Belgium is the first European member state to fully implement the new NIS2 legislation. This means that since 18 October 2024, at least 2,500 Belgian organisations have been required to:
- register on the website atwork.safeonweb.be
- take measures to increase cyber security
- report significant incidents to the Centre for Cybersecurity Belgium (CCB).
Obligatory notifications
Because NIS2 legislation also applies to some of our registrars, we'd like to explain what significant incidents are and when exactly you need to report them. The Safeonweb website has a tool to help you determine whether or not NIS2 applies to your organisation.
For a full explanation of the application and obligations of NIS2, we refer to CCB's NIS2 landing page and the extensive article series on that site.
Significant incidents
It has been compulsory since October to report any significant incidents to the CCB.
But what exactly are significant incidents?
Significant incidents are events that can have a considerable impact on the provision of your services. This concerns incidents:
- which caused a severe operational disruption of one of your services or caused you to suffer financial losses.
- whereby other natural or legal persons were or may be affected resulting in significant material, physical or moral damage.
- which caused or may cause industrial secrets to be leaked.
- which cause or may cause direct financial losses exceeding 500,000 euros or 5% of total annual sales in the previous financial year.
- whereby there was a successful, presumably malicious and unauthorised access to network and information systems, that may cause a severe operational disruption.
In other words, an incident on an isolated information system that is unrelated to the provision of your services need not be reported.
Specifically for DNS service providers
With regard to DNS service providers, an incident (according to Article 3 paragraph 1.g of NIS2) is significant when it meets one or more of the following criteria:
- A recursive or authoritative domain name resolution service is completely unavailable for more than 30 minutes.
- During a period of more than one hour, the average response time of a recursive or authoritative domain name resolution service to DNS requests is more than 10 seconds.
- The integrity, confidentiality or authenticity of data stored, transmitted or processed in connection with the provision of the authoritative domain name resolution service is compromised. When the data of fewer than 1,000 domain names managed by the DNS service provider are incorrect due to misconfiguration, and those domain names don't constitute more than 1% of all domain names managed by the DNS service provider, there's no significant incident.
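The three DNS criteria above can be checked against your own monitoring data. The sketch below is an added example, not code from the CCB or from this site; the `Probe` record, the function names, and the choices to measure an outage up to the next answered probe and to average only answered probes are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

OUTAGE_LIMIT_S = 30 * 60   # "completely unavailable for more than 30 minutes"
SLOW_WINDOW_S = 60 * 60    # "a period of more than one hour"
SLOW_AVG_S = 10.0          # "average response time ... more than 10 seconds"

@dataclass
class Probe:               # hypothetical monitoring sample, not a CCB format
    ts: int                # probe time, epoch seconds
    rtt: Optional[float]   # response time in seconds; None = no answer

def longest_outage(probes):
    """Longest run of unanswered probes, measured up to the next answer."""
    longest, start = 0, None
    for p in probes:
        if p.rtt is None and start is None:
            start = p.ts
        if start is not None:
            longest = max(longest, p.ts - start)
        if p.rtt is not None:
            start = None
    return longest

def slow_over_an_hour(probes):
    """True if answered probes spanning more than one hour average above 10 s."""
    answered = [p for p in probes if p.rtt is not None]
    for i, first in enumerate(answered):
        total = 0.0
        for n, p in enumerate(answered[i:], start=1):
            total += p.rtt
            if p.ts - first.ts > SLOW_WINDOW_S and total / n > SLOW_AVG_S:
                return True
    return False

def integrity_significant(affected, managed, misconfiguration):
    """Misconfiguration exemption: fewer than 1,000 names and at most 1%."""
    exempt = misconfiguration and affected < 1000 and affected * 100 <= managed
    return affected > 0 and not exempt

def dns_criteria_met(probes, affected=0, managed=0, misconfiguration=False):
    """Return which of the three DNS criteria the measurements meet."""
    met = []
    if longest_outage(probes) > OUTAGE_LIMIT_S:
        met.append("unavailable > 30 min")
    if slow_over_an_hour(probes):
        met.append("avg response > 10 s for > 1 h")
    if integrity_significant(affected, managed, misconfiguration):
        met.append("data integrity compromised")
    return met

# Constructed sample: probes every 5 minutes, no answer for 35 minutes.
SAMPLE = [Probe(t, None) for t in range(0, 2100, 300)] + [Probe(2100, 0.02)]
if __name__ == "__main__":
    print(dns_criteria_met(SAMPLE, affected=999, managed=50_000, misconfiguration=True))
```

The comparisons are strict because the criteria say "more than": an outage of exactly 30 minutes or a slow window of exactly one hour does not meet them.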
Recurrent incidents
A series of incidents that individually don't meet the criteria of significant incidents may jointly still be considered as one significant incident if they meet the following criteria:
- They occurred at least twice in six months.
- They have the same root cause.
- They meet the criteria of financial losses and unavailability of services.
How do you report a significant incident?
When you discover a suspicious event or someone alerts you to a potential incident, you need to:
- assess the event on time.
- determine whether it concerns a significant or non-significant incident.
If it's a significant incident, you need to report it immediately and in any case within 24 hours to the CCB via https://notif.safeonweb.be.
As a registrar you must subsequently also:
- notify your customers.
- communicate any actions your customers can take.
- submit an interim progress report to the CCB.
- submit a final report to the CCB at the latest one month after the report (or in case of a long-term incident after the final settlement).
Voluntary notifications
In addition to obligatory notifications, every organisation - including those not covered by the scope of the NIS2 Act - may voluntarily report non-significant and avoided incidents and cyber threats to the CCB.
A voluntary notification cannot lead to an inspection or extra obligations.
Let's get started
On the websites of the CCB and Safeonweb you'll find:
- a scoping tool that helps you to determine whether NIS2 applies to your organisation.
- the platform where you can register your organisation.
- extensive information on NIS 2 and the notification requirement in the NIS2 registration guide.