
Compliancy

The rules of cybersecurity clarified

The GDPR legislation and NIS regulations have been in force for 3 years. How have SMEs and large organizations responded? And what does the future hold now that there has been an exponential rise in cyber risks? The legislation is explained in simple terms and practical tools are offered.

In 2020 the National Data Protection Authority received:
- 4 times more complaints than in 2019
- 25% more reports about data breaches than in 2019

Top 3 complaints:
- Direct marketing (mainly concerning cookies)
- COVID-19 related complaints
- The data processing policy of cities and municipalities

The DPA supports companies

Slowly but surely

GDPR is celebrating its third anniversary – enough time to grasp the rules and be fully compliant, or so you’d think. In reality, it’s more a case of growing awareness, and there’s still much to do. “Companies are achieving compliance slowly but surely. We’re also living in an age characterized by massive digital dependence and the emergence of new types of data – a continuous process that raises many questions. And we’re here to answer them,” says Aurélie Waeterinckx, spokesperson for the Data Protection Authority (DPA).

The code of conduct as a tool

While companies must adapt to the regulations, GDPR is also continually adapting to the digital revolution and the new ways of implementing existing and emerging technologies. Waeterinckx says there are already tools that can be used: “Too few organizations use the code of conduct to demonstrate compliance with GDPR obligations. Although it doesn’t guarantee compliance, it’s a very useful tool in assessing it, and we are always here to assist and guide companies.”

Aurélie Waeterinckx has been a communication adviser and spokeswoman at the GBA since May 2019.

The GDPR reflex

But what are the main mistakes companies continue to make today? According to Waeterinckx, marketing without consent and a lack of transparency are the biggest offenders. Users aren’t (or are only vaguely) informed about the processing of their personal data. “We’ve also noted the lack of importance companies give to the DPO’s role. The GDPR reflex must become instinctive before a project starts.”

Is your SME GDPR compliant?

The DPA is an independent regulatory body whose task is to secure compliance with the basic principles of the protection of personal data. The DPA took over from the Privacy Commission on 25 May 2018.

Three primary deficiencies

After consultation with over 250 SMEs, the DPA has detected three major weaknesses in practice. The first involves the (fundamental) principle of transparency. The company is aware of its duty to inform with regard to data processing, but doesn’t communicate it, or does so poorly. “The next deficiency involves the principle of impact assessment, a compulsory tool for processing likely to generate high risks. Most of the SMEs questioned are aware of this without actually putting it into practice,” Aurélie Waeterinckx adds. Finally, only 50% of the respondents have implemented the concepts of ‘data controller’ and ‘subcontractor’ within the organization.

Aurélie Waeterinckx
GBA spokeswoman

“SMEs are one of our priorities, and from now on we’re providing them with a real toolbox.”

A toolbox for SMEs

SMEs do take action with regard to the GDPR. They scan the web in search of advice, consult their sectoral organization, etc., an observation that the DPA has decided to turn into an opportunity. “SMEs are one of our priorities, and from now on we’re providing them with a real toolbox. I recommend two reference publications, the vade mecum (a handbook) and the 13-step Action Plan, practical information that is supplemented by a FAQ brochure. In short, a real dashboard for SMEs.”

BOOST as support for SMEs

The objective of the BOOST project, developed by the DPA and financed by the European Union, is to help micro, small and medium-sized enterprises in any sector in implementing the GDPR. This major awareness-raising activity is also an unprecedented source of information. “Among other things, we provide letter templates, disseminate information via videos, publish a newsletter and organize webinars. The latest one had 735 attendees, proof of the need in the field and the relevance of our activities,” explained the DPA spokesperson.

Europe expands the scope of its NIS regulations

Three years later …

The NIS law, which stems from the European NIS Directive, was the first cybersecurity legislation to be passed in Belgium. Three years after it came into force, the Center for Cybersecurity Belgium is relatively happy with companies’ compliance. “However, it’s still too early to fully assess the implementation of the rules. The first internal audits have just been carried out and the first external audits will take place in 2023,” says Valéry Vander Geeten, legal manager at the Center for Cybersecurity Belgium.

NIS 2: more sectors covered

Up until now, the rules applied to the following sectors: transport, energy, finance, healthcare, drinking water, digital infrastructure and digital service providers. NIS 2 provides for the expansion of the types of operators in some of the existing sectors and for the addition of new sectors, such as telecom operators, public administration entities, companies producing electronic products, food, and chemicals. “It should also be noted that prior identification by the competent sectoral authority would no longer be required. If you fall under the legal requirements, you must comply with the directive,” Vander Geeten says.

Valéry Vander Geeten is Head of Legal Affairs at the Belgian Cybersecurity Center (CCB) as well as Data Protection Officer. He is also in charge of coordinating the adoption of the NIS directive in Belgium.

Cybersecurity at every level

Stricter legislation is beneficial to any organization, regardless of its size. The energy sector is obviously crucial to all other sectors and the cybersecurity of its industrial systems is a major issue. The same goes for the public sector, as recent incidents have shown. “In the NIS 2 proposal, micro or small businesses would be excluded, with numerous exceptions especially for entities that could impact public security, public safety or public health. Nevertheless, I think that everyone is concerned. Cybersecurity isn’t just an IT issue, it’s part of our corporate culture.”


“Cybersecurity isn’t just an IT issue, it’s part of corporate culture above all.”

Hitting the refresh button on cybersecurity rules

What are the new regulations?

NIS 2: Proposal for a directive on measures for a high common level of cybersecurity across the Union.

The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped achieve a higher and more even level of security of network and information systems across the EU. In view of the unprecedented digitization in recent years, the time has come to refresh it.

NIS versus NIS 2

Sectors covered
NIS: healthcare; transport; banking and financial market infrastructure; digital infrastructure; water supply; energy; digital service providers.
NIS 2: expanded scope to include more sectors and services as either essential or important entities:
- Providers of public electronic communications networks or services
- Digital services such as social networking service platforms and data centre services
- Waste water and waste management
- Space
- Manufacturing of certain critical products (such as pharmaceuticals, medical devices, chemicals)
- Postal and courier services
- Food
- Public administration

Cybersecurity risk management
NIS: Operators of Essential Services (OES) and Digital Service Providers (DSP) have to adopt risk management practices and notify significant incidents to their national authorities.
NIS 2:
- Strengthened security requirements with a list of focused measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and the effective use of encryption.
- Streamlined incident reporting obligations with more precise provisions on the reporting process, content and timeline.
- Accountability of the company management for compliance with cybersecurity risk management measures.
- Cybersecurity of the supply chain for key information and communication technologies will be strengthened.

Cooperation
NIS: Increased EU-level cooperation.
NIS 2:
- Increased information sharing and cooperation between Member State authorities with an enhanced role of the Cooperation Group.
- Establishment of a European Cyber Crises Liaison Organisation Network (EU-CyCLONe) to support coordinated management of large-scale cybersecurity incidents and crises at EU level.

Capabilities
NIS: EU Member States improve their cybersecurity capabilities.
NIS 2:
- A list of administrative sanctions, including fines for breach of the cybersecurity risk management and reporting obligations, is established.
- More stringent supervision measures and enforcement are introduced.

CASE

UBench confirms data security with ISO certificate

“Data security is essential for us,” says project manager Brigitte Van Gerven. “We handle a lot of confidential data on our platform.” The volume of that data has, of course, grown hugely since launching UBench International in 2003. “This calls for a systematic, holistic approach in order to maintain an overview. Especially if, like us, you are also seeking to constantly improve data security.” An attitude that is increasingly viewed as a basic principle in the market. “Many tenders set strict requirements for data security.”

Objective vetting

In this context, certification offers a practical way to objectively demonstrate an organization’s data security level. An internationally recognized certificate for data security is ISO 27001. “This is a framework of requirements that a data security system needs to meet,” says Bart Tollebeek, data security consultant at Proximus. “Put simply: the organization examines step by step where possible risks are located. Once the security risks are assessed, proportionate measures are implemented.” An organization that passes the audit, carried out by an accredited auditor, may use the ISO 27001 certificate for three years. “During that period, an annual check takes place,” Bart explains. “The certificate is based on the principle of continuous improvement.”

Brigitte Van Gerven has a degree in civil mechanical-electrical engineering from KU Leuven. She has been a project manager at UBench International since 2017.
The Centre for Cybersecurity Belgium is a federal administration, under the authority of the Prime Minister, charged with coordinating cybersecurity policy in Belgium.
UBench International provides a cloud platform that brings all automotive sector players under one roof: from leasing companies, rental companies and used car sellers to insurers, breakdown services and repairers. With its digital ecosystem, the company from Turnhout is today’s market leader in Belgium and is also active in many other European countries.