🇧🇪Digital Operational Resilience Act in Belgium
A comprehensive guide to Digital Operational Resilience Act compliance for organisations operating in Belgium. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.
About Digital Operational Resilience Act
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
Digital Operational Resilience Act Enforcement in Belgium
Belgium's APD/GBA is a bilingual authority (French/Dutch) that has gained prominence through its scrutiny of the online advertising ecosystem. The APD issued a landmark decision against IAB Europe regarding the Transparency and Consent Framework (TCF) used by the programmatic advertising industry, finding it violated GDPR — a decision upheld by the Belgian Market Court and later referenced by the CJEU. Belgium supplemented the GDPR through the Law of 30 July 2018, which addresses processing of genetic, biometric, and health data, journalistic exemptions, and the processing of judicial data. The APD has also focused on political campaigns, airport biometric systems, and public sector compliance.
Data Protection Authority
Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA)
Key Enforcement Focus Areas in Belgium
- Online advertising and consent frameworks (IAB TCF)
- Programmatic advertising ecosystem compliance
- Biometric data at airports and public spaces
- Political campaign data processing
- Public sector and government data sharing
Notable Enforcement Actions in Belgium
IAB Europe
GDPR violations in Transparency and Consent Framework used by programmatic ad industry — upheld on appeal
Google Belgium
Failure to comply with right to erasure and right to be forgotten requests from Belgian citizens
Brussels Airport Company
Processing passenger biometric data through facial recognition boarding system without adequate legal basis
Proximus SA
Continuing direct marketing communications after customers exercised right to object
Check Your Compliance Status
Take our free assessment to evaluate your organisation's compliance posture. Get a personalised report with actionable recommendations in minutes — no sign-up required.
Start Free AssessmentDisclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
Other Regulations Affecting Belgium
General Data Protection Regulation (GDPR)
The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.
Network and Information Security Directive (NIS2)
The updated EU cybersecurity directive that expands security requirements to a broader range of sectors and imposes stricter obligations on essential and important entities.
EU Artificial Intelligence Act (AI Act)
The world's first comprehensive AI regulation, establishing a risk-based framework for the development, deployment, and use of artificial intelligence systems within the EU.
ePrivacy Directive (2002/58/EC)
The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".