communication of 15 May 2023 of the BIPT.
Location obligation within the framework of the provision of a 5G network
As of 1 January 2028, the companies referred to in the previous section providing a 5G network must ensure that the following elements are established in the territory of the European Union:
- the persons, equipment, software and data that are necessary for the real-time monitoring of their 5G network or elements of the 5G network core;
- the persons, equipment, software and data related to the monitoring of physical and logical access to their 5G network or elements of the 5G network core.
The persons who do not monitor the network in real time but who may be required to perform a one-off action on the network may be located outside the territory of the European Union, provided that their actions are permanently monitored by one of the above-mentioned persons (Royal Decree of 18 April 2023 on the location requirements for 5G networks).
Furthermore, when an MNO offers electronic communications services in Belgium over a 5G network, the network infrastructure must be located in the territory of the Member States of the European Union (Article 105, § 8, subparagraph 1, of the Act on electronic communications).
NIS2 Act
Network and information systems security
By “NIS2 Law” we mean the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security, which constitutes the Belgian transposition of the NIS2 Directive and supersedes the preceding law of 7 April 2019.
To implement the NIS2 Law, the BIPT has been designated as the sectoral authority and sectoral inspectorate for the digital infrastructure sector, excluding providers of trust services in the sense of Article 8, 24° of this Law, and for the postal and courier services sector. Thus, under the BIPT's authority regarding the digital infrastructures sector, the following subsectors are covered: Internet providers; DNS service providers, excluding root name server operators; top-level domain name registries; cloud computing service providers; data centre service providers; content delivery network providers; the providers of public electronic communication networks; and the providers of public electronic communication services.
The CCB, as the central cybersecurity authority within the NIS2 Law, has already outlined a clear and comprehensive overview of:
- the scope of the NIS2 Law (entities no longer have to be identified by the competent authorities, but are automatically either essential or important entities because of their size in combination with the (sub)sector in which they provide services);
- the obligations of the essential and important entities (mainly registering via safeonweb@work, taking the necessary cybersecurity risk management measures and reporting significant incidents), and;
- the applicable supervision and sanctioning regime (in terms of supervision, the entity should opt for certification or submit to inspections).
For this general framework, we would therefore like to refer to the CCB website.
The BIPT hereby wishes to emphasise that its Decision of 14 December 2017 on incident reporting is no longer applicable due to the entry into force of the NIS2 Law. The CCB has prepared a reporting guide, which explains how incident reporting should be done nowadays. In any case, DNS service providers, providers of public electronic communication networks and providers of public electronic communication services will no longer have to address the BIPT in the first instance (with the exception of entities designated as operators of critical infrastructure, or when it comes to an incident impacting the emergency services). Every essential and important entity will have to report a significant incident via the standardised form prepared by the CCB.
In addition, the European Commission issued an Implementing Regulation setting out the technical and methodological requirements of the cybersecurity measures referred to in the NIS2 Directive that apply to the relevant entities (being those entities subject to the jurisdiction regime of the headquarters). This Regulation also clarifies when incidents for those relevant entities should be considered ‘significant’ in the sense of Article 23 of the NIS2 Directive and served as the basis for the Belgian notification guide mentioned above.
Moreover, as regards the (sub-)sectors within the BIPT’s brief, the BIPT and the CCB concluded a cooperation protocol. In doing so, the following was provided for:
- The providers of public electronic communications networks and the providers of public electronic communications services (the operators in the sense of the Act of 13 June 2005 on electronic communications) must supplement their notification to the BIPT with the information necessary for NIS2, for which the BIPT provided the necessary forms (following which these operators have fulfilled their registration obligation). If they have registered via the usual procedure on safeonweb@work, this is already sufficient and there is no need to return these forms filled in, although this is strongly encouraged;
- If the entity opts for a regular conformity assessment based on certification, this will be exclusively monitored by the CCB. However, if the entity chooses to submit to inspections, the ex-ante supervision exercised will depend on the type of entity:
  - As regards entities that are also designated as operators of critical infrastructure, only the BIPT will carry out these inspections;
  - As regards the other entities, the CCB and the BIPT will draw up an annual inspection plan and each will carry out part of the inspections;
- As regards the follow-up of significant incidents, the CCB will take care of those incidents whose probable cause is a potentially illegal or malicious computer attack, while the BIPT will take care of all other types of incidents. If the incident has multiple causes, the CCB and the BIPT may cooperate.
In addition to the provisions of the NIS2 Law, the provisions of the Act of 13 June 2005 on electronic communications regarding the security of electronic communications (more specifically, Articles 107/2 to 107/4) continue to apply simultaneously, albeit in amended form and with their scope extended to digital infrastructures, with the exception of trust service providers.
Collection of domain name registration data
In addition, the BIPT will monitor compliance with Article 164/3 of the Act of 13 June 2005 on electronic communications (transposition of Article 28 of the NIS2 Directive). This Article obliges top-level domain name registries and entities providing domain name registration services to collect and maintain domain name registration data in a special database. These data contain the information necessary to identify the domain name holders and the contact points managing the domain names under the top-level domain names. This information shall include, at least:
- the domain name;
- the registration date;
- the name of the domain name holder, his email address and his telephone number;
- the email address and telephone number of the point of contact managing the domain name in the event that they are different from those of the domain name holder.
The top-level domain name registries and the entities providing domain name registration services must have policies and procedures, including verification procedures, in place to ensure that the databases referred to above include accurate and complete information. In addition, these entities must provide domain name registration details to any legitimate party requesting access, upon a reasoned request, free of charge, within 72 hours of receiving the request, or within 24 hours of receiving the request in case of urgency.
Legal framework
The legal framework is as follows:
- the Implementing Regulation of 17 October 2024 of the Commission regarding critical entities and networks;
- the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security;
- the Act of 13 June 2005 on electronic communications;
- the Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors;
- the Royal Decree of 15 December 2021 laying down the identification cards of the contractual and statutory staff of the Belgian Institute for postal services and telecommunications.
Risk analysis
The BIPT has implemented a risk analysis tool regarding the security of networks and information systems, SERIMA.be (which stands for Security Risk Management).
The BIPT intends to ask certain electronic communications operators and operators of essential services (OES) it has designated based on the NIS Act to submit an annual risk analysis via this platform.
The other electronic communications operators may use the platform upon request to the BIPT. More information is available in the communication of 12 April 2023 on risk analyses regarding the security of networks and information systems (see section “Documents”).
Critical Infrastructures Act
By “Critical Infrastructures Act” we mean the Act of 1 July 2011 on the security and protection of critical infrastructures.
In order to implement this Act, the BIPT has been designated as the sectoral authority and inspection service responsible for the electronic communications sector (including the digital infrastructures sector).
As a sectoral authority, the BIPT must designate critical infrastructure operators within its sector and identify their critical infrastructures, in consultation with the Crisis Centre of the FPS Internal Affairs (NCCN) and the Centre for Cybersecurity Belgium (CCB).
The main obligation of a critical infrastructure operator (see Article 13 of the Act) is to design and implement a security plan, which includes at least the permanent internal security measures (applicable in all circumstances) and graduated internal security measures (to be applied depending on the threat).
The operator must report any event which may threaten the security of the critical infrastructure (see Article 14 of the same Act).
The BIPT conducts inspections of the critical infrastructures.
The legal framework is the following:
- Act of 17 January 2003 on the status of the regulator of the Belgian postal and telecommunications sectors;
- Act of 1 July 2011 on the security and protection of critical infrastructures;
- Royal Decree of 27 May 2014 implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures;
- Royal Decree of 14 June 2017 appointing for the electronic communications sector the inspection service established by the Act of 1 July 2011 on the security and protection of critical infrastructures;
- Royal Decree of 15 December 2021 establishing the identification cards of the statutory agents and contractual agents of the Belgian Institute for Postal Services and Telecommunications.
Act on security advices
By “Act on security advices” we mean the Act of 11 December 1998 on classification and security clearances, security certificates and security advices.
To implement this Act, the BIPT has been designated as the competent authority for the “electronic communications and digital infrastructures sector”, except for the security advices for the members of the (Justice) Coordination Cell of the electronic communications operators. The Minister of Justice is the competent administrative authority for these advices.
The BIPT has the responsibility, as the competent administrative authority, to propose to the ANS (“Autorité nationale de sécurité” or National Security Authority) the positions which should be subject to a security advice as well as the operators to which this measure is applicable. The ANS takes the decision in this matter. Once the decision is taken, the advice requests must be transmitted via the BIPT.
The legal framework is the following:
- Act of 11 December 1998 on classification and security clearances, security certificates and security advices;
- Act of 11 December 1998 establishing an appeal body regarding security clearances, security certificates and security advices;
- Royal Decree of 24 March 2000 implementing the Act of 11 December 1998 on classification and security clearances, security certificates and security advices;
- Royal Decree of 8 May 2018 laying down the areas of activity and the competent administrative authorities referred to in Article 22quinquies, § 7, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices;
- Royal Decree of 8 May 2018 laying down the list of data and information which may be accessed within the framework of a security check;
- Royal Decree of 8 May 2018 laying down the payments for security clearances, security certificates and security advices issued by the National security authority and for the security certificates issued by the Federal Agency for Nuclear Control, as well as the distribution keys referred to in Article 22septies, subparagraphs 6 and 8, of the Act of 11 December 1998 on classification and security clearances, security certificates and security advices.
Federal emergency phase
The legal framework applying to the federal phase is defined in Chapter 4 of the Annex to the Royal Decree of 26 April 2024 establishing the national emergency plan. This legal framework is outlined below.
The Federal Coordination Committee (COFECO) is the centralised expert environment that directs and coordinates interdepartmental crisis management at the national level. This Committee is chaired by the National Crisis Centre (NCCN), and the BIPT is also part of the basic composition.
An Evaluation Cell was created for the telecom sector (“Telecom CELEVAL”). The Telecom CELEVAL meets at the request of the COFECO Chair to support COFECO in its coordination task.
The Telecom CELEVAL's coordination covers the relevant technical and scientific information relating to the risk from which a national crisis arises and the current situation of the crisis. It should also evaluate the situation at sectoral level and its technical implications in order to advise COFECO on the precautionary and protective measures to be taken. This should take into account the expected evolution of the situation at the technical level, as well as the impact of deteriorating conditions that may arise.
The Telecom CELEVAL is chaired by the BIPT and consists of representatives and experts from the following public authorities and entities:
- the BIPT;
- the operators impacted by the crisis;
- the DG Civil Security;
- the Federal Police;
- Astrid NV;
- the National Crisis Centre (NCCN);
- any person, entity or authority necessary to carry out the evaluation.
As Chair of the Telecom CELEVAL, the BIPT is also, among other things, tasked with the following:
- centralising relevant information from the different operators in terms of impact or particular risk with a view to a coordinated communication with COFECO;
- follow-up of the questions of COFECO aimed at the telecom sector;
- taking the necessary measures to meet the expectations of the parties involved.
The policy committee endorses the measures proposed by COFECO. This committee is composed of the competent ministers. They have the power to adopt measures and bear the political responsibility for them.
The information committee communicates about the measures. This committee is made up of the Communications Officers or spokespersons of the departments involved.
ENISA (European Network and Information Security Agency) documents
- Technical Guideline on Minimum Security Measures
- Technical Guideline on Incident Reporting
- Technical Guideline on Threats and Assets
- Security Guide for ICT Procurement
- Secure ICT Procurement in Electronic Communications
- Protection of Underground Electronic Communications Infrastructure
- Power Supply Dependencies in the Electronic Communications Sector
- Signalling Security in Telecom SS7/Diameter/5G
- National Roaming for Resilience
- Guideline on assessing security measures in the context of Article 3(3) of the Open Internet regulation
- 7 Steps to shore up the Border Gateway Protocol (BGP)
Documents
- Judgement of the Market Court of 10 May 2023 on the BIPT Decision of 23 August 2022 regarding the lack of adequate security measures taken by Telenet for its site in [confidential]
- Communication of 15 May 2023 on the application for a ministerial authorisation for security purposes regarding a 5G network
- Communication of 12 April 2023 on the platform SERIMA.be
- Decision of 23 August 2022 regarding the lack of adequate security measures taken by Telenet for its site in [confidential]
- Communication of 5 July 2022 on the platform SERIMA.be
- Communication on the platform SERIMA.be (risk analyses regarding the security of networks and information systems)
- Consultation on the communication project on the risk analyses regarding the security of networks and information systems
- Communication on the COVID-19 virus following the communication of the Belgian government of 17 March 2020
- Communication on the COVID-19 virus
- Opinion of 15 May 2019 on the draft Royal Decree implementing the NIS Act as well as certain provisions of the “Critical Infrastructures Act”
- Support document for the preparation of a security plan
- Decision of 14 December 2017 regarding the thresholds and terms and conditions for reporting of security incidents within the electronic communications sector
- Consultation draft decision on the thresholds and terms and conditions for the notification of security incidents
- Communication of 18 November 2015 about the risk of power cuts during winter 2015/2016
- FAQ Planned power cut-offs winter 2014-2015
- Decision of 1 April 2014 laying down the circumstances in which the operators have to notify BIPT of a security incident and the terms and conditions of this notification
- Communication of 16 September 2013 regarding hacking at Belgacom
- Consultation on the draft Royal Decree implementing in the electronic communications sector Article 13 of the Act of 1 July 2011 on the security and protection of critical infrastructures
- Communication of 30 April 2013 on the possible risks of a safety breach regarding the mobile telephony networks and services in the context of the 2G and 2.5G technology
- Draft decision of 3 May 2013 laying down the situations in which operators have to report a security incident to BIPT, as well as the terms and conditions of such notification
- Opinion of 17 February 2012 to Minister Vande Lanotte on the potential risks of security violation in mobile telephone networks and services within the framework of 2G and 2.5G technologies
Contact
BIPT - NetSec Department
Boulevard du Roi Albert II 32 box 10
1000 Brussels
E-mail
Tel: +32 (0)2 226 88 15
Last updated on 17/01/2025