Legal requirements for websites in Belgium

Economic Code (EC), Book III & XII

• Complete business name and legal form (e.g., LLC, Plc)
• Full address of registered office
• Phone number and email address
• Business registration number (BCE/KBO): 10 digits
• VAT number: BE + 10 digits
• Name of responsible publisher (if applicable to content)
• Contact details of webmaster or administrator

Penalty: EUR 50 – 5,000 per missing element

VAT Code / EC Book III

• VAT number visible on every page (footer)
• Mandatory VAT registration when revenue exceeds EUR 25,000/year
• Apply correct VAT rates (21%, 6%, 0%)

Penalty: EUR 1,000 – 5,000 administrative fine

GDPR Art. 13-14 / Belgian Data Protection Law

• Identity of data controller + contact details
• Purposes and legal basis for each processing activity
• Categories of personal data collected
• Recipients or categories of recipients (processors)
• Retention periods per category
• Data subject rights: access, rectification, erasure, restriction, portability, objection
• Right to lodge a complaint with the DPA (with authority contact details)
• Information on automated decision-making / profiling

Penalty: EUR 10 – 20 million or 2-4% global turnover

GDPR Art. 28

• Written DPA with all processors (hosting, analytics, payment services)
• Document purpose, duration, and nature of processing
• Sub-processors: authorization + transparency
• Document security measures

Penalty: EUR 10 – 20 million or 2-4% global turnover

GDPR Art. 6-7

• Checkbox (not pre-checked) for consent
• Statement of purpose and retention period
• Link to privacy policy
• Document consent (retain evidence)

Penalty: EUR 10 – 20 million or 2-4% global turnover

GDPR Art. 33-34

• Notification to DPA within 72 hours of discovery
• Part 1: basic information (72h) / Part 2: full details (21 days)
• Notification to affected individuals in case of high risk
• Maintain data breach register
• Language: Dutch, French or German

Penalty: EUR 10 – 20 million or 2-4% global turnover

GDPR Chapter V / Schrems II (C-311/18)

• Standard Contractual Clauses (SCCs) required for transfers outside EU/EEA
• Supplementary technical measures (encryption, pseudonymization)
• Document Transfer Impact Assessment
• Relevant when using US services (Google, Cloudflare, AWS)

Penalty: EUR 10 – 20 million or 2-4% global turnover

GDPR Art. 37

• Required for: public authorities, large-scale monitoring, sensitive data
• Publish DPO contact details on website
• Register DPO with the DPA
• Not required for most SME websites

Penalty: EUR 10 – 20 million or 2-4% global turnover

Electronic Communications Law Art. 129 / ePrivacy Directive Art. 5(3)

• Explicit consent BEFORE placing non-essential cookies
• Buttons "Accept All" and "Refuse All" equally prominent
• Granular preferences per category (analytics, marketing, preferences)
• Easy withdrawal of consent (as easy as giving)
• No cookie wall (refusing consent cannot deny access)
• No pre-checked boxes (dark patterns forbidden)
• Retain proof of consent

Penalty: EUR 500 – 50,000 (ePrivacy) + GDPR fines

Google requirement (mandatory since March 2024 for Google services)

• Consent signaling for analytics_storage and ad_storage
• Default state = 'denied' until user chooses
• wait_for_update parameter for banner timing
• Granular signals: ad_storage, ad_user_data, ad_personalization, analytics_storage

Penalty: Loss of Google Ads/Analytics functionality

Electronic Communications Law Art. 129 + GDPR Art. 13

• Explanation per cookie category: name, purpose, retention period
• Distinguish essential vs. non-essential
• Explanation of functionality and security storage (exempt)
• Link to cookie preference management
• Reference to privacy policy

Penalty: EUR 500 – 50,000

EC Book VI, Art. VI.45-46 / Directive 2011/83/EU

• Complete product/service description
• Total price including VAT and all charges
• Delivery costs stated separately (or free)
• Available payment methods
• Delivery deadline (standard: max 30 days)
• Right of withdrawal: 14 calendar days
• Complaint procedure and ADR information
• Seller identity (name, address, KBO, VAT)

Penalty: EUR 100 – 1,000 per violation

EC Book VI, Art. VI.47-56 / Directive 2011/83/EU Art. 9-18

• 14 calendar days after receiving goods to cancel
• Consumer does not need to provide reason
• Must provide withdrawal form template
• Full refund (including shipping) within 14 days
• Exceptions: perishable goods, sealed products, custom-made items, digital content (after delivery with consent)

Penalty: EUR 500 – 5,000 per violation

EC Book VI / Directive 98/6/EC

• Price always displayed inclusive of VAT
• Unit price where applicable (per kg, liter, piece)
• Total final price clear before checkout
• No hidden costs or surcharges
• Prohibition on payment method surcharges (PSD2 Art. 62)

Penalty: EUR 100 – 1,000 per violation

EC Book VI, Art. VI.46

• Confirmation on durable medium (email suffices)
• Repeat all essential contract terms
• Attach withdrawal form
• Send before or upon delivery

Penalty: EUR 100 – 1,000 per violation

EC Book VI / Belgian Warranty Law

• Minimum 2-year warranty on all new products
• Consumer chooses: repair or replacement (free)
• Burden of proof on seller (both years)
• Used items: minimum 1 year (if agreed)
• Must be stated on product pages and in T&C

Penalty: EUR 500 – 5,000

EC Book VI, Art. VI.69-92

• Compatibility information (OS, storage space)
• Describe access method and activation
• State usage rights and limitations
• Right of withdrawal expires after delivery with explicit consent

Penalty: EUR 500 – 5,000

Directive 2005/29/EC (UCPD) / EC Book VI

• Forbidden: false information, fake reviews, misleading discounts
• Forbidden: false scarcity ('Only 2 left!') if incorrect
• Forbidden: aggressive sales techniques
• Forbidden: obstructing withdrawal/cancellation rights
• Essential information must not be omitted

Penalty: EUR 500 – 10,000 + injunction

Regulation (EU) 524/2013 / Directive 2013/11/EU

• ODR platform discontinued March 2025 — replaced by ADR guidance
• Information on available ADR mechanisms on website
• Belgian ADR bodies: Belmed, sectoral ombudsmen
• Email address for complaints clearly stated

Penalty: EUR 500 – 2,000

Directive 2023/988 / CE marking regulations

• All products must meet safety standards
• CE marking mandatory for relevant product categories
• Technical documentation and EU declaration of conformity
• Traceability: batch numbers, serial numbers

Penalty: Criminal: up to EUR 200,000 or 6% turnover

Directive 2015/2366 (PSD2)

• Minimum 2 authentication factors required at payment
• Factors: knowledge (password), possession (phone), inherence (biometry)
• Exemptions: transactions under EUR 30, subscriptions, trusted beneficiaries
• Payment service provider responsibility, but webshop must integrate

Penalty: Payments blocked if non-compliant

PSD2 Art. 62

• No extra charges per payment method
• No surcharge for credit card, PayPal, Bancontact, etc.
• Exception: only if actual cost demonstrably higher

Penalty: EUR 100 – 5,000 per violation

Law 02/02/2024 / EN 16931 / Peppol framework

• Mandatory since January 1, 2026 for all B2B transactions in Belgium
• Structured format: UBL 2.1 or CII 16B
• Via Peppol 4-corner network
• Transition period: Jan-Mar 2026 without penalties
• This concerns the accounting system, not the website itself

Penalty: EUR 1,500 (1st), EUR 3,000 (2nd), EUR 5,000+ (3rd violation)

Directive 2019/882 / EN 301 549 V3.2.1

• In effect since June 28, 2025
• Technical standard: WCAG 2.2 Level AA (WCAG 2.1 formally required)
• Existing sites: transition period until June 2030
• Keyboard navigation, color contrast (4.5:1), alt text, aria-labels
• Forms must be accessible to screen readers

Penalty: Up to EUR 200,000 per violation

EAA / Directive 2019/882

• Public page on website (e.g., /accessibility)
• State conformance level (fully / partially / non-compliant)
• Honestly document known limitations
• Contact mechanism for accessibility issues
• Date of preparation and next review

Penalty: Up to EUR 200,000 per violation

Regulation (EU) 2024/1689, Art. 50

• Chatbots: inform user that it is AI
• AI-generated content: clearly label
• Deepfakes / synthetic media: visibly mark
• Full compliance deadline: August 2026
• Belgian supervisor: BIPT

Penalty: EUR 10 – 50 million or 2-10% global turnover

Regulation (EU) 2022/2065

• Only for very large online platforms (300M+ monthly active EU users)
• Not applicable to standard SME websites or webshops
• If applicable: algorithm transparency, ad labeling, complaint procedure

Penalty: Up to 6% global turnover

EC Book XII / ePrivacy Directive Art. 13

• B2C: explicit opt-in required (soft opt-in for existing customers on similar products)
• B2B: opt-out allowed for professional addresses (not personal)
• Every email must contain an unsubscribe link
• Sender clearly identifiable
• Honor unsubscription within 10 days
• Document consent evidence

Penalty: EUR 100 – 1,000 per violation (per recipient in bulk)

Electronic Communications Law / ePrivacy Directive

• SMS to consumers: explicit opt-in required
• SMS to businesses: opt-out allowed
• Phone prospecting: consumer consent required
• Honor opt-out within 10 days

Penalty: EUR 100 – 1,000 per violation

Belgian public health legislation

• Beer/wine: minimum age 16 years
• Spirits: minimum age 18 years
• Age verification mandatory at checkout/delivery
• Online sales allowed (with verification)

Penalty: Criminal sanctions

Belgian tobacco law

• Online sale of tobacco and e-cigarettes is PROHIBITED since 2022
• No exceptions for webshops

Penalty: Criminal sanctions + product seizure

AFMPS regulation

• Prescription medicines: online sale prohibited
• OTC medicines: limited allowed with verification
• Regulated by AFMPS (Federal Agency for Medicines)

Penalty: Criminal sanctions

GDPR Art. 32 / PSD2 / Industry standard

• TLS 1.2 or higher mandatory
• Entire site (not just checkout)
• Valid SSL certificate from trusted CA
• HSTS header recommended

Penalty: GDPR fines if data breach occurs due to missing encryption

EC / Common law

• Service/product identification, prices, payment terms
• Limitation of liability
• Intellectual property rights
• Dispute resolution (competent court, applicable law)
• Modification procedure and termination
• E-commerce additions: withdrawal right, warranty, return procedure, delivery terms

Penalty: EUR 500 – 5,000 for unfair terms

Belgian language legislation

• No statutory requirement for website language for private companies
• Consumer contracts: essential information in consumer's language recommended
• Privacy policy and T&C: at least Dutch + French (best practice)
• Accessibility statement: in all relevant languages
• Contract may be unenforceable if in wrong language

Penalty: Contract may be unenforceable

Regulation (EU) 2018/302

• Forbidden: blocking or redirecting customers based on nationality or location
• Price differences by location: only allowed through VAT difference or costs
• Payment methods cannot be refused based on location
• Exception: license restrictions, security, age limitations

Penalty: EUR 500 – 5,000 + injunction