Belgium
Fourteen Eyes member, home of the landmark IAB Europe TCF ruling, and operator of the world’s oldest intelligence service
EU Member State: Belgium is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers Belgium’s national implementing legislation, domestic enforcement record, intelligence and surveillance laws, and its role in the Fourteen Eyes intelligence alliance.
Overview
Because Belgium hosts the EU institutions in Brussels, its data protection authority frequently finds itself at the center of cases with continent-wide implications. The most significant of these, the IAB Europe Transparency and Consent Framework (TCF) case, produced a ruling with implications for how consent is managed across the online advertising ecosystem, affecting billions of daily ad transactions.[1]
On the intelligence side, Belgium operates the world’s oldest intelligence service. The Veiligheid van de Staat / Sûreté de l’État (VSSE) was founded on October 15, 1830, just weeks after Belgium declared independence from the United Kingdom of the Netherlands, making it older than even the Vatican’s intelligence apparatus.[2] For most of its existence, the VSSE operated almost exclusively through human intelligence (HUMINT), a legacy of scandals in the 1980s that stripped it of technical surveillance capabilities for decades. It was not until the BIM Law of 2010 that Belgian intelligence services were authorized to conduct signals intelligence and electronic surveillance.[3]
Belgium is also a member of the Fourteen Eyes intelligence alliance (formally the SIGINT Seniors of Europe, or SSEUR), contributing intelligence from both its civilian and military services to the broader Western signals intelligence sharing network.[4] The combination of an active data protection authority based in the capital of the European Union, a historically cautious intelligence service that only recently acquired electronic surveillance powers, and an active role in multinational intelligence sharing creates a distinctive privacy landscape.
Data Protection Authority: APD/GBA
The Autorité de protection des données (APD) in French, or Gegevensbeschermingsautoriteit (GBA) in Dutch, is Belgium’s national data protection supervisory authority. It was established by the Law of 3 December 2017, replacing the former Commission for the Protection of Privacy (Commission de la protection de la vie privée), which had served as Belgium’s data protection body since 1992.[5]
The restructuring introduced substantive changes. The 2017 law created a significantly more powerful institution, organized into six distinct bodies: a General Secretariat, a First-Line Service, a Knowledge Centre, an Inspection Service, a Litigation Chamber (which imposes fines and corrective measures), and a General Assembly. This multi-chamber architecture gives the APD/GBA both advisory and enforcement capabilities: the Inspection Service investigates, and the Litigation Chamber adjudicates, creating an internal separation of functions.[5]
As a bilingual authority operating in both French and Dutch, reflecting Belgium’s linguistic divide, the APD/GBA is uniquely positioned within the EU supervisory landscape. Its location in Brussels means it frequently handles cases involving EU institutions, international organizations, and the headquarters of major industry bodies. This geographic circumstance was a factor when the authority took on the IAB Europe TCF case.
The IAB Europe TCF Case
The APD/GBA’s most notable enforcement action targeted the very infrastructure of consent management in online advertising. The Transparency and Consent Framework (TCF), developed by IAB Europe (the Interactive Advertising Bureau’s European arm), is the technical standard used by most websites across Europe to collect and transmit user consent preferences to advertising partners. When a user clicks “Accept” or “Reject” on a cookie banner, the TCF generates a TC String, an encoded text string that records those preferences and is passed through the real-time bidding chain to hundreds of advertising intermediaries.[1]
In February 2022, the APD/GBA ruled that the TC String constitutes personal data (because it can be linked to an identifiable user via IP address) and that IAB Europe was a joint controller for its processing. The authority imposed a fine of EUR 250,000 and ordered IAB Europe to bring the TCF into GDPR compliance within six months. The violations included lack of a valid legal basis for processing, transparency failures, and inadequate security measures.[1]
IAB Europe appealed to the Belgian Market Court (a division of the Brussels Court of Appeal). In March 2024, the Court of Justice of the European Union (CJEU) weighed in with a preliminary ruling confirming that TC Strings are personal data and that a framework organizer like IAB Europe can be a joint controller, but only for specific processing operations, not for everything that TCF participants do with the data downstream.[6]
In May 2025, the Belgian Market Court delivered its final ruling. The court upheld the EUR 250,000 fine but significantly narrowed the scope of IAB Europe’s joint controllership. The court held that IAB Europe is a joint controller with TCF participants only for the creation and use of TC Strings by publishers and vendors, not for all downstream advertising processing carried out by TCF participants. The court also rejected the APD/GBA’s position that IAB Europe bore responsibility for the advertising processing activities of the hundreds of companies participating in the TCF.[7]
The practical implications are significant. The TCF underpins consent management on millions of websites. The ruling establishes that industry bodies that design and govern data-sharing standards can be held responsible as joint controllers for the processing those standards facilitate, even if the body itself never directly handles user data. For the adtech industry, this creates a new category of GDPR liability that extends far beyond traditional controller/processor relationships.[8]
Other Notable Enforcement (2024–2025)
Beyond the IAB Europe case, the APD/GBA has maintained an active enforcement posture across a range of issues:
| Decision | Amount | Violation |
|---|---|---|
| Decision 07/2024 | EUR 174,640 | Data broker fined for unlawful reliance on legitimate interest to collect personal data from third-party sources without adequate information to data subjects[9] |
| Decision 87/2024 | EUR 172,431 | Direct marketing company penalized for failure to honor erasure requests and appointing an overloaded part-time DPO (fine reduced from EUR 245,000 due to financial hardship affecting 400 jobs)[10] |
| Decision 114/2024 | EUR 45,000 | Employer fined for unlawful use of fingerprint-based biometric timekeeping system without adequate legal basis[9] |
| Decision 107/2024 | EUR 100,000 | Failure to process data subject access requests within the GDPR’s one-month time limit[9] |
These decisions reveal the APD/GBA’s enforcement priorities: the authority has shown a particular willingness to penalize organizations that fail to comply with data subject rights requirements, whether by ignoring erasure requests, delaying access requests, or deploying biometric systems without proper justification. The data broker fine in Decision 07/2024 is especially notable, as it directly challenged the common industry practice of relying on “legitimate interest” as a legal basis for collecting personal data from third-party sources, a practice many data brokers across Europe still rely on.[9]
National Framework
Law of 30 July 2018 (Loi du 30 juillet 2018 relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel)
Belgium’s primary data protection statute is the Law of 30 July 2018, which entered into force on September 5, 2018 upon publication in the Moniteur belge. This law replaced the Privacy Protection Act of 8 December 1992 and serves as Belgium’s national implementation of the GDPR, exercising the margin of maneuver that the regulation grants to Member States.[11]
Key provisions include:
- Age of digital consent set at 13: Belgium exercised the GDPR’s Article 8 derogation to lower the age at which children can independently consent to information society services from the GDPR default of 16 to 13 years. Below that age, consent must be given by a legal representative. This places Belgium among the most permissive EU Member States on this point, alongside Denmark, Sweden, and the United Kingdom (which also chose 13).[12]
- Collective redress for GDPR infringements: The law enables representative actions for data protection violations, a mechanism open to small and medium-sized enterprises (SMEs) as well as advocacy organizations, broadening access to enforcement beyond regulators alone.[11]
- Extended DPO obligations: Beyond the GDPR’s mandatory DPO requirements, Belgian law extends Data Protection Officer obligations to federal public authority processors and to organizations carrying out archiving or research activities in the public interest.[11]
- Injunctive relief via summary proceedings: Data subjects can seek injunctions through Belgian summary proceedings (procédure en référé), providing a rapid judicial remedy for ongoing GDPR violations without waiting for the APD/GBA’s administrative process.[13]
- Criminal justice data processing: Title II of the law transposes Directive (EU) 2016/680 on the processing of personal data in the prevention, investigation, detection, or prosecution of criminal offenses, including the establishment of the Control Body on Police Information (COC).[11]
- Intelligence services data processing: The law also regulates data processing by Belgian intelligence services, creating a specific legal framework that balances national security needs with data protection principles.[11]
Electronic Communications Act (Loi du 13 juin 2005 relative aux communications électroniques)
Belgium’s Electronic Communications Act of 13 June 2005 implements the EU ePrivacy Directive and governs cookie consent, electronic marketing, and telecommunications privacy. The law was significantly amended on December 21, 2021 to transpose the European Electronic Communications Code (EECC).[14]
Belgium’s cookie consent rules are among the stricter in Europe:
- Cookie walls are prohibited: Websites may not condition access to content on the acceptance of non-essential cookies. Users must be able to access the service regardless of their cookie preferences.[15]
- Granular consent required: Consent must be obtained per cookie or at minimum per category of cookies. Blanket “accept all” without granular options does not constitute valid consent.[15]
- No pre-ticked boxes: In line with the CJEU’s Planet49 ruling, consent must be obtained through an affirmative action by the user. Pre-selected checkboxes or sliders do not satisfy the consent requirement.[16]
- Exemptions: Cookies strictly necessary for the transmission of a communication or for providing a service explicitly requested by the user are exempt from the consent requirement.[14]
The APD/GBA has actively enforced these rules, ordering multiple controllers to redesign their cookie banners to include a clearly visible “reject all” option on the first layer, not hidden behind a “settings” or “manage preferences” screen.[16]
Surveillance and Intelligence
VSSE (Veiligheid van de Staat / Sûreté de l’État)
The VSSE is Belgium’s civilian intelligence and security service. As noted in the Overview, it is the world’s oldest continuously operating intelligence service, originally established as the Public Security office tasked with stabilizing the nascent state against internal subversion and external interference.[2]
The VSSE operates under the authority of the Minister of Justice and is responsible for counterintelligence, counterterrorism, countering extremism, protection of the scientific and economic potential of Belgium, and proliferation-related threats. It maintains contacts with over 90 sister intelligence services worldwide and participates in the Club de Berne (an informal grouping of European intelligence chiefs) and the Counter Terrorism Group (CTG).[17]
As described above, the VSSE’s decades-long restriction to HUMINT methods following the 1980s scandals left it without technical intelligence capabilities until the BIM Law of 2010 restored those powers (see the dedicated BIM Law section below).[3]
SGRS/ADIV (Service Général du Renseignement et de la Sécurité / Algemene Dienst Inlichting en Veiligheid)
Belgium’s military intelligence service operates under the authority of the Minister of Defence. The SGRS/ADIV is responsible for military intelligence collection, military counterintelligence, and information security within the Belgian armed forces.[18]
The SGRS/ADIV possesses significantly broader technical capabilities than the civilian VSSE. Notably, the military service is authorized to employ BIM methods outside Belgium’s borders, including the ability to break into computer systems, intercept communications, and record images in foreign territories, capabilities that the VSSE may only exercise domestically.[18] The SGRS/ADIV has developed a particularly strong cyber intelligence capacity, reflecting Belgium’s role as host of both NATO headquarters and numerous EU institutions, which makes it a high-value target for state-sponsored cyber espionage.
Intelligence and Security Services Act 1998 (Law of 30 November 1998)
The Organic Act of 30 November 1998 provides the legal foundation for both the VSSE and the SGRS/ADIV. This law defines the missions, powers, and operational boundaries of Belgium’s two intelligence services and established the framework later expanded by the BIM Law.[19]
The 1998 Act classifies intelligence methods into three tiers of increasing intrusiveness:
- Ordinary methods: Open source intelligence, analysis of publicly available data, and general surveillance that does not require special authorization
- Specific methods: More intrusive techniques such as targeted physical surveillance, observation of communications metadata, and covert searches of luggage or vehicles, requiring authorization from the service director
- Exceptional methods: The most intrusive techniques, reserved exclusively for grave threats to national security, including wiretapping, interception of communications content, computer network exploitation, and covert entry into private residences. These require authorization from a commission of magistrates and ongoing oversight by the Standing Committee I[19]
BIM Law (2010 Amendment)
The Wet op de Bijzondere Inlichtingenmethoden (Special Intelligence Methods Act), adopted on January 21, 2010, ended the decades-long restriction on technical intelligence collection described in the Overview. The law authorized the following capabilities:[3]
- Targeted interception of telecommunications and electronic communications
- Electronic data inspection and metadata collection
- Physical surveillance using technical devices
- Computer network exploitation (CNE) – the ability to access and extract data from computer systems remotely
- Covert recording of images and audio in private and public spaces
All BIM methods are subject to judicial approval (via a commission of magistrates known as the BIM Commission) and ongoing oversight by the Standing Committee I. The BIM Commission reviews requests for the most intrusive methods before they are authorized, while the Standing Committee I monitors operations during and after execution and can suspend intelligence methods at any time if it determines they are unlawful.[20]
Standing Committee I (Comité permanent de contrôle des services de renseignements)
The Standing Committee I (also known as Comité R or Comité I) is Belgium’s independent intelligence oversight body. Established by the Act of 18 July 1991 and operational since May 1993, it reports directly to the Federal Parliament and exercises external oversight over both the VSSE and the SGRS/ADIV, as well as the Coordination Unit for Threat Analysis (OCAM/OCAD).[20]
The Standing Committee I possesses several powers that distinguish it from oversight bodies in other EU member states:
- Real-time oversight: The committee monitors the use of BIM methods both during and after operations, not merely in retrospective review
- Suspension power: The Standing Committee I can suspend the application of any intelligence method at any time if it determines the method is being used unlawfully or disproportionately[20]
- Double-check mechanism: For the most intrusive methods (wiretapping, hacking, eavesdropping), the BIM Commission of magistrates first grants permission, and the Standing Committee I then independently verifies the authorization, creating a dual-layer oversight structure[21]
- Data protection supervisory authority: Following a 2018 reform, the Standing Committee I was designated as the supervisory authority for all data processing by intelligence services, effectively serving as the “data protection authority” for the intelligence community, a function that the APD/GBA does not exercise[21]
This oversight architecture combines a magistrates’ commission for prior authorization with an independent parliamentary committee empowered to suspend operations in real time. The designation of Standing Committee I as data protection supervisor for intelligence services is particularly notable, as it creates a specialized body with both the security clearance and the institutional independence to meaningfully scrutinize intelligence data processing.
Fourteen Eyes: SIGINT Seniors of Europe
As introduced in the Overview, Belgium is a member of the Fourteen Eyes alliance (SSEUR), participating as a third-tier partner alongside Germany, Italy, Spain, and Sweden.[4]
The SSEUR has existed in some form since 1982, with the purpose of coordinating the exchange of military signals intelligence among its members. Both the VSSE and the SGRS/ADIV contribute to Belgium’s intelligence sharing obligations under this framework.[22]
Belgium’s position within the Fourteen Eyes is distinctive. Given the VSSE’s historical HUMINT-only posture, Belgium’s contribution to the alliance has traditionally been weaker than that of larger intelligence powers. However, the capabilities restored by the 2010 BIM Law, combined with the SGRS/ADIV’s growing cyber capabilities, have increased Belgium’s relevance as a signals intelligence partner.[3]
As with all 3rd Party UKUSA partners, Belgium’s participation in the Fourteen Eyes does not automatically protect it from being targeted by the intelligence services of its own alliance partners. An internal NSA document disclosed during the Snowden revelations stated: “The NSA can, and often do, target the signals of most 3rd party foreign partners.”[23] This dual reality, sharing intelligence with allies who may simultaneously be collecting against you, is a structural feature of the Five/Nine/Fourteen Eyes architecture.
Data Retention
Belgium’s data retention regime has a complex legal history, with three Constitutional Court challenges in a decade and an ongoing referral to the CJEU that leaves the current framework in legal limbo.
2015: First Annulment
In June 2015, the Belgian Constitutional Court annulled the national data retention law, following the CJEU’s landmark Digital Rights Ireland judgment (2014), which struck down the EU Data Retention Directive as incompatible with the right to privacy under the Charter of Fundamental Rights.[24]
2022: Geographic Risk Zones Framework
In response, Belgium enacted a new data retention framework in 2022 that attempted to comply with CJEU jurisprudence by introducing differentiated and targeted retention based on geographic risk zones. Under this framework, telecommunications providers are required to retain data in zones deemed to present heightened risk of serious crime or threats to public safety, such as airports, train and metro stations, border zones, hospitals, motorways, judicial and police buildings, and municipalities hosting critical infrastructure.[25]
Critics, including digital rights organizations and the European Pirate Party politician Patrick Breyer, have pointed out that these “targeted” geographic zones, when mapped, effectively cover the entire Belgian national territory and its entire population, amounting to general, indiscriminate retention relabeled as “targeted.”[26]
September 2024: Third Constitutional Court Ruling
On September 26, 2024, the Constitutional Court issued its third ruling on data retention, upholding the majority of the 2022 law but referring preliminary questions to the CJEU regarding the legality of geolocation data retention obligations. The court sought clarification on whether the geographic targeting model satisfies the CJEU’s requirements for “targeted retention” as articulated in La Quadrature du Net (2020) and subsequent case law.[25]
The outcome of the pending CJEU ruling will determine whether Belgium’s geographic risk zone approach survives or whether the country will need to devise yet another data retention framework, potentially its fourth attempt in a decade. The Belgian ISP industry association (ISPA Belgium) has criticized the ongoing uncertainty, noting the difficulty of implementing data retention infrastructure that may be struck down before it becomes fully operational.[27]
Commercial Surveillance Procurement: NSO Group Pegasus
Belgium has been confirmed as a customer of NSO Group’s Pegasus spyware, the sophisticated mobile device exploitation tool capable of remotely accessing encrypted communications, activating cameras and microphones, and extracting all data from targeted smartphones. The procurement places Belgium among dozens of governments worldwide using the same commercial spyware platform.[28]
The use of Pegasus by Belgian intelligence agencies raises questions about oversight and proportionality. When Belgian intelligence services conduct surveillance activities under the Special Intelligence Methods Act of 2010, those operations are subject to legal safeguards and oversight by the Standing Intelligence Agencies Review Committee (the “Committee I”). However, Pegasus operates as a total compromise tool: once deployed on a target device, it provides unrestricted access to all communications, photographs, location data, passwords, and encrypted messaging, with no technical mechanism to limit collection to what is necessary and proportionate for a specific investigation.
The procurement of commercial spyware creates a regulatory asymmetry. Surveillance capabilities developed domestically can be designed with oversight mechanisms and technical safeguards built into the architecture. When Belgian agencies purchase Pegasus from NSO Group, a vendor selling to dozens of governments globally, they acquire a system designed for broad applicability across different legal regimes, not necessarily optimized for Belgian constitutional and legal constraints on intelligence collection.
The use of NSO spyware also illustrates how commercial surveillance markets can undermine democratic accountability. The same tool used by Belgian intelligence for legitimate national security purposes has been deployed by authoritarian regimes to target journalists, human rights defenders, and political opposition. By procuring from vendors with clients spanning democracies and dictatorships, Belgium indirectly supports a surveillance industry that enables systematic human rights abuses worldwide.
International Data Sharing Agreements
Despite Belgium’s robust GDPR enforcement by the Gegevensbeschermingsautoriteit (GBA/APD) and the Belgian Data Protection Act (July 30, 2018), Belgium participates in extensive international data sharing frameworks that give foreign agencies pathways to access data on Belgian persons through processes that often operate outside domestic judicial oversight.
Mutual Legal Assistance Treaty with the United States
Belgium maintains a bilateral MLAT with the United States, supplemented by the EU-US MLAT framework. Belgian authorities process MLAT requests, EIO requests, and spontaneous information sharing for obtaining electronic evidence. The MLAT allows Belgian law enforcement to request data on US persons, and US law enforcement to request data on Belgian persons, through diplomatic channels with average processing times of 10 months.[29]
The Belgian Data Protection Act implements GDPR and Directive 2016/680, including specific provisions on criminal data processing. However, MLAT requests operate through diplomatic channels that may involve different evidentiary standards than Belgian judicial warrants.
Fourteen Eyes (SIGINT Seniors Europe)
As detailed in the Fourteen Eyes section above, Belgium participates in the Fourteen Eyes alliance, coordinating the exchange of military signals intelligence with its partner nations.[30]
Information flows hierarchically within the alliance: Five Eyes members have access to all Fourteen Eyes intelligence, but Belgium as a Fourteen Eyes member has more limited access. Belgian intelligence services share signals intelligence with the alliance, while receiving intelligence collected globally by partner agencies.
EU Law Enforcement Data Sharing Frameworks
Schengen Information System (SIS II): Belgium participates in the EU’s largest law enforcement database. Belgian federal and local police can query SIS II in real time and contribute alerts visible to law enforcement across all Schengen countries.
European Investigation Order (EIO): Belgium participates in the EIO framework, allowing Belgian judges and magistrates to make binding requests to other EU member states for evidence, witness hearings, telephone interceptions, and banking information based on mutual recognition.
Prüm Convention: Belgium was an original signatory of the Prüm Convention (2005) and participates in automated DNA, fingerprint, and vehicle registration data comparison across EU member states. The Prüm II Regulation (2024) expands this to include facial images and police records.
SWIFT Headquarters and TFTP Agreement: A Unique Position
Belgium occupies a unique position in international financial surveillance because it hosts the headquarters of SWIFT (Society for Worldwide Interbank Financial Telecommunication), the Belgium-based company operating the worldwide financial messaging system. Under the Terrorist Finance Tracking Program (TFTP) agreement that entered into force August 1, 2010, the US Treasury issues subpoenas to SWIFT for financial transaction data from SWIFT’s EU operations center.[31]
The TFTP agreement requires Europol to verify each US request before SWIFT provides data, but the Snowden disclosures alleged that the NSA was systematically undermining the agreement by collecting SWIFT data through other channels. The arrangement means that Belgium hosts the infrastructure for a global financial surveillance system where US authorities can access international wire transfer data affecting Belgian persons and EU citizens, with Europol verification serving as the primary oversight mechanism.
The European Parliament passed a non-binding vote calling for suspension of the TFTP agreement following the Snowden revelations, but the agreement remains in force. For Belgian persons, every international wire transfer that passes through the SWIFT messaging system is potentially subject to US Treasury subpoenas under TFTP.
EU-US Data Sharing Frameworks
EU-US Umbrella Agreement: Entered into force February 1, 2017, governing personal data exchanged between EU and US law enforcement. Grants Belgian citizens judicial redress rights before US courts.
PNR Agreements: Belgium participates in the EU-US PNR agreement, enabling transfer of passenger data from Belgian air carriers to US CBP. Comprehensive personal data is shared for every passenger on Belgium-US flights.
Operation Socialist: When Belgium Was the Target
In 2013, it was revealed that UK GCHQ had conducted Operation Socialist, a sophisticated cyberattack against Belgacom (Belgium’s primary telecommunications provider) to gain access to its network infrastructure. GCHQ used watering hole attacks and the NSA’s QUANTUM injection system to compromise Belgacom engineers, then installed implants on routers and switches to intercept communications passing through Belgium, including traffic from EU institutions routing through Brussels.[32]
Belgian prosecutors opened a criminal investigation, and the incident strained UK-Belgian relations, but no charges were filed against GCHQ personnel. The operation demonstrated that even countries participating in intelligence sharing alliances (Belgium in Fourteen Eyes) can be targets of surveillance by alliance partners when strategic interests diverge. For Belgian persons and EU institutions based in Brussels, the operation showed that international data sharing agreements provide no protection against surveillance by partner nations operating outside those frameworks.
Multilateral Frameworks
Interpol I-24/7: Belgium participates in Interpol’s global network (195 countries, 100,000+ messages daily) for criminal intelligence sharing.
Egmont Group: The Belgian FIU (CTIF-CFI) participates in the Egmont Group network of 164+ Financial Intelligence Units, sharing financial intelligence on money laundering and terrorist financing.
Europol: Belgium is a major contributor to Europol data sharing, which includes cooperation agreements with the US FBI (intelligence sharing increased 30% recently).
The Privacy Backdoor Effect
Despite GDPR enforcement by the GBA/APD and the Belgian Data Protection Act’s implementation of criminal data processing safeguards, international data sharing agreements create alternative pathways for accessing data on Belgian persons:
- Fourteen Eyes Sharing: Belgian intelligence shares SIGINT with Five Eyes partners; NSA/GCHQ can collect on Belgian persons and share with Belgian intelligence
- EU Framework Sharing: Data on Belgian persons entered into SIS II, Prüm, or EIO channels becomes accessible to 27 EU member states, and through Europol, potentially to the US FBI
- MLAT Bypass: US authorities can request data via MLAT, potentially with lower evidentiary standards than Belgian judicial warrants
- SWIFT/TFTP Financial Surveillance: Belgium hosts SWIFT headquarters; US Treasury subpoenas reach international wire transfers affecting Belgian persons, subject to Europol verification
- Operation Socialist Precedent: Even as a Fourteen Eyes member, Belgium was targeted by a GCHQ cyberattack on Belgacom to intercept EU institutional traffic
For Belgian persons, this means data nominally protected by GDPR and the Belgian Data Protection Act can be accessed through Fourteen Eyes intelligence sharing, EU law enforcement frameworks (SIS II, EIO, Prüm, Europol), MLAT channels, or SWIFT/TFTP financial surveillance. The hosting of SWIFT headquarters in Belgium creates a unique vulnerability: Belgian infrastructure enables US financial surveillance of international transactions, with oversight limited to Europol verification of Treasury subpoenas.
Recent Developments
IAB Europe TCF: Action Plan Annulled (January 2026)
On January 7, 2026, the Belgian Market Court delivered a further blow to the APD/GBA’s handling of the IAB Europe TCF case by annulling the authority’s January 2023 decision that had validated IAB Europe’s corrective action plan and imposed a six-month implementation deadline. The court found the validation decision legally flawed on two grounds: first, several measures in the action plan were based on the APD/GBA’s original assumption that IAB Europe was a joint controller for all downstream advertising processing, a position the same court had already overturned in its May 2025 ruling; and second, the APD/GBA violated IAB Europe’s right to be heard by adopting the validation decision without permitting the organization to state its position. The court referred the case back to the APD/GBA, which must now issue a new decision reflecting IAB Europe’s more limited controllership, confined to the creation and use of TC Strings by publishers and vendors. The ruling effectively resets the regulatory process, leaving the TCF’s compliance status in continued uncertainty while the APD/GBA formulates a narrower set of corrective measures.[33]
Arizona Coalition Government (February 2025)
On February 3, 2025, Belgium’s new federal government was sworn in under the so-called “Arizona” coalition (named after the colors of the Arizona state flag), led by Bart De Wever (N-VA) as Prime Minister, alongside CD&V, Vooruit, MR, and Les Engagés. The coalition agreement contains significant surveillance expansion commitments. It provides for amendments to camera legislation to enable smart camera surveillance, the establishment of a “living lab” for intelligence and security services to experiment with new technology, and pilot projects for new operational applications including facial recognition technology for detecting convicts and suspects. The agreement designates the BIPT as the central regulator for implementing European digital legislation including the AI Act, the Data Act, and the Gigabit Infrastructure Act. For privacy, the agreement creates a tension between Belgium’s historically strong data protection enforcement record and a government that has explicitly committed to expanding technological surveillance capabilities.[34]
NIS2 Directive Transposition (October 2024)
The Law of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of general interest for public security transposed the NIS2 Directive (Directive (EU) 2022/2555) into Belgian law. The law was published in the Moniteur belge on May 17, 2024 and entered into force on October 18, 2024. The Centre for Cybersecurity Belgium (CCB), established by Royal Decree of 14 October 2014, serves as Belgium’s national cybersecurity authority, national CSIRT, and the supervisory body for essential and important entities under NIS2. A supplementing Royal Decree of 9 June 2024 provides the implementing details for incident notification obligations. Essential and important entities had until March 18, 2025 to register with the CCB, and all NIS2 entities are required to notify the CCB about significant incidents via its dedicated platform. Belgium was among the first EU Member States to complete NIS2 transposition, ahead of the Directive’s October 17, 2024 deadline.[35]
Digital Services Act: BIPT as Digital Services Coordinator
Belgium has designated four competent authorities for the enforcement of the Digital Services Act (DSA) (Regulation (EU) 2022/2065). At the federal level, the BIPT (Belgian Institute for Postal Services and Telecommunications) was designated by the Act of 21 April 2024 as the Digital Services Coordinator, responsible for coordinating all matters related to DSA monitoring and enforcement at the Belgian level. The three remaining competent authorities reflect Belgium’s federal structure along linguistic community lines: the Vlaamse Regulator voor de Media (VRM) for the Flemish Community, the Conseil Supérieur de l’Audiovisuel (CSA) for the French Community, and the Medienrat for the German-speaking Community. A cooperation agreement concluded on May 3, 2024 between the Federal State and the Communities organizes coordinated enforcement, information sharing, a unified Belgian position in European forums, and centralized complaint handling.[36]
EU AI Act: BIPT Designated, Governance Delayed
The Arizona coalition agreement designated the BIPT as the principal regulator for Belgium’s implementation of the EU AI Act (Regulation (EU) 2024/1689). However, Belgium missed the August 2, 2025 deadline for establishing national governance structures, including the designation of competent authorities and a single point of contact for the European Commission. As of early 2026, Belgium has not publicly confirmed a finalized list of competent authorities or a formal single point of contact. While the BIPT has created an information page on AI Act application and mapping work is underway to assign regulatory roles, Belgium’s institutional machinery for AI governance remains incomplete, meaning obligations that took effect at the EU level in August 2025, including the prohibition on certain AI practices, arrived without a fully operational domestic enforcement framework.[37]
APD/GBA Direct Marketing Recommendation (March 2025)
On March 10, 2025, the APD/GBA published Draft Recommendation 01/2025 on data processing activities for direct marketing purposes. This recommendation updates the authority’s earlier Recommendation 01/2020 to reflect new case law, Litigation Chamber decisions, and European Data Protection Board (EDPB) guidelines. Key changes include a broadened definition of direct marketing as “all activities resulting in the direct communication of messages with promotional content to one or more identified or identifiable natural persons,” and a refined “reasonable expectations” test for controllers relying on legitimate interest as a legal basis: if the data subject could not reasonably expect processing for direct marketing purposes based on the circumstances under which data was originally collected, the legitimate interest basis is unavailable. Given the APD/GBA’s 2024 enforcement record against data brokers and direct marketing companies (including the EUR 174,640 and EUR 172,431 fines detailed in the Enforcement section), the recommendation signals stricter scrutiny of the practices underpinning Belgium’s direct marketing industry.[38]
Chat Control and Encryption Access
Belgium has occupied a conflicted position on the EU’s proposed Child Sexual Abuse (CSA) Regulation, commonly known as “Chat Control.” During its 2024 Council Presidency, Belgium proposed a compromise version that restricted scanning to shared media and URLs contingent on user consent, an approach critics labeled “upload moderation” that effectively required client-side scanning. Belgium later moved to oppose the regulation, with officials describing the proposal as “a monster that invades your privacy and cannot be tamed.” However, Belgium’s position has not been consistent: the country shifted back to “undecided” ahead of the October 2025 Council vote. Meanwhile, Belgium’s National Drug Commissioner Ine Van Wymersch publicly called in December 2025 for the EU to use its regulatory power to force encrypted communication platforms, specifically naming Signal and Telegram, to cooperate with law enforcement in combating drug trafficking, arguing that these companies are facilitating criminal communications by refusing to collaborate. The tension between Belgium’s data protection establishment (which opposes mandatory scanning as incompatible with encryption) and its law enforcement community (which demands access to encrypted communications) mirrors the broader European debate and leaves Belgium’s ultimate position unresolved.[39][40]
DORA: Financial Sector Resilience (January 2025)
The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) became applicable across the EU on January 17, 2025. A Belgian implementing law adopted on January 30, 2025 allocates supervisory powers between Belgium’s two financial regulators: the FSMA (Financial Services and Markets Authority) supervises compliance for investment firms, fund managers, (re)insurance intermediaries, and crowdfunding service providers, while the NBB (National Bank of Belgium) supervises credit institutions, insurance undertakings, and payment institutions. The Belgian law grants both regulators investigative and enforcement powers, including the ability to impose fines of up to 10% of annual turnover or EUR 5 million, as well as periodic penalty payments.[41]
Data Act Implementation
The EU Data Act (Regulation (EU) 2023/2854) entered into force on January 11, 2024, with most obligations becoming applicable from September 12, 2025. The BIPT has indicated it will be designated as the national competent authority for Data Act enforcement in Belgium, though formal designation has not yet been finalized. The BIPT’s 2025 operational plan identifies Data Act implementation as a priority area. Key provisions now in effect include data access and portability obligations for connected products and related services, as well as switching provisions for data processing services. The “access by design” obligation for manufacturers of connected products will not apply until September 12, 2026, and amendments to pre-existing long-term contracts have a deadline of September 12, 2027.[42]
CER Directive Transposition (December 2025)
On December 18, 2025, Belgium enacted legislation transposing the Critical Entities Resilience (CER) Directive (Directive (EU) 2022/2557) by modifying the existing critical infrastructure security and protection law. The draft law was submitted by the Federal Government on September 27, 2025 and adopted by the relevant parliamentary committee on December 2, 2025. The CER Directive establishes a framework for enhancing the resilience of critical entities against natural, accidental, malicious, and systemic threats, and requires each Member State to adopt a national resilience strategy by January 17, 2026. Entities identified as “critical” under the CER framework will generally also qualify as “essential entities” under NIS2, creating overlapping cybersecurity and physical resilience obligations. The CCB and the National Crisis Centre (NCCN) jointly coordinate crisis management for critical entities.[43]
VSSE Intelligence Report 2025
The VSSE published its annual intelligence assessment for 2025, highlighting growing threats from state-sponsored cyber espionage, foreign interference in Belgian democratic institutions, and the evolving terrorism landscape. The report reflects an intelligence service that has fully embraced the technical capabilities granted by the BIM Law, while emphasizing the importance of the oversight framework provided by Standing Committee I.[17]
Enforcement Trends
The APD/GBA’s enforcement trajectory in 2024 and early 2025 shows a continued focus on data subject rights compliance, biometric data processing, and the practices of data brokers. The authority’s willingness to impose six-figure fines, particularly the EUR 174,640 data broker fine and the EUR 172,431 direct marketing fine, reflects increased enforcement activity. With the IAB Europe precedent now established, the APD/GBA has been involved in EU-wide adtech enforcement through several significant decisions.[9]
Data Retention Uncertainty
The CJEU referral from the September 2024 Constitutional Court ruling remains pending, leaving Belgium’s telecommunications providers in a state of legal uncertainty regarding their data retention obligations. The outcome could have implications far beyond Belgium, as other EU Member States are closely watching whether the geographic risk zone model will be validated as a lawful approach to targeted data retention.[25]
