Sun, Jul
68 New Articles

New Cybersecurity Rules in Europe

New Cybersecurity Rules in Europe

Czech Republic
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Europe is awaiting the evolution of cybersecurity. On 3 May 2022, the Council and the European Parliament agreed on the so-called NIS 2 Directive (Directive on measures for a high common level of cybersecurity across the Union). NIS 2 repeals the currently effective NIS Directive.

What is going to change? NIS 2 expands the range of entities that will have to comply with cybersecurity rules. NIS 2 will apply on numerous if not most TNT companies. NIS 2 recognizes two types of sectors: essential and important. Most of the TNT companies will belong to the essential sector as the digital infrastructure sector entities. Those entities are internet exchange point providers, DNS service providers, cloud computing and data center services, content delivery network providers, trust service providers according to eIDAS and providers of public electronic communications networks and servicers. Besides digital infrastructure, other essential sectors are health, energy, transport, banking, public administration and space. In addition to the essential sector entities, there will be also TNT companies classified as important sector entities, i.e., postal services, or digital providers. Digital providers are providers of online marketplaces, search engines and social networking platforms. The difference between the sectors is, according to the Recital of the directive, the level of criticality or the type of service as well as the level of dependency of other sectors or services. 

Micro and small entities are excluded from the application of the directive unless they are explicitly mentioned by the directive. These SME companies usually play a key role for the economy and society, e.g., providers of public electronic communications networks and services. 

It is obvious that NIS 2 will significantly affect extended range of subjects. This extension was the crucial point in a discussion led in the process of adaption of the directive. The new obligations will bring an additional, first and foremost, financial burden to many subjects. However, the new entities should already be accustomed to some measures from GDPR, which makes no distinction between sectors and the size of entities.

The obligations of essential and important entities differ explicitly only in supervision. NIS 2 makes a distinction between ex ante and ex post supervision. The supervision of essential entities may take place in advance, while the supervision of important entities is carried out after a supervisory authority is provided with an evidence or indication that the entity does not comply with the rules. The essential entities will be subject to more stringent supervision and enforcement such as on-site inspections and off-site supervision, incl. random checks and regular audits.

Both essential and important entities have to take appropriate and proportionate technical and organizational measures to manage cybersecurity risks. The implemented measures have to take into account the risks to systems of the individual entity. NIS 2 is based on the assumption that every company is familiar with its own systems and their level of risk. NIS 2 requires an outcome consisting in ensuring of security level appropriate to the risks but leaves up, with a few exceptions, to the entities to assess which measures they implement to achieve the outcome. On the other hand, the measure should not impose disproportionate financial and administrative burden. NIS 2 emphasizes a risk-based approach. The entities have to adjust their cybersecurity risks management accordingly.

Contrary to the currently effective NIS Directive, NIS 2 determines which measures have to be at least taken by both types of entities. These measures are, i.e., risk analysis, information system security policies, incident handling, business continuity and crisis management, supply chain security, development and maintenance, including vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, and the use of cryptography and encryption.

The directive makes no difference between the essential and important entities in their obligation to implement appropriate measures: Nevertheless, the measures taken by the essential entity should, by their nature, take into account the importance that NIS 2 ascribes to this sector. The essential entities should certainly go beyond the obligatory measures set by NIS 2. In the future, the Commission may expand the list of obligatory measures taking into consideration new cyber threats, technological development or sector specialties.

By Eva Fialova, Attorney at Law, PRK Partners

Czech Republic Knowledge Partner

PRK Partners, one of the leading Central European law firms, has been helping clients achieve their business objectives almost 30 years. Our team of lawyers, based in our Prague, Ostrava, and Bratislava offices, has a unique knowledge of Czech and Slovak law and of the business environment. Our lawyers studied at top law schools in the United States, United Kingdom, Switzerland and elsewhere. They also have experience working for leading international and domestic law firms in a number of jurisdictions. We speak your language, too. Our legal team is fluent in more than 15 languages, including all the key languages of the region.

PRK Partners has one of the most experienced legal teams on the market. We are consistently rated as one of the leading law firms in the region. We have received many significant honours and awards for our work. We represent the interests of international clients operating in the Czech Republic in an efficient way, combining local knowledge with an understanding of their global requirements in a business-friendly approach. We are one of the largest law firms in the Czech Republic and Slovakia. Our specialised teams of lawyers and tax advisors advise major global corporations as well as local companies. We provide comprehensive legal advice drawing on our profound knowledge of local law and markets.

Our legal advice delivers tangible results – as proven by our strong track record. We are the only Czech member firm of Lex Mundi, the world's leading network of independent law firms. As one of the leading law firms in the region, we have received many national and international awards, in some cases several years in a row. Honours include the Chambers Europe Award for Excellence, The Lawyer and Czech and Slovak Law Firm of the Year. Thanks to our close cooperation with leading international law firms and strong local players, we can serve clients in multiple jurisdictions around the globe. Our strong network means that we can meet your needs, wherever you do business.

PRK Partners has been repeatedly voted among the most socially responsible firms in the category of small and mid-sized firms and was awarded the bronze certificate at the annual TOP Responsible Firm of the Year Awards.

Our work is not only “business”: we have participated on a longstanding basis in a wide variety of pro bono projects and supported our partners from the non-profit sector (Kaplicky Centre Endowment Fund, Tereza Maxová Foundation, Czech Donors Forum, etc.).

Firm's website: www.prkpartners.com

Our Latest Issue