Concept

The metaverse is a term describing a hypothetical, future, enhanced, digital environment where users will be able to move smoothly between several spheres (social, work, leisure, shopping, etc) in one single digital environment. The metaverse could also be seen as the integration of the digital and physical worlds.

In practical terms, the metaverse is an advanced version of the internet that can be accessed through VR headsets, augmented reality appliances and more common devices such as mobile phones and personal computers or laptops. So far, the metaverse is mainly a commercial venture and competition is increasing between major technology companies, all of which are developing their own metaverse offerings.

Laws and Regulations

No specific laws for the metaverse have been introduced. Accordingly, all general laws and principles that apply to the “real world” by default also apply to the metaverse.

For example, general contract law will apply to the transactions concerning non-fungible tokens (NFTs), intellectual property protects works can be generated and enforced in the metaverse, and companies active in the metaverse will have to comply with data protection and consumer laws. Furthermore, all criminal law provisions will also apply to offences committed in the metaverse.

According to established case law relating to online disputes, Belgian law will apply to websites which envisage a public in the Belgian territory.

In many situations the legal framework can be applied seamlessly to the digital situation, but there may be situations where the existing laws are not always adapted to the reality of the metaverse.

Key Legal Challenges

A select number of key legal challenges are outlined below.

Intellectual property rights

The enforcement of intellectual property rights in the metaverse may lead to practical difficulties and challenges, just as it has been in the past for Web 1.0 and Web 2.0 disputes. Therefore, it will be important for businesses to actively monitor the metaverse for possible infringements.

One of the questions that will arise is which jurisdiction will be competent to examine infringement claims that might take place in the metaverse, as the metaverse does not belong to a concrete jurisdiction and as it may be difficult to identify the real identity of the infringer.

Data protection and cybersecurity

Lots of personal data will be processed in the metaverse. This will range from traditional types of personal data to the tracking of movements and activities in the metaverse. Given the cross-border character of the metaverse, many different data protection laws may need to be taken into account when processing personal data.

Book XII of the Belgian Code on Economic Law is dedicated to regulating the digital economy. This includes the Belgian implementation of the Directive on electronic commerce.

New Belgian laws are to be expected, given the recent entry into force of the EU Digital Markets Act (DMA) and the EU Digital Services Act (DSA), respectively on 1 November and 16 November 2022.

The DMA targets online platforms which qualify as “gatekeepers” and therefore create a bottleneck in the digital economy. Regulating these platforms will enhance competition and create a fairer business environment for businesses who depend on gatekeepers.

The DSA will introduce a new standard for the accountability of online platforms regarding illegal and harmful content.

Laws and Regulations

As there are no contracting laws specifically tailored to cloud and edge computing contracts in Belgium, general contract law applies to such contracts (consumer laws, specific laws for certain kinds of contracts, etc). Contractual arrangements thus need to be heavily relied on in order to cover issues not dealt with under traditional contract law, or dealt with in a way that is not readily applicable to cloud and edge computing. In addition to contract law, a number of other laws and regulations also apply to specific issues or aspects of cloud solutions.

The Directive on Security of Network and Information Systems (the “NIS Directive”) mainly aims to strengthen critical infrastructure in the EU, but also contains provisions regarding cloud computing. Providers of critical infrastructure have to comply with the (national implementation of the) security requirements of the NIS Directive – ie, the requirement to adopt appropriate security measures.

The NIS Directive was transposed into Belgian law through the Belgian NIS Act of 7 April 2019 (the “NIS Act”), and its executing Royal Decree of 12 July 2019. On 16 December 2020, the European legislator presented a new cybersecurity strategy and published two new proposals: a Directive on measures for high common level of cybersecurity across the Union (NIS 2), and a new Directive on the resilience of critical entities. Both texts have recently been adopted, which illustrates the increased attention paid by the European Union to cybersecurity. Thus, the implementation under Belgian law of both Directives will, in principle, start soon.

Regulations in Specific Industries

To date, there are few sector-specific rules in Belgium in relation to cloud services, as several sectors have rules in relation to outsourcing in general (eg, in the banking and insurance sector).

In 2019, for instance, the National Bank of Belgium (NBB) issued a new circular on outsourcing arrangements (the “Circular”) that applies to a wide number of financial institutions. With the Circular, the NBB has fully integrated the European Bank Authority Guidelines on outsourcing arrangements of 25 February 2019 (the “EBA Guidelines”) into its supervisory practices.

In order to be compliant, financial institutions wishing to outsource part of their activities must, among other things, ensure that the outsourcing contract provides for a range of obligations and must submit a file to the regulator in certain circumstances. Similar but more strict obligations exist for (re)insurance companies.

On 28 November 2022, the European Council adopted the regulation  on digital operational resilience for the financial sector (DORA) which aims to ensure that all EU financial entities are subject to a common set of standards to mitigate ICT risks for their operations.

Processing of Personal Data

The General Data Protection Regulation (GDPR) is applicable to all processing of personal data. To the extent that the data uploaded by an organisation includes personal data, the GDPR will also be applicable to cloud solutions and will have to be taken into account by both cloud providers and users. Certain obligations and restrictions under the GDPR can be especially problematic with regard to cloud solutions (eg, data transfers to third countries). 

For instance, the GDPR prohibits data transfers to third countries without either being able to rely on an adequacy finding issued for the third country by the European Commission (eg, Japan, Switzerland, New Zealand) or having provided appropriate safeguards (eg, binding corporate rules, standard contractual clauses, an approved code of conduct or certification mechanism). If a cloud provider has data centres in such third countries, this requirement should therefore be taken into account.

In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in the Schrems II decision, which has created significant uncertainty for many companies. Among other things, it follows from the judgment that one can only rely on appropriate safeguards (eg, standard contractual clauses) for a transfer to a non-adequate third country where an appropriate risk assessment has been carried out to evaluate whether the law of the third country of destination ensures adequate protection of the transferred personal data and, where necessary, additional safeguards have been implemented. If a cloud provider has data centres in such third countries, or where access from those third countries to personal data in the European Economic Area (EEA) is possible, this requirement should therefore be taken into account.

The European Data Protection Board (EDPB) has issued recommendations on the measures that can be used to supplement transfer tools (No 1/2020), on the European Essential Guarantees for surveillance measures (No 2/2020) and, more recently, also guidelines on the interplay between the GDPR’s territorial scope and the data transfer rules (No 5/2021). The latter guidelines define, for the first time at EU level, the concept of “transfers”.

The European Commission has also issued modernised standard contractual clauses to remedy some of the deficiencies identified by the CJEU in the Schrems II decision. Until recently, controllers and processors could continue to use the old standard contractual clauses adopted under the previous Directive 95/46 for contracts concluded before 27 September 2021, as long as the processing operations subject to the contract remain unaltered. Since 27 December 2022, this is no longer the case.

Moreover, the obligation to notify data breaches to both data subjects and data protection authorities will typically require more extensive involvement of the cloud service provider than in the case of local IT solutions, given the typically greater reliance on the cloud service provider.

In cloud computing contracts, other aspects have to be carefully planned, such as the question of return or destruction of personal data, the question of liability of the provider, etc. In this respect, the working group on Switching Cloud Providers and Porting Data (SWIPO) presented two data portability codes of conduct to the European Council and European Commission, which were published in May and July 2020.

Laws and Regulations

Artificial intelligence and big data will be governed under an array of laws and regulations.

Legal challenges

Liability

As one of the characteristics of AI is that it can take decisions with a degree of autonomy, the question of liability (“who is responsible when an AI system causes damage or breaches the law?”) quickly emerged. In this respect, the European Parliament adopted a resolution with recommendations to the Commission on a civil liability regime for artificial intelligence on 20 October 2020 in which it stated that there is no need for a complete revision of liability regimes, but that the capacity of self-learning and the potential autonomy of Al-systems requires specific and co-ordinated adjustments to the liability regimes. The European Parliament also emphasised that the new common rules for Al-systems should take the form of a regulation.

On 21 April 2021, the European Commission published a proposal for a regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (the “Artificial Intelligence Act”) and amending certain union legislative acts. The proposed Artificial Intelligence Act contains a tiering of regulatory requirements depending on the inherent risk associated with the Al system that is being used – namely (i) prohibited Al practices, (ii) high-risk Al systems and (iii) low-risk Al systems. High-risk Al systems are permitted provided the strict controls set out in the regulation to mitigate the risks are in place. Key regulatory controls on high-risk Al systems include the obligation to maintain complete and up-to-date technical documentation and to ensure a high level of accuracy, robustness and security. This Regulation is expected to enter into force in 2023 with a transitional period. As of the second half of 2024, it can be expected that the regulation will be applicable to operators.

Additionally, the Commission has adopted a proposal for an Artificial Intelligence Liability Directive (AILD) on 28 September 2022. The Directive aims at improving the functioning of the internal market by laying down rules for certain non-contractual civil liability for damage caused with the involvement of AI.

For now, liability questions regarding Al are still governed by the general liability framework. Regarding non-contractual liability, Belgian law sets out three conditions that need to be fulfilled for liability to be attributable to a party: fault, damage and a causal link between the two. The burden of proof lies with the claimant. Where an AI system causes harm, however, it may be difficult to determine with precision which action or inaction led to the breach or damage and whether it was a “fault”.

It remains to be seen whether non-compliance with (some of) the obligations set out in the Artificial Intelligence Act will contribute/lead to the determination that the supplier/user has made a “fault”. The AILD would introduce a rebuttable presumption of causality in the case of fault – ie, the lack of compliance with a duty of care under the AI Act, or any other EU or national law.

Given the current legal uncertainty, organisations working on projects involving AI systems must carefully regulate liability in their contractual arrangements, including matters that have an indirect impact on liability (eg, applicable law and choice of jurisdiction).

Data protection

AI systems process vast quantities of data, including personal data in most cases. In accordance with the requirements of the GDPR, key requirements such as data minimisation and privacy by design have to be taken into account when creating or working with AI systems in Belgium.

Intellectual property

Most relevant in this respect is copyright. The conditions of copyright – namely a “work” that is “original” – have been interpreted by the CJEU and are, to a certain extent, similarly applied throughout the EU. This means that the same issues will be faced by all the countries in the EU – for example, “who will be the author when an AI system makes a work of art?”

The first component of originality, also known as the “objective component”, holds that the work must be the result of an intellectual creation. The second component, known as the “personality requirement” or “subjective component of originality”, holds that a personal touch must be given to the work in order to reach the threshold of originality. From these criteria it can be deduced that human input is a prerequisite for copyright.

As AI systems are not likely to be able to claim copyright protection in the near future, the creator of the AI system (the legal or natural person) should document the process of creation and arrange internal assignment of all IP rights, including copyright, to themselves, following the principle of Belgian property law that “the fruits of a good belong to the owner of the good”.

There is no strict definition of the internet of things (IoT), so for the purpose of this article the collection of devices that have the ability to sense, amass and analyse data, and to communicate through networks will be considered as the IoT. 

Data Protection

The first important legal framework that needs to be taken into account is data protection law. Because of the nature and goal of IoT devices (ie, smart mobile applications, smart home units, wearables, home assistants, etc), large amounts of data are being collected and processed, some of which will be considered personal data under the GDPR.

The applicability of this framework has a number of consequences as to how IoT devices should be designed (in particular the overarching principle of “privacy by design”). 

Consent

Not all IoT devices and services are organised along the lines of traditional graphical user interfaces, so asking for consent cannot always be worked directly into the functionality. As a result, IoT manufacturers and resellers must think of alternative ways to collect consent, in such a way that it meets the requirements of the GDPR: consent must be freely given, specific, informed and unambiguous.

Data minimisation

The GDPR requires that the personal data used is relevant and limited to what is necessary in relation to the purpose for which it is processed. This is a direct challenge to the data maximalism that is typical of IoT devices and services. One suggested way to keep this balance is “edge computing”, which allows the devices themselves to select the data necessary for processing further down the line.

Data protection impact assessments

In addition to the scenarios provided in the GDPR, the Belgian Data Protection Authority has set out a number of scenarios in which a data protection impact assessment (DPIA) is mandatory, and one of them specifically concerns the deployment of certain kinds of IoT devices – ie, large-scale processing of data generated by devices with sensors sending data over the internet or any another means for the purpose of analysing or predicting individuals’ economic situation, health, preferences or personal interests, reliability or behaviour, localisation or movements).

Cybersecurity

Cybersecurity is also a major point of attention. Various authorities internationally have expressed concern regarding the security of a lot of IoT devices, as these devices have the potential to enable the misuse of information, unauthorised access or attacks on other systems.

In Belgium, there are no specific minimum-security requirements, but specific sectors have requirements in relation to data breach notifications (eg, telecommunications, critical infrastructure, finance in specific cases) and data protection rules also provide for notification obligations in relation to personal data breaches.

ePrivacy Directive (M2M)

Under the ePrivacy Directive 2002/58/EC (ePD), a key question is whether machine-to-machine communications (M2M) – eg, the communications between an IoT device and the server of the vendor/service provider – are protected by the ePD’s rule of confidentiality of communications.

This question was not settled based on the wording of the ePD (which refers to “parties” to a communication), or in Belgium based on the wording of the Belgian implementation.

The draft ePrivacy Regulation aims to resolve this by clearly covering IoT services and devices. Current drafts would provide for confidentiality of communications, M2M included, which could impact the way in which certain organisations use IoT devices today. On 10 February 2021, the member states agreed on a mandate for negotiations with the European Parliament and trialogues began on 20 May 2021. It is estimated that, after a transitional period, the Regulation will be applicable in 2025.

Interoperability

Today, most companies creating IoT services or devices do so with their own separate infrastructure. As IoT devices and services become more prevalent, the question of interoperability of devices, networks and platforms will inevitably arise.

Within the ongoing efforts to create a European Digital Single Market, the EU has dedicated publications to interoperability architecture for IoT.

While this is not currently a legal requirement, it is highly recommended to consider the question of interoperability with existing services, whether through adopting an open architecture, integrating a third-party architecture – eg, by way of an application programming interface (API) – or making available a software development kit (SDK) for others to use for interoperability.

There are no particular requirements under Belgian law in this respect.

Legal Landscape

European level

In November 2018, the European Parliament adopted Directive 2018/1808 concerning audiovisual media services (the “AVMS Directive”) and the Directive 2019/790 on copyright and related rights in the Digital Single Market (the “DSM Directive”) in April 2019.

National level

The AVMS Directive has been implemented by the Belgian legislature at four different levels, in four different ways. In Belgium, community-level governments (Flemish, French and German-speaking) are in charge of the regulation of audio-visual media services in their respective territories, based on the place of establishment of the provider. By way of an exception, the federal government has the power to regulate audio-visual media services established in the capital region, Brussels, unless they need to be considered as belonging to the Flemish or French community because of their activities.

In conclusion, the Belgian legal framework is composed of a Federal act, a Flemish decree, a French decree and a German decree. These acts are not always consistent and therefore it is necessary to check, in practice, which requirements apply depending on the establishment of the service provider.

Main Requirements for Providing Audio-Visual Media Services

Requirements common to linear and non-linear providers

The following requirements are to be considered common to linear and non-linear providers:

• Prior Declaration and Registration to the Belgian Institute for Postal Services and Telecommunications (BIPT/IBPT). This notification is subject to the payment of a fixed fee. In addition, an annual fee is charged by BIPT. More information on the amount of the fees can be found in the Royal Decree of 7 March 2007 or the BIPT website.
• For transparency reasons, some information identifying the media provider (the name, the address, the telephone number, etc) should be made available.
• Audio-visual media services shall be continuously and gradually made increasingly accessible to persons with a visual or hearing disability.
• There are requirements for audio-visual commercial communications, sponsoring and product placement
• There is a prohibition against making available services which incite violence, hatred or terrorism.
• There is a prohibition against making available services likely to seriously impair the physical, mental or moral development of minors.

Linear providers (eg, TV, broadcasters)

Under Flemish radio and TV broadcasting rules, national, regional, network and local radio broadcasting is subject to prior authorisation (by the Flemish government). For other forms of broadcasting, no authorisation is required, but a notification process applies.

Under the French community decree, radio and regional TV broadcasting is also subject to prior authorisation. Other audio-visual media services in the French community must notify the regulator (Conseil Superieur de l’Audiovisuel, CSA) before they start their activity.

Non-linear providers (eg, on demand providers)

Promotion of EU works

At least 30% of the catalogues of on-demand audio-visual media service providers must be European works and such works must be given prominence. In addition to this, there are small nuances according to the decrees. In the French decree a gradual increase to reach 40% is encouraged. The Flemish decree also provides a precision in that, of the 30% of European works, a “significant proportion” must be Dutch-speaking. Finally, providers shall, on an annual basis, provide a report on the achievement of the objectives.

Netflix tax

There is a financial contribution obligation (known as the Netflix tax) according to which the media service provider must contribute financially to the production of European works. The French and Dutch Decree provide for a similar mechanism providing for an option between (i) co-producing or pre-purchasing French/Dutch works or (ii) payment to a Dutch/French local fund. However, the federal act does not contain such an obligation. Nor does the German-speaking community, at least for audio-visual media services providers established in the same community or the same member state. External providers, on the other hand, may be subject to this financial contribution obligation.

Video-Sharing Platforms

Specifically in relation to online video channels, on the French-speaking side, in March 2012, the CSA published a recommendation on the scope of regulation of audio-visual media services, which seems to suggest that merely putting a few videos online will not fulfil the relevant decree, unless there is a systematic structure to organise videos so as to make them into an audio-visual “programme”.

Since 2018, the scope of the audio-visual media services directive has been extended to include video sharing platforms. The video sharing platform is defined as an economic service whose main purpose, severable section or essential functionality must be to provide programmes, user-generated videos or both, to the general public. The relevant rules are to be found in Article 28b of the AVMS Directive and transposed into the federal act and the respective decrees of the communities.

It should be noted that due to the lack of editorial responsibility of these platforms, it is said that a light regime applies to video sharing platforms. Therefore, they are not subject to all the rules in the same way as “true” audio-visual media services.

They must however take appropriate measures:

• to protect minors from harmful content which may impair physical, mental or moral development – eg, through age verification systems, reporting and flagging functionalities and parental control systems;
• to protect the general public from content inciting violence or hatred against a group or member of a group based on the grounds of Article 29 of the Charter;
• to protect the general public from content that constitutes a public provocation to commit terrorist offences, child pornography, racism or xenophobia – eg, through adopting appropriate  terms and conditions and reporting and flagging functionalities; and
• to comply with the commercial communication rules (identification principle, sponsorship, product placement, etc).

The Belgian telecommunication rules are heavily influenced by EU rules. This has become even more the case since the adoption of the Electronic Communications Code Directive, and will be even more so once the EU adopts the long-awaited e-Privacy Regulation. Regarding the latter, however, it does not seem that the current deadlock concerning this piece of reform will be resolved soon, so its future remains uncertain.

With the adoption of the European Electronic Communications Code (EECC), a first step towards a uniform EU-wide telecoms framework had already been taken. This has been reinforced by the adoption in December 2019 of an Implementing Regulation by the European Commission, establishing a template for the contract summary that electronic communications services operators need to provide to consumers within the EU before the conclusion of a contract. This summary must include the main conditions of the contract (eg, price, services and internet speed).

Although the EECC imposed a transposition deadline of 21 December 2020, the Belgian legislature only implemented the EECC into the Belgian legislative framework on 16 December 2021. The Belgian legislator has stayed as close to the text of the EECC as possible.

The EECC applies to electronic communications services (ECS) and electronic communication networks (ECN). An electronic communications service is defined as a service, normally provided for remuneration, via electronic communications networks, which encompasses – with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services – the following types of services:

• “internet access service” as defined in point (2) of the second paragraph of Article 2 of Regulation (EU) 2015/2120;
• interpersonal communications service; and
• services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.

An “interpersonal communication service” is defined as “a service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s) and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service”. As a result of this definition, online services which are functionally equivalent to traditional voice telephony, text messages (SMS) and electronic conveyance services such as voice-over IP, messaging services and web-based email services may also fall under the scope of the EECC. The Belgian draft law transposing the EECC contains identical definitions.

Providers of ECN and ECS are, generally, allowed to carry out their activities in Belgium. Depending on the ECN/ECS that they offer they will have to comply with certain obligations. An example is the notification to the Belgian regulator before starting to provide any public ECN/publicly available ECS on the Belgian territory.

Qualification of Contract

Technology agreement is a broad term that can encompass (and combine) several kinds of technology services, such as licensing, maintenance, outsourcing, cloud computing services or even developing of software. When concluding or reviewing a technology agreement, it is important to qualify it appropriately to specify the applicable legal framework. In particular, it is important to check whether the agreement fits within the framework of one (or several) of the legally defined contracts under Belgian law.

The Belgian Civil Code (BCC) names several kinds of agreements, such as construction agreements or commercial agency agreements, and provides both mandatory rules (ie, those from which one cannot deviate by contract) and implied rules (ie, rules that apply when the agreement does not cover that specific issue) that may apply to these kinds of agreements. If an agreement does not fit into the framework of any of the legally regulated contracts, parties enjoy a broad contractual freedom, but must ensure that they regulate all the important aspects in detail to avoid any legal gaps.

SLAs

An important part of any technology agreement is the set of service levels applicable to the contract, namely the commitment in practice by the supplier or service provider – eg, to a certain percentage of delivery, accuracy, availability, etc, or to responding within a specific number of days or hours to a request or issues. Service level agreements (SLAs) typically apply to the contractual annexes on service levels.

Nature of obligations

The description of these service levels is crucial for their legal classification under Belgian law, which makes a distinction between obligations to attain a specific result (obligation de résultat/resultaatsverbintenis) and “obligations of means” (obligation de moyens/middelenverbintenis), the latter often translated into English as a “(commercially) reasonable effort” obligation.

In the case of a result obligation, the simple failure to reach the result will be viewed as a “fault” (ie, non-performance) that can trigger liability; for obligations of means, however, a higher threshold applies and the party claiming liability must be able to demonstrate that the defaulting party did not do all that was (commercially) reasonable.

SLAs: not just an IT matter

In many companies in Belgium and abroad, SLAs are often drawn up by IT teams without properly taking the actual terms and conditions of the agreement into account. One must ensure that an SLA has been checked or drawn up in consultation with the legal department to avoid legal misunderstandings.

Service levels are presumed to be result obligations, unless stated otherwise in the agreement, but service providers prefer to transform them into obligations of means – for example, by including expressions such as “to the best of its ability” or “strive” in the SLA. In that case, the service provider can only be held liable when non-compliance and fault can be proven by the customer. The customer, on the other hand, will aim for more certainty by using terms such as “ensures” or “result” in the SLA; in which case, the service provider can be held liable if the results and milestones set out in the SLA have not been achieved (except where this is attributable to the customer or to force majeure).

Liability

Contracting parties may limit or exclude their liability in an IT services agreement. This can be done by the incorporation of a liability clause or through the wording of the obligations, the inclusion of assumptions and a broad definition of force majeure.

Under Belgian law, it is allowed and generally accepted to exclude a party’s liability for specific losses, on the condition that such exclusions:

• do not (fully) relieve a party from its liability for fraud, its wilful default (“opzet”/”dol”), its gross negligence or that of its employees or, except in cases of force majeure, for the non-execution of the essential obligations that are the subject of the agreement;
• do not apply to a party’s liability for death or personal injury caused by negligence;
• do not lead to a “manifest imbalance” between the rights and obligations of the parties; and/or
• do not unduly exclude or limit the legal rights of one party in the event of a non-performance or improper performance by the other party of any of its contractual obligations.

As a result, liability clauses typically include caveats in this respect. Should there be none, the entire agreement, or at least the liability clause, could be held void, according to the principle that if any of the terms of a contract prove to be inapplicable or contrary to a mandatory provision of the law, the validity of the entire contract must be examined. The risk of such a discussion can be mitigated by including a “severability” clause, stipulating that if any (part of a) provision is or becomes illegal, invalid or unenforceable, this shall not affect or impair the legality of any other (part of a) provision of the IT services agreement.

Intellectual Property

Intellectual property (IP) plays an important role in IT services agreements. IT services often go hand in hand with the use of pre-existing IP of the supplier, pre-existing IP of the customer and third-party IP. Sometimes an IT services agreement involves the creation of something new which might also be protected by IP.

Contrary to what is often believed, there are various options to divide the IP on a new creation between the parties, ranging from full ownership for the supplier to full ownership for the customer. In an IT outsourcing agreement, the pre-existing IP typically remains with each party, with a form of cross-licensing (each party grants a licence to the other for the use of its own pre-existing IP).

In the case of a software as a service (SaaS) agreement, all IP rights on the SaaS solution are reserved for the SaaS provider, but this party typically grants the customer a non-exclusive, non-transferable, worldwide, limited right to use and access the SaaS solution for internal business purposes.

Step-In Right

A step-in right is a discretionary right for a customer to partially or fully take over services or appoint a third party to deliver services instead of the supplier. The foundations for step-in are in the Civil Code, which case law is interpreted as permitting step-in without prior court intervention, subject to certain cumulative requirements (ie, urgency, a prior determination that there is a contractual breach, a prior notice to remedy the breach, immediate involvement of the third party after expiry of the notice period, and good faith).

The step-in principle is not mandatory law and parties may contractually exclude step-in or alter its conditions by adding scenarios in which step-in is possible (for instance, if the supplier causes material interruption or disruption of services or exceeds service credit levels during a certain period.

B2B Relationships

As from December 2020, a new Belgian Act regulates several aspects of B2B relationships. In essence, it prohibits:

• the abuse of economic dependence;
• misleading and aggressive market practices between companies; and
• unfair terms (including abusive clauses) in B2B relationships.

In the context of IT services agreements, the most relevant part pertains to unfair terms. The Act foresees a black list (presumed to be unlawful without possibility of rebuttal) and a grey list (presumed to be unlawful until proven otherwise).

The black list targets terms which:

• provide for an irrevocable commitment on the part of the other party, while the execution of the contract is subject to a condition, the realisation of which is entirely dependent on the will of the other contracting party;
• give the company the unilateral right to interpret any term of the contract;
• in the event of a dispute, have the other party waive any right of recourse against the undertaking; or
• irrefutably establish the knowledge or acceptance of the other party by means of stipulations of which it had no actual knowledge prior to the conclusion of the contract.

The grey list targets, among others, terms which:

• give the company the right to unilaterally modify the price, characteristics or terms of the contract without a valid reason;
• unduly exclude or limit the legal rights of one party in the event of total or shared non-performance or improper performance by the other company of any of its contractual obligations;
• relieve the company from its liability for wilful intent, its gross negligence or that of its employees or, except in cases of force majeure, for the non-execution of the essential obligations that are the subject of the agreement; or
• in the event of non-performance or delay in performance of the other party’s obligations, determine an amount of compensation which is clearly disproportionate to the prejudice which may be suffered.

New Civil Code

From 1 January 2023, the new Belgian Civil Code applies, introducing a number of modifications that will impact the conclusion of technology agreements. Amongst other things, the new Civil Code foresees:

• updated rules on pre-contractual liability;
• a codification of the battle of form doctrine;
• a hardship provision;
• the introduction of a right to unilaterally terminate a contract out of court;
• the introduction of the concept of anticipatory breach; and
• the introduction of the price reduction as a sanction.

Types of Electronic Signature

Under Belgian law, the electronic execution of contracts can be done using three types of electronic signature, which follows from the eIDAS Regulation (Regulation 910/2014/EU), as incorporated in Book 12 of the Belgian Code of Economic Law.

Normal electronic signatures

A (normal) electronic signature is defined broadly as data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign. Examples include a name below an email, a PIN, a password, a scanned signature, symmetric and public key cryptography authentication methods and biometric authentication methods.

A (normal) electronic signature may not be denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form and not based upon a qualified certificate. This type of electronic signature, however, does not (automatically) receive the same legal effect as a handwritten signature.

Advanced electronic signatures

An advanced electronic signature is defined as an electronic signature which meets the following requirements: (i) it is uniquely linked to the signatory; (ii) it is capable of identifying the signatory; (iii) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control; and (iv) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

In practice, mainly asymmetric public key cryptography (PKI) systems meet the requirements of this definition. It must, however, be emphasised that the legislation does not confer specific legal effectiveness to this type of electronic signature that would be different from (normal) electronic signatures. The main difference between a (normal) electronic signature and an advanced electronic signature is that the latter generally is considered to be more trustworthy, and that consequently more evidential weight is attached to it.

Qualified electronic signatures

A qualified electronic signature is an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures. A certificate is an attestation linking electronic signature validation data to a natural person and confirming at least the name or pseudonym of that person. The certificate must contain certain mandatory statements and must have been issued by a qualified certification service provider.

A typical example of a qualified electronic signature is the one placed with a Belgian eID card. A qualified electronic signature is automatically assimilated to and legally presumed to be equivalent to a handwritten signature.

Functional Equivalence and Proving the Existence of an Agreement

In Belgium, the principle of consensualism applies to the validity of contracts. Mutual consensus, even verbally, of both parties is thus sufficient to conclude a valid agreement. In deviation from this principle, the Belgian legislature at times imposes certain formal requirements (such as a signature) for the valid conclusion of a contract. In this regard, the principle of “functional equivalence for formal requirements” applies. This means that any legal or regulatory formal requirement for the valid conclusion of contracts by electronic means is fulfilled if the functional qualities of this requirement are safeguarded (Article XII.15 of the Belgian Code of Economic Law). Thus, if some “writing” or a “signature” would be required for the valid conclusion of a contract or an electronic contract, an electronic signature (regardless of which type) will suffice.

In certain circumstances, Belgian law, however, deviates from this principle of “functional equivalence for formal requirements”. For example, within employment law, only a handwritten signature or the equivalent qualified electronic signature can be used. The same applies for a tender in the context of public procurement law.

Furthermore, it is relevant to emphasise that there is a difference between concluding a valid agreement (as described above) and being able to enforce that agreement by proving its existence and contents, which is subject to specific requirements.

For example in a B2B environment, the Belgian law of evidence (incorporated in Book 8 of the new Civil Code), specifies that evidence between and against businesses relies on a free system of evidence. Consequently, the evidence of the existence of a contract in a B2B context may be given by electronically signed contracts. In this regard, courts will grant legal effect to electronically signed contracts as soon as two conditions incorporated in Article 8.1 of Book 8 of the new Civil Code are met. Firstly, as to the document itself, the writing must consist of “a set of alphabetical characters or of any other comprehensible signs affixed to a medium which allows access to it for a period of time appropriate to the purpose for which the information may be used and protects its integrity, whatever the medium and the means of transmission.” Secondly, the signature must consist of “a sign or a sequence of signs by which a person identifies himself and which indicates his intention.”