Transposition of the European NIS2 Directive into Czech law is expected to be completed in late 2024 through the new Czech Cybersecurity Act (CSA) and its associated decrees. This legislative shift will affect an estimated 6,000 to 10,000 Czech companies that were formerly exempt from cybersecurity regulation, requiring them to adopt measures for compliance. Since the CSA is a complex legal regulation, it is advisable to engage a range of experts in this transformative process, extending beyond IT to include legal and compliance professionals.
The range of potentially affected companies generally encompasses medium and large enterprises across 60 services and almost 20 sectors. These services span from ICT and digital service providers to traditional sectors such as energy, transport, healthcare, water supply, automotive and food processing.
Compliance Measures
Companies falling under the regulation are required to adhere to several sets of measures. The first set comprises organizational and operational measures: ensuring a baseline of cybersecurity, defining security roles, establishing incident-handling processes, maintaining documentation, and managing suppliers and access. The second set comprises technical measures, such as using cryptographic algorithms and ensuring service availability. The extent of the obligations depends on whether the entity falls under the lower or the higher obligations regime, as defined by the law.
Penalties
Companies failing to comply with the stipulated obligations may face substantial penalties, including fines of up to EUR 10 million or 2% of the net worldwide annual turnover.
Moreover, managers, including executive directors and members of the Board of Directors, bear direct responsibility for closely overseeing the implementation, since the CSA proposes personal liability for them. The National Cyber and Information Security Agency (NÚKIB) may conduct cybersecurity inspections, which can result in individuals being prohibited from exercising management positions. Under the CSA and the NIS2 Directive, top management must regularly undergo cybersecurity training.
Implementation and Expert Engagement
Implementing the CSA requires a careful evaluation of whether the regulation applies, a definition of the specific obligations, and execution of the required measures. A recommended approach is to involve a team of legal and IT experts for effective implementation, covering aspects such as supplier management, corporate governance, risk analysis, documentation updates, process management, incident reporting, and training.
By Jaroslav Tajbr, Partner, Eversheds Sutherland