New stricter EU directive on cyber security and its impact on companies operating in the Czech Republic
The European Union has introduced a new cybersecurity directive, known as NIS2, which will have a significant impact on more than 6,000 entities in the Czech Republic – from private to state organisations. The new legislation imposes extensive obligations and potential fines for non-compliance amount to tens of millions of crowns. It is expected that the NIS2 requirements will be reflected in the Czech Cybersecurity Act during 2024, so there is “no time to waste” on preparations. What is in store for us with NIS2? And what will it mean for companies in practice?
What is NIS2?
NIS2 is an updated version of the 2016 Network and Information Security (NIS) Directive, which expands the scope and provides new measures to strengthen European cyberspace. EU Member States are obliged to incorporate the Directive into their legal systems. In the Czech Republic, the National Authority for Cyber and Information Security (NACIS) has responded by proposing a new Cyber Security Act (ZoKB) to replace the current law. In this case, therefore, the NUCIB has proposed not to take the route of amending the current law, but to create an entirely new legal framework. Nevertheless, some aspects will remain similar.
Who should be affected by the new legislation?
The new Directive will affect entities operating in key sectors, including:
- Public administration.
- Energy.
- Transport.
- Healthcare.
- Drinking water and wastewater.
- Digital infrastructure.
- Managed ICT service providers and space industry.
However, NIS2 will also affect other sectors such as postal and courier services, waste management, chemicals, food processing, manufacturing and research.
According to the NCIB, the main criterion for determining whether a private or public organisation is subject to regulation by the Directive is the simultaneous fulfilment of the following two rules:
- The organisation provides at least one service listed in the annexes of the Directive.
- It is also a medium or large enterprise, i.e. it employs 50 or more employees, or has an annual turnover or balance sheet total of at least EUR 10 million (approximately CZK 250 million).
Will the new legislation affect your business?
An important aspect of the new Directive is the so-called self-reporting obligation, within 3 months of its entry into force. In order not to be caught by surprise by the upcoming law, we have appointed a group of experts who can check and determine whether you meet the legislative conditions. Contact us.
How will the directive be reflected in Czech legislation and what will the new Cybersecurity Act (ZoKB) look like?
Individual Member States have until 17 October 2024 to incorporate NIS2 into their national law. In the Czech Republic, the new Cybersecurity Act (ZoKB) should provide for two regimes – a higher and a lower one, adapting to the needs of different sized organisations. The proposal is currently in the drafting phase.
The draft of the new Cybersecurity Act is, like the current version, based on the internationally recognised ISO 27000 family of standards. This means that it does not (except for specific innovations) introduce entirely new concepts and measures that the vast majority of companies would not naturally already apply.
The following changes can be expected within the new national regulation:
- Establishing and clearly defining the obligations that will be imposed on regulated entities, with respect to higher or lower obligation regimes.
- Establishing requirements to ensure the availability of services that are of strategic importance.
- Determining the scope of cyber security management in line with the new regulations.
- Setting requirements for the implementation of security measures according to the specific regime in which the service is operated and regulated.
- Delegation of supply chain security screening responsibilities to entities providing strategically important services.
Implementation
The new law is expected to pave the way for significant changes in the cybersecurity landscape for businesses, including identifying primary activities, scoping the security management system, developing security policies, implementing a more comprehensive approach to risk management, and strengthening the focus on human resource security. At the same time, entities will be required to share information, report cybersecurity incidents, and ensure the security of contractors, as already mentioned.
The NCIB will have the power to conduct inspections and may impose corrective measures on entities in the event of deficiencies or breaches.
Although the first draft of the NIS2 directive was submitted in 2020, the final version was not published until December 2022. Businesses should be ready to adapt to the new rules within one year of the publication of the amended Cybersecurity Law (ZoKB), which is expected to be published this autumn. However, the implementation of NIS2 without prior experience with the implementation of other standards tends to be a rather challenging process that can take several months. It is therefore necessary not to wait for the adoption of the law, but to start preparing as soon as possible.
Look out for an article coming soon that will go into more detail about the practical impact on your company.