On 15 February 2023, Belgium saw the entry into force of a new ‘whistleblower’ law, which legalised ‘ethical hacking’ even in cases where the hacked entity had not consented to it. To benefit from this decriminalisation, the hacker has to fulfil a number of conditions set out in the law in order to be excused from any criminal liability. In this blogpost, we give an overview of the new Belgian whistleblower law, from its definition of ethical hacking to the conditions for decriminalisation, and conclude with the potential consequences of the law for the state of cybersecurity in Belgium and beyond.
When is hacking ‘ethical’?
A hacker is commonly understood in an IT context as somebody who gains unauthorised access to a computer system or network. Such unauthorised access can be motivated by criminal intentions, for example extorting money from the victims by blocking their access to their own system until they pay a ransom (a so-called ‘ransomware attack’). Such hackers are typically referred to as ‘black hat hackers’. Yet there are also hackers motivated by other considerations, for example those who hack a computer system or network in order to demonstrate a vulnerability that could otherwise be exploited by a black hat hacker. These ‘ethical’ hackers are also called ‘white hat hackers’. The work of ethical hackers can be of great advantage to organisations managing computer systems or networks, as it allows them to address cybersecurity vulnerabilities before they are exploited and thus to prevent cybersecurity incidents from occurring. Ethical hacking can therefore be a means to improve the cybersecurity of the IT systems of both companies and public authorities.
When is ‘ethical’ hacking legal under the new Belgian law?
Before the new Belgian whistleblower law, all forms of hacking, including ethical hacking, were punishable under Belgian criminal law unless the entity being hacked had consented to it. This exception already enabled a variety of Belgian organisations to make use of ethical hackers to raise their level of cybersecurity, for example by offering (financial) rewards, so-called ‘bug bounties’, to ethical hackers who helped them discover a vulnerability. Cooperation between ethical hackers and organisations typically took place in the context of a ‘coordinated vulnerability disclosure policy’ (CVDP). A CVDP is a set of rules drawn up by the organisation managing an IT system, which offers a legal framework for collaboration between that organisation and ethical hackers. It has to be published online, for exa