Traditionally, the start of a new year also brings with it certain regulatory changes. Some of these have a direct or indirect impact on the corporate landscape within which you and we operate every day. We therefore list a few.
On 1 August 2024, the European Union’s long-awaited AI Act was published. A world first, this law marks the first comprehensive legislation regulating artificial intelligence. On the one hand, the AI Act focuses on addressing the risks of AI, particularly on safety, health and fundamental rights. On the other hand, the EU also seeks to stimulate innovation by supporting AI developers through, among other things, the so-called ‘sandbox initiative’.
Between 2025 and 2027, the AI Act gradually imposes obligations on companies that develop, market or deploy AI systems. The higher the risk of the system, the heavier the obligations. To do so, the AI Act distinguishes between four categories of AI systems: unacceptable risk, high risk, limited risk and minimal risk. The first group includes unacceptable applications that are banned entirely, such as the manipulation of users based on ‘social scoring’. Such practices will be prohibited from 2 February 2025.
For low-risk applications, such as AI-powered chatbots and deep-fake applications, a transparency obligation will apply from 2 August 2025. This means that users must always be clearly informed about their interaction with AI-generated information. A national authority will then also be designated to oversee the application and implementation of the AI Act.
From the summers of 2026 and 2027, obligations concerning high-risk AI systems will also have to be met. Such applications carry increased risk because they have a high potential impact on health, safety and human rights in society or because they are applied in sensitive areas such as law enforcement or education. The stringent requirements envisaged include the registration of such systems, human monitoring and reporting.
For AI systems with minimal risk, such as spam filters and video games, the AI Act does not impose any obligations. General legislation on product safety and privacy will of course continue to apply without exception.
It is essential to emphasise the broad scope of this regulation. AI applications are springing up like mushrooms and are now an integral part of the business world. Nevertheless, companies need to be very vigilant when integrating AI into their organisations.
After all, on one hand, this AI Act will lead to more and more innovative systems being put into operation. On the other hand, the Act will also lead to the exposure of some vulnerabilities.
Companies would therefore do well to consider which AI systems they and their partners are using. For each AI system, they will consider how it is qualified, and more specifically as a provider or user. Next, they will have to verify the risk category.
All this ensures that some AI systems will have to be registered and certified, and there will be a need to check whether existing systems are indeed compliant with the law. Additionally, companies will have to be careful to maintain the transparency and understandability of AI systems.
Cyber security is essential today for both businesses and individuals. With increasing digitalisation, it is crucial to take appropriate security measures. With the Network and Information Security (NIS) Directives, European legislators aim to address this looming issue. The Belgian NIS2 Act of 26 April 2024 is the transposition of one such directive, namely the European NIS2 Directive.
Because not every company faces the same cyber risk, the obligations are limited to certain sectors and companies. For now, the obligation only applies to medium-sized companies established in Belgium, providing a service that appears on the provided list (annexed to the directive). These include, for example, energy, transport, healthcare, management of ICT services…
Relevant entities must register on Safeonweb@Work by 18 March 2025 at the latest. They must also take appropriate technical, operational and organisational measures to ensure the security of their network and information systems, prevent incidents and limit the impact of incidents. These measures should be proportionate to the risk. If a significant incident does occur, it must be reported to the Centre for Cybersecurity Belgium (CCB).
It is up to the governing bodies to approve the security measures and monitor their implementation. If they fail to comply, they can be held liable. Board members must undergo mandatory training to acquire sufficient knowledge and skills for risk assessment and the management of cybersecurity risks.
Registration should therefore take place in the coming year. However, conformity assessment will not take place until 2026. Administrative fines may be imposed for non-compliance with the law.
The year 2025 offers one last chance to retain the charm of a traditional paper invoice. From 1 January 2026, electronic invoicing (e-invoicing) will be inevitable and mandatory for all B2B transactions between Belgian VAT-registered companies, with some exceptions (e.g. VAT-registered companies in bankruptcy).
Although it will remain possible to voluntarily provide customers with a paper version in addition to an electronic invoice, in a B2B context, only the electronic invoice will have legal value. This will be important, for instance, for companies or self-employed persons who want to deduct the VAT of a B2B transaction. In the foreseeable future, this will only be possible using an electronic invoice.
E-invoicing is currently already mandatory for invoicing between companies and public authorities. From 2026, it will also be mandatory between companies. For transactions between businesses and individuals, it is not (yet) mandatory and will not be in 2026. However, telectronic invoicing can be used by mutual agreement.
The mandatory electronic invoice must be in a structured format, in particular the Peppol-BIS format. The use of the Peppol e-invoicing platform is strongly recommended. This platform is currently already used by more than 1,438,208 companies. Alternative formats are allowed, but they will have to comply with the relevant European standards, and the parties involved must also both agree to them.
To integrate e-voicing into your business, timely preparation is essential. Tax incentives are available to cover the cost of these technical adaptations. Moreover, although an investment is required, e-invoicing also offers many benefits, such as reduced paper consumption, significant time savings, and a lower risk of invoice fraud.
By now, many have been introduced to the ‘My eBox Citizen’, an electronic mailbox where you can securely receive messages from a increasing number of government services1. However, there is also an electronic mailbox for businesses, namely the ‘e-Box Enterprise’2.
The introduction of this digital platform aims to enable efficient, fast and secure communication with government institutions. This concerns social security institutions as well as authorities at all Belgian levels. The list of municipal, regional and federal bodies sending messages and documents via e-Box continues to expand.
The regulations for use of the e-Box Enterprise state that messages and documents have the same legal consequences as exchanges on non-digital data carriers. Article 2 literally states, “With this type of exchange, any obligation to send by registered mail shall be deemed to have been met, whether with or without acknowledgement of receipt. If necessary, the transmission of the message via the e-Box shall be visibly marked as ‘registered mail’ or equivalent.”
Originally, the intention was to make the use of the e-box Enterprise mandatory for enterprise number holders from 2025. Since no further legislation has been published since the bill was passed in 2022, the exact date of this obligation remains uncertain—though its implementation is certain.
In 2019, the European Union introduced the European Accessibility Act (EAA), which requires companies in certain sectors to make their products and services more accessible. E-commerce companies fall under this regulation, which has now been transposed into Belgian legislation.
By 28 June 2025, Belgian companies (with more than 10 employees) will have to comply with specific accessibility standards. This may include ensuring good colour contrast on the websites, implementing a voice function, and allowing users to enlarge font size. No detailed technical requirements are imposed, leaving room for innovation and flexibility.
The aim is to ensure equal access to certain basic services for everyone, including people with disabilities. This fosters inclusion and can help businesses reach a wider audience. Moreover, a user-friendly website or application increases customer satisfaction. To enhance transparency, it is strongly recommended to publish a statement explaining the accessibility measures taken.
An oversight body has been established that can impose sanctions in case of non-compliance, either following an audit or in response to a customer complaint. Sanctions can range from warnings to fines.
The content of the Precontractual Information Document (PID) was recently amended in September 2024 (see https://philippelaw.eu/nl/belgie-voorloper-in-de-bescherming-van-de-franchisenemer/). Less than a year later, new changes are on the way. From 1 March 2025, franchisors must additionally include a number of new disclosure requirements in the PID.
Specifically, the franchisor will have to inform the prospective franchisee about any planned expansion within the trade area, such as opening a new branch. If licences for (partially) competing outlets in the trade area have been applied for, this should also be communicated to the franchisee. In addition, the PID will have to include details of customary investments and an estimate of associated costs. Finally, the franchisor will have to communicate an estimated operating account for at least three years so that the franchise, allowing callowing the franchisee to develop their own business plan.
The objective remains to provide the franchisee with the best possible information before signing an agreement, ensuring they can make an informed decision. Legislators hope to meet the demand for transparency by imposing stricter disclosure obligations on the franchisors. Failure to comply may result in penalties.
From 1 January 2025, there will be a ban on so-called ‘financial subcontracting’3. Financial subcontracting is also known as ‘reselling of work’. While a main contractor can still subcontract an entire contract to a subcontractor, the latter, in turn, may no longer transfer on the entire contract to one or more sub-subcontractor(s).
Concretely, the prohibition involves two aspects: (i) works entrusted to a particular (sub)contractor may not be fully subcontracted, and (ii) such works may also not be subcontracted to several sub-subcontractors where the actual subcontractor only serves a coordination task. Thus, it is required that the subcontractor at least partially performs the works itself (through its own employees).
The ban applies to three specific sectors: construction, meat and moving. The first category can be interpreted very broadly. All works that take place on, in, or around real estate are covered, e.g. work on the roof, installing a kitchen, etc.
This objective is to break the corporate chain, in order to keep an overview of the various collaborations. The aim is to combat social fraud, and better protect workers. The (sub)contractor remains partly involved and responsible for the execution of the work.
This is no minor change for companies that regularly carry out subcontracts. Indeed, heavy fines (or even prison sentences) can be imposed for violating this prohibition. In short, caution is advised.
Between 2025 and 2028, reporting obligations for certain companies will gradually expand under the Corporate Sustainability Reporting Directive (CSRD), a European directive framed within the European Green Deal.
Companies will be required to report on the impact they have on the environment and society. At the same time, they will have to report on the impact of the external environment on their own activities. Companies will thus have to track, collect, analyse and disclose a large amount of data, a significant investment in time and resources. Moreover, to ensure the reliability of the reports, an audit by an external auditor will also become mandatory.
Unlisted SMEs are not covered by the CSRD directive. Nevertheless, they too will need to maintain various data and information, especially if they are professionally related to companies that are subject to the directive. Companies that are required to report can request information from their supply chain partners, even if they do not have a reporting obligation. Through the VSME directive, a voluntary standard is being developed for unlisted SMEs. This standard is expected to be available in 2025, allowing these SMEs to share their information in a simple and efficient manner.
Detailed reporting will create more transparency about business operations and their impact on society and the environment, helping to prevent greenwashing. In addition, the reporting requirement ensures that companies take more responsibility for their social and environmental impact.
The year 2025 will be a crucial milestone in the transition to more responsible business practices. Companies not covered by the European directive can also voluntarily choose to comply with the reporting requirements. Onwards to a more sustainable future!
Do not consider this overview as conclusive or exhaustive. Our main intention is to highlight some important issues to help you prepare for them, avoid penalties, and seek more detailed advice if necessary.