ARTICLE
1 December 2025

Protecting Ethical Hackers Under Belgian Law – And How Organisations Should Respond To Vulnerabilities Disclosed To Them

Timelex

Contributor

Timelex is a leading niche law firm specialised in the legal aspects of information technology (IT), privacy & data protection (GDPR), intellectual property, and media & electronic communications. Every day we strive to match law and innovation.

While we focus on the areas in which we excel, we also advise clients on various issues of general commercial and business law, such as about distribution and franchising networks, commercial agency, unfair competition and market practices, consumer protection, product safety and product liability, general sales and purchase terms and conditions, etc.


This blog article is available in English, French and Dutch.

The security of IT systems and the data they contain is becoming increasingly crucial for businesses and public institutions, to the point of becoming a political priority in the face of what are now global and sometimes state-run IT threats. From a legal point of view, security requirements are increasing exponentially (particularly since the GDPR, the Cybersecurity Act, the NIS2 and CER directives, the CRA and DORA regulations, etc). It is in these circumstances that the Belgian legislator has chosen to confer a special protection regime on ethical hackers.

Ethical hackers are cybersecurity specialists who use their hacking skills to identify vulnerabilities in computer systems and communicate them to the organisation concerned before they can be exploited by malicious hackers ("black hat hackers").

Organisations (both companies and public institutions) can hire such specialists and auditors, either internal or external, to carry out penetration tests ("pentest") to search for, discover and correct vulnerabilities and improve the security of their systems.

Another interesting opportunity for organisations is to take advantage of the spontaneous intervention of certain ethical hackers – individuals who, autonomously and without prior contact, identify vulnerabilities and decide to report them responsibly. Owing to their sheer number and the diversity of their skills, these ethical hackers can sometimes bring to light previously unnoticed vulnerabilities, and should therefore be seen as a valuable additional lever in any cybersecurity strategy.

However, historically, (attempted) intrusion into a computer system may be punishable under criminal law if the ethical hacker has not received prior authorisation – which is of course a significant barrier. To overcome this challenge, some organisations choose to adopt a Coordinated Vulnerability Disclosure Policy (or "CVDP") explicitly authorising ethical hackers to test their systems under certain conditions, or even Bug Bounty programmes designed to encourage the search for and reporting of such vulnerabilities. In some cases, implementing such a policy is a legal requirement.

Furthermore, even if the organisation does not have a CVDP in place, or if the ethical hacker acts beyond the CVDP, the Belgian legislator has chosen to grant special legal protection to ethical hackers in order to prevent them from exposing themselves to criminal prosecution when pursuing a "noble cause". This way, ethical hackers can report vulnerabilities without fear of reprisals.

This blog post will first focus on this protective regime and its conditions of application, before looking at the obligations of organisations that are notified of vulnerabilities.

1. Protection from criminal prosecution

The protection regime is conferred by the Belgian law of 26 April 2024. This law transposes the NIS2 directive, but it is not necessary for the organisation to be subject to NIS2 for the ethical hacker to be protected (as the law covers vulnerabilities in any "ICT service or product" within the meaning of the Cybersecurity Act).

Article 23 of the Belgian law protects ethical hackers (both natural and legal persons) from criminal prosecution in Belgium.

Ethical hackers must thus be vigilant as to the laws applicable outside Belgium. If they are acting from another country, if the targeted company is established in another jurisdiction, or if the IT infrastructure is hosted outside Belgium, they could be subject to local laws, which may differ and entail legal risks, even in cases of good faith.

Belgian protection applies to the listed criminal offences (relating to intrusion into computer systems, interception of data and breach of professional secrecy by persons subject to such an obligation) and applies only if the following five, or in certain cases six, cumulative conditions are met:

  1. No intent to defraud or to cause harm.
  2. The hacker makes a simplified notification to the organisation and to the Belgian Computer Security Incident Response Team (CSIRT) (within 24 hours of discovery). It should be noted that if the ethical hacker is acting in the context of a CVDP, the CSIRT considers that it does not need to be notified. This seems logical since, in such cases, the ethical hacker is already duly authorised to search for and report vulnerabilities, so that their actions do not in principle constitute a criminal offence. However, hackers intending to avail themselves of the CVDP should take great care to follow all the terms and conditions and, in case of doubt, notify the CSIRT anyway. It should also be noted that in the event of notification, the CSIRT must preserve the anonymity of the ethical hacker if they so request.
  3. The hacker makes a full notification to the organisation and to the Belgian CSIRT (within 72 hours).
  4. Not to have acted beyond what was necessary and proportionate.
  5. No public disclosure of the vulnerability.
  6. In certain cases, to have concluded an a priori agreement (see next heading).

2. Additional condition (for vulnerabilities in the IT systems and information of intelligence services, police forces, judicial bodies, etc.)

For the reporting of vulnerabilities relating to certain entities such as the police, intelligence services, judicial bodies, etc., it is necessary to conclude an a priori agreement defining the research procedures.

It is therefore important that this agreement is in place before security testing begins, and not after a vulnerability has been discovered. If this additional condition is met, the same protection is conferred on the ethical hacker.

3. Another possible protection regime: the whistleblowers directive

It is worth noting that if one of the six conditions is not met – for example, if the prior agreement was not concluded or could not be respected – the Whistleblowers Directive and its national transpositions could potentially offer similar protection to the ethical hacker, provided that the legal requirements for whistleblowers are strictly respected. Caution is advised, and national transposition laws should be carefully considered in order to carry out a thorough, context-specific assessment.

If you, or your company, have discovered a vulnerability (whether or not in the context of a whistleblowing procedure) and are wondering how you should react, please do not hesitate to contact us.

4. There is no specific obligation for the company or entity concerned to compensate the ethical hacker financially or through public recognition.

As already mentioned, organisations are free (or even required, for example under the CRA, cybersecurity certification or benchmark) to set up a CVDP, and may also provide for reward schemes for ethical hackers who discover vulnerabilities and report them, for example in the form of money and/or public recognition (e.g. on a dedicated "Acknowledgments" or "Security Hall of Fame" page).

In the absence of a CVDP with a reward programme, the organisation is not in principle obliged to reward the ethical hacker.

Indeed, the Belgian law of 26 April 2024 grants protection but does not provide for any obligation to compensate.

An ethical hacker who demands compensation of any kind in the absence of such a programme would more than likely be acting beyond the conditions set out in Article 23, as the actions covered by the protection are limited (4th condition of the law: the hacker may not act beyond what is strictly necessary and proportionate to verify the existence of a vulnerability and report it, and therefore may not claim any form of remuneration or recognition).

Even if an ethical hacker felt that they were entitled to a reward or compensation for their work, they could under no circumstances "blackmail" by keeping part of the information relating to the vulnerability, because:

- the 2nd and 3rd conditions oblige them to disclose all relevant information on the vulnerability to the entity and to the CSIRT within the time limits;

- the 1st condition prohibits fraudulent or harmful intent, and blackmail would be tantamount to ransom. Finally, the ethical hacker would also not be able to publicly disclose the vulnerability (5th condition).

That said, it is generally in the interests of organisations to provide financial compensation, or at least a degree of visibility, to ethical hackers who report vulnerabilities, as more ethical hackers will test their systems and, if a vulnerability is discovered, will choose to report it via secure channels and in ways determined by the organisation (instead of sometimes illegally selling it to third parties).

Ethical hackers will certainly appreciate that the Centre for Cybersecurity Belgium (which includes the Belgian CSIRT) has put a "Wall of Fame" online and maintains it.

5. What are the obligations of an organisation informed of a vulnerability?

The first part of this article focused on the protection and obligations of ethical hackers. What follows is an overview of the obligations of organisations following the reporting of a vulnerability.

If a vulnerability is discovered by an ethical hacker, the best course of action for the organisation is to investigate promptly and address it, thereby reducing the risk of negative impacts. If necessary, the CSIRT can provide assistance.

Legal obligations arising from different legislation may also apply, sometimes cumulatively.

5.1. Obligations under the NIS2 Directive

If the organisation is subject to the NIS2 Directive and its transposing legislation, an obligation to notify (not of the vulnerability, but of the incidents it may have caused), as well as an obligation to ensure that corrective measures or measures to mitigate the vulnerability are in place, may apply.

If a vulnerability is discovered by an ethical hacker and reported to the organisation concerned, the latter should first conduct an internal investigation to determine whether this vulnerability has been exploited by malicious actors and has caused, or is likely to cause, a serious operational disruption ("significant incident"), in which case there is an obligation to notify the Belgian CSIRT.

In certain cases, the organisation must also notify the significant incident to the recipients of its services.

Please note that these notification obligations exist even if the ethical hacker has already notified the vulnerability in accordance with the protection conditions set out above.

In addition, all organisations, whether subject to the NIS2 directive or not, can make voluntary notifications.

Finally, whether or not the incident is notifiable, Article 21 of the Directive (Article 30 of the Belgian law) imposes a general obligation to ensure security and to examine the "appropriate and proportionate technical, operational and organisational" measures that need to be taken to manage the risks – including, therefore, those posed by the vulnerability that the ethical hacker reported.

5.2. Obligations under the GDPR

A vulnerability discovered by an ethical hacker may have been exploited by malicious actors to breach the security of personal data.

If exploitation of the vulnerability has led to "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed", Article 33 of the GDPR applies.

  • If the organisation is the data controller, it is subject to an obligation to notify the data protection authority, unless the data leak is not likely to give rise to a risk to the rights and freedoms of natural persons. In certain cases, Article 34 of the GDPR also requires the data subjects to be notified.
    It should be noted that, although the Belgian national cybersecurity authority (of which the CSIRT is a part) itself has an obligation to collaborate with the data protection authorities and even, in certain cases, to inform them of a (potential) data breach that has been notified to it, the GDPR notification obligation to which the data controller is subject is a separate obligation.
  • If the organisation is a processor, it must notify the breach "without undue delay" to the controller to enable it in turn to notify the authority. Please note: attention should also be paid to the processing agreement concluded between the organisation and the controller, which may stipulate more precise deadlines and render the organisation contractually liable.

Furthermore, in accordance with the principle of integrity and confidentiality (article 5.1.f) and the principle of accountability (article 5.2) of the GDPR, the controller is obliged to guarantee and be able to demonstrate that its processing of personal data is secure. Consequently, the controller should always investigate a vulnerability that has been reported to it by an ethical hacker.

Furthermore, Article 32 of the GDPR requires both controllers and processors to "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". Ignoring a vulnerability and/or failing to provide any corrective measures could constitute a breach of this duty to ensure the security of processing.

5.3. Other potential obligations

Other EU or national obligations may also apply, for example if the organisation is an essential entity within the meaning of the CER Directive, is subject to CRA, or is a provider of public electronic communications services.

If your organisation discovers a vulnerability, possibly thanks to an ethical hacker, is faced with a security incident or wishes to implement policies for the disclosure of vulnerabilities, do not hesitate to contact us for legal assistance and to determine your precise obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
