New cybersecurity rules: what are the most common self-identification mistakes?

20.1.2025

Author of the article: Mgr. Petr Hanzel, LL.M., ARROWS law firm (office@arws.cz, +420 245 007 740)

Not sure if your company is covered by the new cybersecurity law? Still think your company isn't affected by cybersecurity? You're investing in your office security, but why not in protecting your IT infrastructure? In the event of a cyber attack, you could lose sensitive data, trade secrets, or even experience a shutdown of key operations - from your e-commerce store to your production line. For example, if your e-shop faces a cyber-attack during the Christmas season, the losses could reach millions per day. Properly executed self-identification is not only essential to protect against hefty fines, but also a fundamental obligation under the new legislation. Do it before the law comes into effect to allow enough time to secure experts, funding and other resources.

1. Self-identification obligations - ignorance is no excuse

The new Cybersecurity Act, which is likely to be in force from mid-2025, substantially expands the number of companies that are obliged to comply with specific security requirements. The self-identification obligation affects tens of thousands of companies in the Czech Republic. Failure to comply can lead to fines of up to CZK 250,000,000 or 2% of global annual turnover.

Businesses often do not realise that cyber regulation has long since ceased to apply only to big players in critical infrastructure. The new law targets a much wider range of businesses, from digital service providers to manufacturing companies, and even more so companies that are part of strategic supply chains.

Self-identification and registration of the regulated service is a fundamental obligation under the new legislation. The authority will not come to you, it will not send you a data message: "Hello, the new rules apply to you, you have to do exactly this (...)." The comprehensive identification of the impact of the completely new legislation must be done by companies themselves and done correctly.

2. Regulated services assessment

One of the most common mistakes in self-identification is the incorrect assessment of whether your company provides regulated services. The new Cybersecurity Act covers a wide range of activities in areas that are strategic or critical to the operation of the company.

In the self-identification process, companies often consider only their primary activity and overlook ancillary or support activities that may be distinct from the primary activity but are still subject to regulation. It is always necessary to assess each individual activity actively carried out to determine whether or not it is a regulated service within the meaning of the new legislation.

3. Correctly assessing the size of the undertaking: Think about the whole structure

The size of the company is another criterion that determines whether the new law applies to you. Many companies misinterpret the rules, for example, underestimating their number of employees or misjudging financial ratios.

The law also takes interconnected businesses into account - if you are part of a larger group, you may be affected by the regulations even if you don't meet the headcount or turnover requirements on the face of it. For example, a small subsidiary of a large corporation may be regulated based on its interconnectedness.

Properly assessing the size of your business is a key step in making it clear what obligations apply to you.

4. Key steps to ensure regulatory compliance

To make sure you meet all the requirements of the new Cybersecurity Act, focus on the following steps:

  1. Verify your industry: determine if you fall into regulated sectors such as manufacturing, energy, or digital infrastructure.
  2. Company size analysis: evaluate all parameters of company size, including interconnections with parent companies.
  3. Regime of obligations: after self-identification, determine whether you are exempt from the legislation or will be subject to the lower or higher regime of obligations.
  4. Gap analysis: identify the difference between the existing measures and the measures you will be obliged to introduce.
  5. Resourcing: secure funding, experts and time for implementation in advance. These resources are likely to be scarce once the law comes into force. Work with experts to help you identify gaps and address them in a timely manner.
  6. Keep track of developments: regularly monitor legislative changes and validate your preliminary conclusions.

The new cybersecurity law brings major changes that require careful preparation. By performing self-identification before the legislation takes effect, you will gain a competitive advantage in the marketplace, ensure you have sufficient resources and minimize risk.

If you need help with a preliminary self-identification or want to verify the accuracy of your conclusions, please do not hesitate to contact us.