Cybersecurity is trending in Czechia again, not only because of recent large-scale cyber-attacks on important institutions such as hospitals, Czech public radio, and the national highway directorate (where some systems remained unavailable for several months), but also because of legislative developments. In particular, it is now time for many Czech businesses to prepare for the NIS 2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union).
The NIS 2 Directive significantly expands the circle of regulated entities compared with its predecessor, the NIS Directive. Until now, Czech cybersecurity legislation under the Cybersecurity Act and its implementing decree mostly concerned public bodies, with businesses affected only if they operated critical infrastructure or provided critical services. The new obligations under NIS 2 and the Czech implementing legislation are expected to affect at least 6,000 entities. At the same time, regulated entities will have to comply with a broader set of mandatory security measures.
The new legislation will affect any entity that meets two conditions: (1) it provides a service listed in one of the annexes of the directive (such as water, energy, healthcare, or transportation, but also, for example, the food industry and the manufacture of certain types of equipment, such as IT equipment or motor vehicles), and (2), with some exceptions, it is a medium-sized or large enterprise (i.e., it employs 50 or more people or has an annual turnover of at least EUR 10 million or CZK 250 million). NIS 2 further divides regulated entities into essential and important entities. Essential entities include, among others, providers of digital infrastructure, public electronic communications networks, and publicly available electronic communications services. Important entities include, for example, providers of certain digital services. In addition, under the proposed implementing decree, the National Cyber and Information Security Agency will be able to designate any other service as regulated by means of an agency decision, provided that disruption of the service could seriously affect the lives of more than 125,000 people through threats to life, health, property, internal order, or the environment.
Regulated businesses will have to take appropriate and proportionate technical, operational, and organizational measures to manage the security risks to their networks and information systems and to minimize the impact of cybersecurity incidents. NIS 2 leaves the choice of specific measures to the regulated businesses themselves, as they are best placed to decide, taking into account their internal organization, information systems, and the risks they face. The directive sets out only a short list of baseline measures that every regulated entity must adopt: policies on risk analysis and information system security; incident handling; business continuity and crisis management; supply chain security; security in the acquisition, development, and maintenance of networks and information systems; policies and procedures for assessing the effectiveness of cybersecurity risk management measures; basic cyber hygiene practices and cybersecurity training; policies and procedures on the use of cryptography and, where appropriate, encryption; human resources security; access control procedures; and asset management. The National Cyber and Information Security Agency will be able to subject regulated businesses to inspections, audits, and other supervisory measures to ensure compliance with the new rules, and to impose sanctions for shortcomings (in most cases, fines). Under the draft Cybersecurity Act, the maximum fine is CZK 250 million (approximately EUR 10 million) or 2% of the infringer's net worldwide annual turnover, whichever is higher.
EU member states must transpose the NIS 2 Directive into their national law by October 17, 2024 at the latest. The National Cyber and Information Security Agency has already prepared a draft of the new Cybersecurity Act and the related implementing decree. The draft was open to public consultation in early 2023, which produced 1,144 comments from the public. These were reflected in an updated version of the draft, which has since entered the standard inter-ministerial comment procedure, in which ministries and other public bodies may comment. The new legislation is expected to be adopted by mid-2024.
By Michal Matejka, Partner, and Eva Fialova, Attorney at Law, PRK Partners
This article was originally published in Issue 10.7 of the CEE Legal Matters Magazine.