The NIS 2 Directive is a focus for many large companies, but it is important to recognise two key facts. Firstly, the new obligations will not affect only large corporations; they are expected to affect up to 7,000 entities. Secondly, no new obligations can arise for your company directly from NIS 2 itself, because it is a directive and its content must first be incorporated into national legislation. In the case of the Czech Republic, this will be done by a completely new law on cyber security.
So what are the basic obligations that need to be addressed? Can you take any preparatory steps today, since the legislation has not yet been adopted? When do you need to start in order to get everything done? These are just some of the basic questions I will answer in this article.
It can already be said that the expected deadline for the implementation of the Directive, 18 October 2024, will not be met, which may cause difficulties for the Czech Republic, but on the other hand it gives obliged entities additional time to prepare. The draft Cybersecurity Act provides for a one-year deadline for the actual implementation of security measures. I assume that, given the current state of the legislative process, we can expect the law to be adopted at the end of 2024 at the earliest. This means that you will still have the entire year 2025 to bring your company into compliance with all security obligations.
The first thing you can do now is to assess whether or not the new obligations will apply to you. If the answer is yes, you are required to self-report to the NCIS within 90 days of meeting the criteria below (or the new cybersecurity law taking effect). Theoretically, it may still be the case that you will not ultimately be subject to the new obligations, simply because the law and decrees are not yet final and the definitions of obligated entities may be refined.
How can you self-identify? First of all, you need to determine whether you fall (with exceptions) into the category of medium or large enterprises (see the article by my colleague Mgr. Antonín Hajdušek, available here). A company with a more complex ownership structure may already run into problems at this step: the same rules are used to determine enterprise size as, for example, for subsidies. If you are still unsure how to proceed, we are of course ready to help you with this as well. Next, you need to assess the content and scope of the activities you provide, that is, whether any of them is a regulated service. A regulated service is defined as a service whose disruption could have a significant impact on the security of important social or economic activities; the list and description of these services are set out in the decrees implementing the Cybersecurity Act.
The most important conclusion for you in the self-identification process will be whether you are classified in the higher or lower obligation regime: approximately 1,000 obliged entities are expected to fall under the higher regime and at least 6,000 under the lower regime. These two regimes determine the range of obligations and measures that will apply to you. If you fall under the higher regime for one regulated service, you will have to comply with its obligations across all your regulated services.
Securing sufficient cybersecurity staffing, both in-house and through outsourcing, will also be key. Whichever regime you fall under, lower or higher, you need to clearly identify the persons responsible.
You will need to be particularly careful under the higher obligation regime, where considerably more staffing is required, especially experts. For example, you will need a cybersecurity manager, a cybersecurity architect, an asset guarantor or a cybersecurity auditor. In addition, there are requirements for these persons in terms of experience in the field of cyber security, so finding such an expert may be very challenging given the wide demand that is likely to follow the adoption of the new law.
Breaches of higher-regime obligations carry fines of up to CZK 250 million or 2% of net worldwide annual turnover. For breaches of lower-regime obligations, the fine is up to CZK 175 million or 1.4% of net worldwide annual turnover.
Fines are not the only penalties, however; other sanctions include suspension of certification, suspension from management, and administrative or coercive fines.
The first recommendation is to start implementing or at least preparing for these changes well in advance.
Experts believe that the obligations arising from the lower regime are the minimum that every company should comply with. The targets of cyber-attacks are no longer just the most important companies; anyone can be hit. So consider how much money you would lose if your e-shop stopped working or your production line came to a halt.