NIS2 Transposition Will Be Delayed. What Should You Prepare For?

The NIS2 directive brings significant changes in the field of cybersecurity, affecting a wide range of companies in the Czech Republic – estimates speak of 6,000 entities. What should you know about it? 

Transposition status

The new legislation was supposed to come into effect in the Czech Republic on October 17, 2024. This deadline was set by the European Commission for all member states. Failure to meet this deadline could result in fines and, in extreme cases, the suspension of European funding. So far, only Hungary and Croatia have reported completion. It is already clear that the Czech Republic will not meet the transposition deadline. 

The National Cyber and Information Security Agency (NÚKIB), responsible for drafting the law, has not been very successful with its proposal at the Government Legislative Council (LRV). Therefore, NÚKIB will have to revise it and resubmit it to the LRV (this happened on 28 May 2024; see the quotation below). According to available information, these are not just cosmetic changes. The transposition deadline will most certainly not be met, and the law could come into effect only in 2025. 

According to NÚKIB, the comments raised by the Government Legislative Council mainly concerned technical aspects of the new law (certain definitions, the relationship between the new law and other legal regulations, and authorizations for issuing secondary legislation). Unofficial sources indicated that the LRV had many more comments and that they significantly impacted the content of the law. 

Nevertheless, NÚKIB has already revised its original proposal and sent the new wording to the Government Legislative Council at the end of May 2024, which will now reconsider it. We will see whether NÚKIB succeeds with the changes and whether the LRV issues a favorable opinion so that the law can proceed to Parliament. In any case, it already seems clear that the transposition deadline for implementing the NIS2 directive will not be met. 

Oliver Matoušek, Geetoo Legal Counsel

GDPR on steroids

The upcoming European shield against cyber threats has earned the nickname “GDPR on steroids.” Both legislative acts share many similarities, such as a performance-based approach to regulation (regulated entities set their own specific rules) and high fines for non-compliance. Let’s take a brief look at the most significant changes. 

Main changes

  • Increased Number of Regulated Entities: The number of obligated entities will be around 6,000, although some estimates speak of up to double that number.
  • Supply Chain Security: The proposed law requires companies to manage cybersecurity within their supplier selection process. A new aspect is the inclusion of NÚKIB’s evaluation in the process of selecting significant suppliers for organizations under higher obligations. 
  • Data Sovereignty: Organizations under higher obligations must have their data located in the Czech Republic (or the European Union).
  • Incident Reporting: Companies will have to report cyber incidents within 24 hours of their detection. This quick reporting is crucial for timely responses and minimizing damage.
  • Management Responsibility: Company management will be personally responsible for implementing and adhering to cybersecurity standards.
  • Fines for Non-Compliance: The maximum fines are 10 million EUR or 2% of the net turnover.

How is NIS2 perceived by the market?

Companies in the Czech Republic have certain reservations about the directive and NÚKIB’s approach. They are particularly concerned about the fact that in its current form, NÚKIB has the exclusive right to ban any supplier. Critics argue that this approach will not lead to greater cybersecurity but rather to potential monopolization of the entire supply chain. This is a significant threat in itself. Other concerns include: 

  1. Strictness and Scope of Regulation: Companies criticize that NÚKIB often imposes stricter rules than those required by EU law. This approach leads to higher costs and more complex compliance requirements. 
  2. Bureaucracy and Administrative Burden: Many smaller businesses complain about the increased administrative burden that accompanies the directive.
  3. Lack of Communication and Consultation: The business community often points out the lack of communication and consultation from NÚKIB. Companies feel that their feedback is not adequately considered, leading to frustration and distrust of the regulator. 
  4. Capacity Limitations for Audits: Although NÚKIB plans to conduct regular audits, companies point out that the regulator does not have sufficient capacity to carry out these audits to the extent required.

Maintaining business continuity

According to surveys, some IT managers and professionals are still unaware that NIS2 applies to them. What should we take from this? Cybersecurity strategies should be “common sense” for businesses today, not just a reaction to comply with an EU directive. 

Security measures should primarily be driven by the company’s needs and the recognition of the necessity to protect itself, rather than merely complying with laws. Each year, Czech companies encounter thousands of cyber threats, potentially resulting in millions of crowns in damages. Robust cybersecurity is not just about regulatory compliance; it is crucial for maintaining business continuity and protecting customer trust. Enhancing your cybersecurity is an investment in the future of your company. 

Oliver Matoušek, Geetoo Legal Counsel

If you are uncertain about NIS2 and cybersecurity, do not hesitate to contact us.

31. 05. 2024