Cybersecurity affects everyone! And so does the new regulation!

14.2.2023

Cybersecurity is a topic for everyone. Or at least it should be. For purely practical and legal reasons.

After all, a cyber incident or "successful" attack can cause significant damage to a hospital, an e-shop, a school and an insurance company alike. It can restrict or completely disable customer service or normal operations, compromise the security of client data (with the risk of heavy fines under GDPR), and cause leakage of trade secrets (know-how, product specifications, customer database, contracts, pricing terms, etc.), leaving the business at a disadvantage against its competitors.

And also jeopardise client trust, whether in the B2B or B2C segment.

With the new regulation, the NIS2 Directive and the new Czech Cybersecurity Act that transposes it, the range of businesses required by law to manage cybersecurity will expand significantly. The obligations are set out in considerable detail and backed by the threat of large fines.

So let's protect our business and information well, efficiently and smartly. Against hackers and against fines.

Author of the article: ARROWS (Mgr. Jiří Halaburt, LL.M., Mgr. Petra Macková, office@arws.cz, +420 245 007 740)

This article was written in 2023. If you are looking for up-to-date information on this topic, please contact us at office@arws.cz or by phone on +420 245 007 740. We will be happy to advise you.


Where are we with the legislation?

The European NIS2 Directive (Directive (EU) 2022/2555) was adopted just before the end of 2022 and gives Member States until 17 October 2024 to transpose it into national law. The new Czech legislation is already being worked on intensively, and we can expect it to come into force by mid-2024.

Is that a lot of time? Seemingly.

It will take time and capacity to put in place a comprehensive system to ensure cybersecurity and information protection, especially where this has not been systematically addressed. It is therefore advisable to start now.

Who will be affected by NIS2?

The businesses covered by NIS2 will usually be determined by a combination of business (sector) and size.

Which sectors will be covered by NIS2? For example:

  • Energy
  • Transport
  • Healthcare
  • Drinking water
  • Wastewater and waste management
  • Digital infrastructure and ICT service provision in the B2B segment
  • Provision of digital services (online marketplaces, search engines, social networking platforms)
  • Public administration
  • Food production, processing and distribution
  • Manufacture of computers, electronic and optical equipment, and certain transport or medical devices

If you are active in any of these areas and are at least a medium-sized enterprise under the EU SME definition, i.e. you employ 50 or more people, or your annual turnover and annual balance sheet total both exceed the equivalent of €10 million, then NIS2 will apply to you. Immediately, directly and in full.

Do you have fewer employees or are you in a different sector? Don't worry, NIS2 may still affect you. Especially in these cases:

  • You provide public electronic communications networks or services, or trust services such as electronic signatures (these are covered regardless of size),
  • you are or become a supplier or subcontractor of a NIS2 regulated entity. In this case, the regulated entity will require you to document and contractually confirm a number of obligations relating to cybersecurity,
  • you are a member of a group of companies, some of which will be NIS2 regulated entities, with which you share, even partially, the same ICT tools.

Cybersecurity under NIS2. What does this actually mean?

If you become, directly or indirectly, a NIS2 regulated entity, cybersecurity will need to be addressed comprehensively. Piecemeal, isolated measures or the adoption of a few internal regulations are not enough. In particular, the cybersecurity system must include:

  • a clear and binding statement of the responsibility of the organisation's management for ensuring the various elements of cybersecurity, the adoption of a security policy and the approval of specific measures,
  • cybersecurity training and professional development,
  • a process for asset management,
  • a process for the regular identification of cybersecurity threats and risks, including their treatment through the implementation of appropriate security measures (organisational, technical and procedural),
  • procedures for the management of ICT services, i.e. development, operation, management and procurement,
  • processes and procedures for the early detection and management of cyber incidents, including their reporting to supervisory authorities,
  • business continuity, i.e. ensuring uninterrupted performance of critical services during outages and incidents,
  • ensuring the security of the supply chain, its suppliers and other subcontractors,
  • the use of cryptography and encryption,
  • rules for user authentication,
  • ensuring the security of human resources,
  • setting up and regularly carrying out internal controls to verify that the cybersecurity measures in place are working as intended.

Fines threaten both the regulated organisation and the members of its statutory bodies!

The new cybersecurity regulation introduces relatively high fines. Under the draft of the new Cybersecurity Act, a breach of, or failure to set up, any of the basic elements of a cybersecurity system may result in a fine of up to CZK 250 million or 2% of global annual turnover.

By comparison, the current Cybersecurity Act, which the new regulation implementing NIS2 will replace, sets a maximum fine of CZK 5 million. The risk of a significant financial penalty therefore increases considerably.

Setting up a cybersecurity process opens the door to more customers

Having a cybersecurity management system in place is in the interest of every business. To protect operations, trade secrets, clients.

From 2024 onwards, for more than 6,000 businesses it will also be necessary to comply with NIS2 and avoid sanctions.

However, requirements for the protection of information, networks and data-processing tools may also come from other legislation. In practice, this mainly affects businesses acting as suppliers, especially in the ICT sector, to public administrations or financial institutions.

In the former case, this concerns in particular the provision of cloud computing services to public authorities. An organisation that wants to offer such services to them must first be registered in the official catalogue of cloud providers, and many of the conditions for registration relate specifically to cybersecurity.

Similarly, cybersecurity must be addressed and contractually guaranteed by those who supply their services to financial service providers. And not just banks or insurance companies, but also payment institutions, fintech companies, etc.

Putting in place an adequate and reliable system to protect cyber security can thus open the door to other customers, precisely from these more regulated sectors.

What can we help you with?

  • An analysis of whether your organisation will be a regulated entity under NIS2,
  • assessing what NIS2 obligations apply to you,
  • assessing your current arrangements and carrying out a GAP analysis on the new legal requirements,
  • setting up internal processes and procedures to ensure compliance with NIS2 requirements,
  • internal set-up and clarification of the responsibilities of the members of the statutory body,
  • review of contracts with existing suppliers,
  • preparation of internal documentation, internal regulations and contracts,
  • monitoring the development of the legislative process and analysing the impact on your organisation,
  • training of members of statutory bodies, managers and other employees.

Protect your business and the information flows that depend on it: entrust the implementation of a comprehensive cybersecurity system to our experts.