RegReady · SaaS · Belgium · GBA/APD

SaaS compliance in Belgium.

UPDATED 2026-05-10

SaaS Compliance Landscape in Belgium

Belgium's digital regulation framework has consolidated significantly since 2018. SaaS businesses operating here must navigate four interconnected regimes: GDPR (data protection), the AI Act (algorithmic accountability), the Ecommerce Act (platform liability), and the Digital Services Act (content moderation and transparency). The Belgian Data Protection Authority (Autoriteit Bescherming Gegevens / Autorité de la Protection des Données, commonly GBA/APD) enforces GDPR and coordinates with national authorities on AI and digital services compliance.

Unlike larger EU member states, Belgium has relatively few sector-specific carve-outs. This means standard GDPR rules apply directly to SaaS vendors processing Belgian residents' data, regardless of whether you sell B2B or B2C. The regulatory burden intensifies for SaaS targeting regulated sectors—financial services, healthcare, education—where additional sector laws layer on top. Belgium's small but economically dense market (11.5 million people, strong financial sector) makes it a common first EU entry point for startups, but this also means early visibility with regulators. The GBA/APD actively investigates SaaS vendors; unlike some EU capitals, complaints are processed relatively quickly.

GDPR: Data Protection Fundamentals

Status: Fully in force since May 25, 2018. No sunset provisions or renewal deadlines.

GDPR applies to any SaaS that processes personal data of EU residents, including Belgian users. The regulation does not distinguish between SaaS and other business models; your product size or sector does not exempt you. Core obligations include:

  • Lawful basis documentation. You must identify and document the legal ground for each processing activity (consent, contract, legal obligation, vital interest, public task, or legitimate interest). This must be recorded before processing begins, per Article 6.
  • Data Processing Agreements (DPAs). If you process data on behalf of customers, you need a DPA compliant with Article 28. Many SaaS vendors mistakenly assume their Terms of Service cover this; they do not.
  • Privacy by design. Article 25 requires technical and organizational measures built into your product from inception—not bolted on later. This includes encryption, pseudonymization, and access controls.
  • Breach notification. You must notify the GBA/APD within 72 hours of discovering a personal data breach that poses risk to individuals (Article 33).
  • Data subject rights. Users can request access, correction, deletion, portability, and objection. You must respond within 30 days.

The GBA/APD has issued guidance on SaaS-specific topics including cookie consent (many SaaS analytics tools require explicit opt-in), subprocessors (you must notify customers when adding third-party vendors), and international transfers (if you process data outside the EU, adequacy decisions or Standard Contractual Clauses are required). The European Data Protection Board (EDPB) regularly publishes guidelines on novel topics; check their site monthly if your product uses emerging technologies.

Deadlines for SaaS: No single "deadline"—compliance is ongoing. However, if you are not currently compliant, begin immediately. If the GBA/APD initiates investigation (which they do for newly-reported breaches or complaints), you will have limited time to demonstrate retroactive compliance.

AI Act: Algorithmic Accountability

Status: Regulation (EU) 2024/1689 entered into force June 10, 2024. Compliance phases are staggered through 2026.

The AI Act applies to SaaS vendors providing "AI systems" to users in the EU. "AI system" is broadly defined: any software using machine learning, statistical methods, or logic that produces outputs affecting individuals' rights. This captures:

  • Recommendation engines (even simple collaborative filtering).
  • Automated decision systems (e.g., credit scoring, content moderation).
  • Generative AI features (if your SaaS includes LLM-based text or image generation).
  • Predictive analytics and anomaly detection.

The Act uses a risk pyramid. "High-risk" AI systems (those impacting employment, education, credit, law enforcement) face strict requirements: technical documentation, bias testing, human oversight, and logging. "Limited-risk" systems (chatbots, deepfakes) require transparency disclosures. Most SaaS falls into these tiers even if your AI feels rudimentary.

Phased compliance deadlines (Article 99):

  • June 10, 2025: Prohibited AI practices must cease (e.g., subliminal manipulation, social-credit scoring without safeguards). Enforcement begins immediately.
  • June 10, 2026: Transparency and limited-risk AI rules apply.
  • June 10, 2027: High-risk AI system requirements fully enforced.

Belgium does not yet have a dedicated AI competent authority; enforcement is coordinated through the GBA/APD (for data-related AI issues) and sector regulators. However, non-compliance carries fines up to 6% of global revenue—equal to GDPR penalties. If your SaaS includes any algorithmic decision-making, you should audit against the Act's Annex III (high-risk system list) now. EDPB guidance on AI and data protection is essential reading.

Digital Services Act (DSA): Platform Obligations

Status: Regulation (EU) 2022/2065 in force since August 2023 (Articles 19–24) and November 2024 (Articles 1–18). All requirements apply.

The DSA is often misunderstood as applying only to social networks. It actually applies to any SaaS that facilitates user-to-user interaction—marketplaces, collaboration tools, community platforms, and even some B2B systems. If users can post content or interact via your platform, the DSA likely covers you.

Core obligations include:

  • Illegal content removal. You must have a system to detect, remove, and report illegal content (within 24 hours of notice, typically).
  • Moderation transparency. Users must understand why content was removed or accounts suspended. You need a complaint procedure and written explanation (Article 24).
  • Algorithm transparency. You must disclose how content ranking and recommendation algorithms work (Article 24). This applies even to non-social platforms.
  • Data access for researchers. Larger platforms (over 45 million EU users) must provide researchers data access to study systemic risks (Article 40).
  • Due diligence on systemic risks. You must assess and mitigate risks including child safety, mental health, and election integrity (Article 26).

The DSA is enforced by Belgium's telecommunications regulator (BIPT/IBPT) in coordination with the European Commission. Penalties start at 6% of annual turnover for first violations. Notably, the DSA does not require removal of legal-but-harmful content; it requires only transparency and fair process. Many SaaS vendors comply by documenting moderation policies, publishing them publicly, and logging enforcement actions.

Deadline: Already in force. Begin auditing your platform against Articles 19–24 immediately.

Ecommerce Directive (EAD): Platform Liability

Status: Directive (EU) 2000/31 as amended by the Digital Services Act (incorporated into national law). Ongoing compliance required.

The Ecommerce Act establishes "safe harbors"—conditions under which SaaS platforms are not liable for user-generated content or third-party conduct. Many SaaS vendors misunderstand this as blanket immunity. It is not.

Safe harbors apply only if you:

  • Do not have actual knowledge that content is illegal.
  • Act expeditiously upon receiving notice of illegal content.
  • Implement a notice-and-takedown procedure accessible to users and authorities.
  • Do not provide recommendations or search that amplify illegal content.

If you actively moderate content, algorithmically promote posts, or have editorial involvement, you may lose safe-harbor protection for that content type. The DSA amendments have narrowed safe harbors significantly; the old "passive conduit" interpretation no longer applies to platforms with algorithms.

Belgium implements the Ecommerce Act via the Articles 12–14 exemptions in national law, overseen by BIPT/IBPT and aligned with EDPB guidance. If a user's third-party transaction or content triggers a complaint to authorities, you will be expected to show that you had a compliant notice-and-takedown process in place.

Deadline: Existing requirement; no renewal. Ensure your terms and takedown procedures are documented now.

Three Common SaaS Compliance Pitfalls in Belgium

1. Underestimating Data Processing Scope (GDPR)

A Belgian HR-tech SaaS vendor was fined €15,000 in 2023 (GBA/APD investigation) because it collected employee salary data as part of payroll integration but failed to disclose this processing in its privacy policy. The vendor claimed it only "passed through" data to the customer's accounting system. However, GDPR analysis showed the vendor was a joint controller during the payroll import phase—it accessed, transformed, and stored the data temporarily. No DPA existed between the vendor and customer for this processing. The key lesson: any data your SaaS touches, even transiently, is processed by you and requires lawful basis and documentation. Many vendors assume processing is only what is stored long-term; this is incorrect.

2. Inadequate Subprocessor Management (GDPR Article 28)

A Belgian project-management SaaS used an undisclosed AI vendor to auto-generate task summaries. When a customer's data subject complained to the GBA/APD that summaries contained inaccurate personal information, the regulator discovered that the SaaS had not informed customers of the AI vendor's involvement and had no data processing contract with the vendor itself. The SaaS's excuse—"we assumed the AI vendor was our third party, not a subprocessor"—did not hold. Under Article 28(4), you must inform customers of subprocessors *before* processing begins and must have written contracts in place. This applies to cloud providers, analytics vendors, AI services, and any vendor that accesses or processes customer data. A simple Slack integration for notifications counts.

3. Confusing Transparency with Consent (AI Act & DSA)

A Belgian fintech SaaS added a machine-learning fraud-detection algorithm without asking users for consent, assuming transparency (disclosing how the algorithm works) was sufficient. When customers complained about false-positive blocks, the regulator (aligned with EDPB guidance) indicated that transparency alone does not comply with the AI Act for high-risk systems. The fintech did not have the required human-in-the-loop override for users wrongly flagged as fraudulent. Additionally, under GDPR Article 6, automated decision-making affecting individuals' rights requires either a lawful basis (usually explicit consent) or a contract-related exemption with safeguards. The SaaS was processing under "legitimate interest" but had not documented this. The lesson: transparency is a floor, not a ceiling. High-risk AI and automated decisions need explicit lawful basis, documented assessment, and user recourse.

Immediate Compliance Steps for SaaS

Given the overlapping nature of these regulations, prioritize in this order:

  1. GDPR audit (2 weeks): Map all data flows. Identify lawful basis for each processing activity. Create or update Data Processing Agreements with customers. List all subprocessors.
  2. Privacy policy and transparency (1 week): Publish a clear, customer-facing privacy policy. Update product UI to disclose data uses (e.g., analytics, subprocessors, automated decision-making).
  3. AI Act self-assessment (2 weeks): If your SaaS uses any algorithmic decision-making, machine learning, or generative AI, categorize each feature by risk level (Annex III). Document technical specs and bias testing.
  4. DSA compliance (if applicable, 2 weeks): If your platform has user-to-user interaction, publish moderation policies and implement a notice-and-takedown procedure.
  5. Breach and incident response (1 week): Document how you will detect, investigate, and report data breaches to the GBA/APD within 72 hours.

Do not wait for enforcement. The GBA/APD proactively investigates complaints and conducts sector sweeps. Demonstrating good-faith effort to comply—even if imperfect—significantly reduces penalty severity.

Next Steps: Build Your Compliance Calendar

SaaS compliance in Belgium is not a one-time checkbox. Regulations evolve, your product changes, and regulators issue new guidance. The most effective approach is maintaining a rolling calendar of compliance tasks tied to your product roadmap and regulatory deadlines.

Use RegReady's calendar tool to set compliance reminders for your Belgian SaaS operations. You can flag GDPR subprocessor reviews, AI Act high-risk system audits, DSA moderation policy updates, and GBA/APD guidance releases. The calendar integrates regulatory deadlines with your product release schedule so compliance runs in parallel with development, not as an afterthought.
