NIS2 Directive and the new Bill on Cybersecurity

What is the NIS2 Directive and from when does it apply?

The NIS2 Directive is an EU directive that imposes strict new requirements on certain companies and Member States in the area of cyber security. This is the EU's response to the massive increase in the damage caused to European companies by cyber-attacks.

NIS2 must be transposed into national law by EU Member States by 18 October 2024. The requirements apply from that date.

A transpositional bill is being prepared in the Czech Republic and is expected to come into force in October 2024.

When does your company fall under NIS2?

Condition 1: Minimum size

  • EUR 10 million annual turnover, or
  • 49 employees

Please note:
For conglomerates: the data are aggregated together for the group as a whole. For particularly critical companies, sub-threshold applicability is possible!

Condition 2: Activities in the EEA
The company must be active in the EEA.

Please note:
Establishment in the EEA is not a requirement; activity in the EEA is sufficient!

Condition 3: Regulated services
The company provides regulated services.

Attention: Even "regulated" minor services provided by a company are (usually) sufficient for regulation!

In particular, the following are considered critical sectors:

  • Electricity
    Production, supply, storage, and sale of electricity, oil, gas, hydrogen, etc., including electronic refuelling stations.
  • Mechanical engineering, electrical equipment, automotive
    Manufacture and assembly of machinery, apparatus, and vehicles, including spare parts.

  • Healthcare
    Medical services, laboratories, production of medicines, medical devices, pharmaceuticals.
  • Digital infrastructure
    Including trust services, data centres, cloud computing, communications networks, and services (SaaS, IaaS, etc.).
  • Banks and financial markets
    Please note: Special regulation (DORA) applies here!
  • Chemical industry
    Production and trade of fuels, mixtures, and chemical products.
  • Food industry
    Wholesale, industrial production, and processing.
  • Waste management
  • Public administration
  • Online platforms
  • Postal and courier services
  • Research facilities
  • Transport
    Air, rail, ship, road, and space transport.
  • B2B IT services
    Including intra-group services.
  • Drinking and wastewater
  • Other definitions
    As set out in national transposition legislation.

Warning: definitions are complex and often very broad!

Indirect applicability:

The contractors of the companies concerned may be indirectly affected by NIS2 as part of the supply chain: the companies concerned must contractually impose cybersecurity obligations on them under NIS2.

What requirements must the companies fulfil?

Companies subject to NIS2 must comply with the following obligations, among others:

Registration required:
The companies concerned must register with the National Office for Cyber and Information Security (NÚKIB) - in the Czech Republic this should happen by the end of 2024 at the latest.

Please note:
Other countries may impose different requirements, e.g., earlier registration deadlines (Hungary).

Notification duty in the event of a cyber incident:
A significant cyber-attack or other cyber incident must be reported to the relevant authority within 24 hours of discovery.

Subsequent reports must be made within 72 hours, one month after the incident is resolved, and at any time upon request.

Preventive risk management measures:
Companies must take measures to mitigate and manage cyber risk to their own systems.

Measures must be proportionate to the company and the risks. As a reference, the state of the art, relevant standards (e.g., ISO), and cost reasonableness must be used.

Compliance with the relevant risk measures must be demonstrated to the authorities upon request. Some companies are expected to be subject to regular security audits.

Attention: ISO alone is not enough!

Examples of measures:

  • Role and responsibilities of statutory bodies
  • Cyber hygiene and security in human resources
  • Asset management
  • Cryptography and encryption
  • Risk analysis, risk management, and system security processes
  • Regular training and awareness raising on cyber security for employees and governing bodies
  • Security in the acquisition, development, operation, and maintenance of IT systems
  • Business continuity and crisis management, including backup and recovery concepts
  • Access control, access authorization, password management, and multi-factor authentication
  • Cybersecurity in the supply chain, including reviewing and adjusting contracts with suppliers and service providers
  • Guidelines and procedures for dealing with cyber security incidents
  • Environmental and physical security of systems

Note: Additional requirements may be specified for specific sectors.

What are the responsibilities of the company management?

The regulation explicitly states that cybersecurity is the responsibility of the company's management. The following duties are therefore expressly addressed to the management bodies of the companies concerned (the board of directors, the managing directors, the supervisory board, etc.):

Monitoring implementation:
The management bodies must approve the above risk management measures and monitor their implementation. This task cannot be delegated.

The management bodies will be personally liable for any damage caused by a breach of this obligation.

Mandatory training:
Management bodies must regularly receive training in cyber security management.

The content of the training must also cover the cyber risk management measures specific to the company.

Consequences of non-compliance

The new regulation provides for strict consequences in case of non-compliance:

Administrative fines:
The fines can be up to €10 million or 2% of the group's worldwide revenues (whichever is higher).

Supervisory measures:
The competent authority for cybersecurity may carry out control measures or have them carried out by external auditors at any time.

The NÚKIB may order the infringement to be remedied by an official notice.

In the event of an imminent threat, the activities of some organizations may be temporarily banned or their leadership removed.

Management responsibility:
The management bodies will be held personally liable for any breach of their obligations. This responsibility cannot be delegated.

By Jaroslav Tajbr, Partner, Eversheds Sutherland
