Are you affected by the new NIS2 Directive?

Nowadays, data is one of the most valuable assets for companies and a key element for a successful business. However, with the development of digitalisation, the risk of cyber threats that can disrupt business continuity is growing exponentially.

These include ransomware that encrypts your data or DDoS attacks that cause overload and subsequent outages of online services. Cyber attacks are not limited to private companies. They are also significantly affecting the public and state sectors as well as critical infrastructure.

In the Czech Republic, we have recently witnessed a number of large-scale attacks. Several banks were affected, including the CNB (summer 2023). This clearly illustrates the urgent need to strengthen cyber security and prevention against these increasingly sophisticated threats.

A more advanced framework for protecting EU cyberspace

The original cybersecurity directive, the 2016 NIS (Network and Information Security) Directive, is now outdated: technology has evolved rapidly and the directive does not address the new cyber threats mentioned above.

Let’s look at some key numbers. The US company Cybersecurity Ventures reports that the global cost of cybercrime will exceed $8 trillion (over 181 trillion CZK) in 2023. ENISA (the European Cyber Security Agency) adds that the volume of data stolen in cyber attacks in 2021 exceeded 260 terabytes, with the average cost per case estimated by IBM at nearly $4.5 million (over CZK 100 million).

These trends, which have been gaining momentum in recent years, were also the impetus for the European Union to present an updated version of the directive, NIS2, in December 2020. This new and expanded directive aims to strengthen the security of European cyberspace, and EU Member States are obliged to incorporate it into their legal systems. The Czech Republic is currently transposing it, with the new legislation expected to come into force in 2024. A year later, self-identification will become mandatory. Many companies therefore face a large number of new obligations and additional costs. In scope and severity, this goes far beyond, for example, the GDPR. Significant fines for non-compliance are also in play.

Higher and lower duty regime

Beyond the NIS2 Directive, the new draft Cybersecurity Law (which transposes the NIS2 Directive) envisages a “two-tier” division of providers into those with higher and lower level obligations.

The specific conditions for determining the level of obligations are contained in the decrees, drafts of which have already been published together with the draft law itself. The criteria for determining the level of obligations are usually the size of the undertaking, the scope of the service provided or whether it is a statutorily regulated service.

In general terms, the conditions for service providers under the higher obligations regime are more detailed and some obligations apply exclusively to these providers. For example, a specific condition for providers in the higher obligations regime is a supplier management system, under which they will be required to manage and control their supply chain and pass on security standards to their major suppliers through contractual arrangements. Providers in the higher obligation regime will also be subject to higher penalties.

Oliver Matoušek, Geetoo Legal Counsel

Thus, it will be important for companies not only to determine which level of obligations they themselves fall under, but also to whom they supply their services, as providers under the higher level of obligations may contractually bind them to certain obligations of the higher regime.

So what obligations does the new law on cyber security impose?

  • develop a robust information security management system, including related documentation (analyse the relevance of the security policy, disaster recovery plans, business continuity plans, etc.)
  • involve senior management in the information security management system
  • report security incidents to the NUCIB
  • conduct regular audits
  • ensure information access management (access records, MFA, regular audits of access)
  • ensure supply chain security
  • ensure security in the acquisition, development and maintenance of networks and information systems, including the detection of vulnerabilities
  • evaluate the effectiveness of cyber security risk management measures
  • provide regular training in cyber security

Who will be affected by the new law?

The new regulation significantly expands the range of obliged entities. It is estimated that there will be around 6,000 of them in the Czech Republic. Because of the obligation to manage the supply chain, the new regulation will ultimately affect entire regulated industries, where compliance with security standards will become a de facto necessity.

The range of obliged entities is specified in decrees and is divided into 22 sectors (e.g. public administration, energy, chemical industry, digital infrastructure, financial markets, military industry). For us at Geetoo, nothing major changes, as we have been operating in this “stricter” regime for some time. We will therefore be happy to advise you on the implementation of the new measures.