Wealthy, innovative and fintech-friendly Belgium has become a European leader in digitalization and cybersecurity, ranking highly on several of the European Commission’s Digital Economy and Society Index (DESI) 2020 indicators. DESI notes Belgium’s strengths in the digitization of business and economy, use of big data and R&D expenditures in the ICT sector, although its promising trajectory has been significantly damaged by the COVID-19 pandemic.
Belgium was one of the countries worst affected by the pandemic, with the highest global mortality rate amidst two unrelenting waves of infection. The economy contracted by 6.2% in 2020,[1] and it is not expected to fully recover until 2022.[2] This economic downturn and long recovery period threaten to shrink its fintech landscape and deter new entrants, who might gravitate instead to comparatively unscathed Nordic innovation hubs like Stockholm and Oslo. Belgium’s National Plan for Recovery and Resilience could help safeguard against a drastic setback, however, as the plan will allocate 31% (EUR 1.85 billion) of its funds from the EU’s COVID-19 Recovery and Resilience Facility towards digital transformation.
The pandemic further exposed vulnerabilities in Belgium’s cybersecurity. On 4 May 2021, a large-scale cyberattack targeted the Belgian parliament, government agencies, scientific institutions and universities. That same month, Belgium’s Federal Public Service Interior revealed that it had been the victim of a two-year-long cyberattack, which first struck in April 2019. Phishing alone cost Belgians 43 million EUR in 2020,[3] and one survey found that 42% of Belgian companies were hit by a cyberattack.[4]
This growing sophistication and frequency in cybercrime has influenced Belgium’s 2021 digital agenda, which focuses on strengthening its cybersecurity and AML frameworks, alongside raising awareness on data protection and ensuring GDPR compliance. Unlike other advanced European states, Belgium has not launched exploratory research into the development of a central bank digital currency (CBDC).
Financial Regulatory Authorities
Central Bank: The National Bank of Belgium is the country’s central bank.
The Belgian Data Protection Authority (APD) oversees compliance with regulations on data protection such as the GDPR.
The Financial Services and Markets Authority (FSMA) is Belgium’s financial regulatory authority, and seeks to ensure the fair and transparent operation of the financial markets.
Policy, Laws and Regulations
Reporting on operational and security risks related to payment services for payment institutions and electronic money institutions, January 1, 2022
In November, Belgium’s central bank published Circular NBB_2021_26, which took effect January 1, 2022.
Under the regulation, FIs must submit a detailed assessment of the security and operational risks related to current payment services and payment services expected to launch in the next 12 months.
Per the Circular:
1. “The assessment of each identified risk should include the following elements:
- a description of the identified risk, including its consequences for the institution and its customers if it materializes;
- inherent levels of risk, with an estimate of their likelihood and impact on establishment;
- the identified risk mitigation controls already in place, including a description of their effect on the institution's level of risk and the level of residual risk once the mitigation measures are implemented;
- the measures detected that remain to be implemented to improve the effectiveness of controls, and where appropriate, planning for their implementation.
2. Institutions shall provide an assessment of their compliance with the European Banking Authority’s guidelines on the management of risks related to ICT and security which were introduced in Circular NBB_2020_232. This assessment should present a description of the provisions of these guidelines with which the establishment is not in compliance and an assessment of the effect of this non-compliance on the institution's level of risk.
3. The institutions describe the developments that have taken place since the previous presentation of the report (or since the approval was granted by the Bank).”
The National Security Council (NCS) approved the new Belgian Cybersecurity Strategy 2.0, for 2021-2025. The strategy’s overarching aim is to make Belgium one of the most cybersecure European nations, and it hinges on six main objectives:
- “Strengthen the digital environment and increase confidence in the digital environment
- Arm users and administrators of computers and networks
- Protect Vital Interest Organizations against all cyberthreats
- Respond to cyberthreats
- Improve public, private and university collaborations
- Affirm a clear international commitment”
The Belgian Competition Authority published its strategic priorities for 2021. They include enhanced vigilance and action regarding digital platforms and continued oversight of the digital economy, with special attention to abuses and violations of the right of competition driven by algorithms and data. The focus on tech giants’ dominance comes amidst an EU crackdown on big tech, with its Digital Markets Act and Proposal for Data Governance Act.
The Central Bank’s Report 2020 - Economic and financial developments outlines major developments in 2020, with a primary focus on the impact of the COVID-19 pandemic alongside brief overviews of regulatory responses. Key areas include COVID-19’s influence on the financial sectors, the rise of open banking and evolving cybersecurity challenges.
The COVID-19 pandemic brought Belgium to its worst economic performance since World War II, with an estimated loss of 41 billion EUR to its economy. Despite grim economic indicators, the National Bank of Belgium believes that central banks’ responses helped to keep economic depression at bay in developed nations. Interest rates in the eurozone were already low, banks increased their purchases of financial assets (mainly sovereign bonds) and facilitated the funding of large companies and SMEs.
The main challenge in the payments sector was monitoring compliance with heightened security requirements for electronic payment card transactions in e-commerce, particularly regarding Strong Customer Authentication (SCA) requirements per the revised Payment Services Directive (PSD2). This required the establishment of new technical protocols, which was difficult amidst a complex landscape with many players. Meanwhile, the bank sought to facilitate fintech companies’ access to credit institution payment account systems.
Due to a rapidly changing risk landscape, the central bank recommends that financial institutions bolster their risk-awareness and take appropriate precautions in mitigating risks. The central bank has sought to strengthen the national cybersecurity framework over the past several years, even before the onslaught of the pandemic, and its 2015 Circular on expectations regarding continuity and operational security for financial institutions remains an important standard. Going forward, cybersecurity remains one of its top priorities, especially with regard to cultivating European and international cooperation.
Data Protection Authority Issues Recommendation on Cleaning Data and Destroying Data Media, 11 December 2020
The Data Protection Authority’s Recommendation on data sanitisation and data medium destruction techniques seeks to help entities comply with GDPR requirements regarding accountability and prevention of the unauthorized disclosure of data. Aimed at data controllers, processors, information security advisors and data protection officers (DPOs), the recommendation outlines various techniques of sanitizing and destroying data, which make access to data impossible.
The recommendation was followed by the Data Protection Authority’s 15 March 2021 release of documents seeking to simplify processes for data controllers, processors and DPOs. The batch of documents includes a personal data communication protocol template, a roadmap for the exchange of personal data by/with federal bodies and a model register of simplified treatment activities for the controllers and subcontractors.
Data Protection Authority Issues Management Plan 2021, 09 December 2020
The Data Protection Authority’s Management Plan outlines strategic priorities for 2021, including raising awareness on data protection, promoting the effectiveness and visibility of the APD and ensuring timely and adequate processing of files. The plan delivers brief recommendations to government actors on optimizing existing techniques in ensuring GDPR compliance; undertaking monitoring of societal, economic and technological developments; coordinating cooperation; and raising awareness and increasing knowledge on data protection issues, amongst other recommendations. The APD has routinely touted the importance of awareness on data protection and has been especially keen to simplify compliance requirements.
Partial Implementation of GDPR and Exceptions Provided for in Article 23, 11 November 2020
The Ordinance of October 29, 2020 applying the exceptions provided for by Article 23 of the General Data Protection Regulation (GDPR) was published in the official gazette. Article 23 of the GDPR allows member states to restrict, through legislative means, the scope of obligations and rights outlined in certain GDPR articles, as long as such restrictions respect “the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard” areas like national security and public security. Per the ordinance, the rights to erasure of personal data, access to personal data and rectification may be deferred or limited in certain cases.
The Royal Decree of September 23, 2020 amending the Royal Decree of July 30, 2018 regarding the operating modalities of the ultimate beneficial owner (UBO) register went into effect. The decree implements provisions of the 4AMLD and the 5AMLD and aims to facilitate access to the UBO register and ensure that its information is accurate and updated in a timely manner. Per the 5AMLD, each member state was mandated to create their own UBO register and have it operational by 10 January 2020. UBO registers were required to be interconnected via the European Central Platform by 20 March 2021, in line with the EU’s goal to make AML/CFT measures increasingly harmonized across Europe.
Central Bank Publishes Financial Market Infrastructures and Payment Services Report 2020, 27 September 2020
The Financial Market Infrastructures and Payment Services Report 2020 addresses the payments sector, the central bank’s supervisory role, priorities and landscape changes in 2020. The COVID-19 pandemic had a significant impact on the payments sector, with divergent effects due to the range of available means of payment. “Cash intensive payment services” plunged, while contactless payments rose in popularity. During the first month of the lockdown, e-commerce card transactions surged 20%, in both value and volume, compared to the previous timeframe in 2019. Meanwhile, in-store payments dropped 30%. The central bank predicts that the pandemic will continue to have repercussions across the sector, and some changes, like the trend towards contactless and e-commerce, will prove permanent. This will contribute to fast-tracking the digitalization of the payments sector alongside PSD2.
Bill on Various Financial Provisions Relating to Fight Against Fraud Submitted to Parliament, 07 April 2021
The “Bill on various financial provisions relating to the fight against fraud” was submitted to parliament. Its major change is an amendment to the AML Act, which requires that obliged entities report discrepancies between information available on the ultimate beneficial owner (UBO) register and the information available to them. This supports the recently implemented Royal Decree of September 23, 2020, which aims to ensure that the UBO register is updated with accurate information. An adequate UBO register, especially one that is interconnected across the EU through the European Central Platform, is key in helping EU and member state authorities to harmonize their approach to AML/CFT. The pandemic has highlighted increasingly sophisticated and transnational cybercrime and money-laundering (ML) methodologies, which can be better identified and deterred through information sharing.
On 12 April 2021, the Federal Public Service (FPS) Finance published user manuals and FAQs to help individuals responsible for providing information to the UBO register comply with regulatory requirements.
Legislative Proposal on Transparency and AI Systems, 06 April 2021
The legislative proposal seeking to amend a 1994 law on access to government information outlines requirements on the use of AI by public authorities. In a move to promote transparency and trust in AI, public authorities must publish algorithmic rules online, especially if they contribute to individual decisions. If administrative documents include individual decisions that were made on the basis of AI, citizens have the right to demand more information on the algorithmic processing and the data processed, amongst other factors. Authorities would also have to conduct and disclose impact assessments per the GDPR. The proposal dovetails with the European Commission’s comprehensive regulatory framework on promoting trust in AI, released in April 2021.
The draft law, amending both the law of December 3, 2017 and the law of December 3, 2017, aims to establish a mechanism by which the Data Protection Authority can issue advance rulings, or “privacy rulings.” If passed, the DPA would be able to issue an advance ruling on how it might apply the law to specific situations regarding the processing of personal data. For an entity to be granted a privacy ruling, they would have to submit a formal request including information on the specific situation and legal or regulatory provisions forming the basis of the decision. A ruling would be issued in three months unless rejected or another timeline was agreed on. The draft law would be significant in providing legal clarity to data controllers, processors and others, and would ensure heightened compliance with the GDPR.
1. Waterbley, Séverine. “Belgium's Economy in a Nutshell - Economic Outlook of February 2021.” Economie, 17 March 2021. https://economie.fgov.be/en/publication/belgiums-economy-nutshell-3.
2. “Economic forecast: Some EU countries will recover in 2021, others must wait until 2022.” Euronews, 11 February 2021. https://www.euronews.com/2021/02/11/economic-forecast-some-eu-countries-will-recover-in-2021-others-must-wait-until-2022.
3. “Phishing in 2020 cost Belgians €34 million, says regulator.” The Brussels Times, 24 March 2021. https://www.brusselstimes.com/news/belgium-all-news/161561/phishing-in-2020-cost-belgians-e34-million-says-regulator/.
4. Hope, Alan. “Report: Pandemic allowed organised crime to flourish.” The Brussels Times, 15 May 2021. https://www.brusselstimes.com/news/belgium-all-news/169676/report-pandemic-allowed-organised-crime-to-flourish-mony-laundering-health-crisis-counterfeit/.
*DISCLAIMER: This information is OneSpan's interpretation of the compliance requirements as of the date of publication. Please note that not all interpretations or requirements of the applicable laws are well-settled and its application is fact- and context-specific. The information contained in this document should not be relied upon as legal advice or to determine how the law applies to your business or organization. We encourage you to seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. This information is provided “as-is” and may be updated or changed without notice. OneSpan does not accept liability for the contents of these materials.
Last updated: November 2021