NIS2 Directive and the new Bill on Cybersecurity


What is the NIS2 Directive and from when does it apply?

The NIS2 Directive is an EU directive that imposes strict new requirements on certain companies and Member States in the area of cyber security. This is the EU's response to the massive increase in the damage caused to European companies by cyber-attacks.

NIS2 must be transposed into national law by EU Member States by 18 October 2024. The requirements apply from that date.

A transpositional bill is being prepared in the Czech Republic and is expected to come into force in October 2024.

When does your company fall under NIS2?

Condition 1: Minimum size

  • EUR 10 million annual turnover, or
  • 49 employees

Please note:
For conglomerates: the data are aggregated together for the group as a whole. For particularly critical companies, sub-threshold applicability is possible!

Condition 2: Activities in the EEA
The company must be active in the EEA.

Please note:
Establishment in the EEA is not a requirement; activity in the EEA is sufficient!

Condition 3: Regulated services
The company provides regulated services.

Attention: Even "regulated" minor services provided by a company are (usually) sufficient for regulation!

In particular, the following are considered critical sectors:

  • Electricity
    Production, supply, storage, and sale of electricity, oil, gas, hydrogen, etc., including electronic refuelling stations.
  • Mechanical engineering, electrical equipment, automotive
    Manufacture and assembly of machinery, apparatus, and vehicles, including spare parts.

  • Healthcare
    Medical services, laboratories, production of medicines, medical devices, pharmaceuticals.
  • Digital infrastructure
    Including trust services, data centres, cloud computing, communications networks, and services (SaaS, IaaS, etc.).
  • Banks and financial markets
    Please note: Special regulation (DORA) applies here!
  • Chemical industry
    Production and trade of fuels, mixtures, and chemical products.
  • Food industry
    Wholesale, industrial production, and processing.
  • Waste management
  • Public administration
  • Online platforms
  • Postal and courier services
  • Research facilities
  • Transport
    Air, rail, ship, road, and space transport.
  • B2B IT services
    Including intra-group services.
  • Drinking and wastewater
  • Other definitions in national transposition legislation

Warning: definitions are complex and often very broad!

Indirect applicability:

The contractors of the companies concerned may be indirectly affected by NIS2 as part of the supply chain: the companies concerned must contractually impose cybersecurity obligations on them under NIS2.

What requirements must the companies fulfil?

Companies subject to NIS2 must comply with the following obligations, among others:

Registration required:
The companies concerned must register with the National Office for Cyber and Information Security (NÚKIB) - in the Czech Republic this should happen by the end of 2024 at the latest.

Please note:
Different requirements may apply in other countries, e.g., earlier registration deadlines (Hungary).

Notification duty in the event of a cyber incident:
A significant cyber-attack or other cyber incident must be reported to the relevant authority within 24 hours of discovery.

Subsequent reports must be made within 72 hours, one month after the incident is resolved, and at any time upon request.

Preventive risk management measures:
Companies must take measures to mitigate and manage cyber risk to their own systems.

Measures must be proportionate to the company and the risks. The state of the art, relevant standards (e.g., ISO), and the reasonableness of costs serve as the reference for what is proportionate.

Compliance with the relevant risk measures must be demonstrated to the authorities upon request. Some companies are expected to be subject to regular security audits.

Attention: ISO alone is not enough!

Examples of measures:

  • Role and responsibilities of statutory bodies
  • Cyber hygiene and security in human resources
  • Asset management
  • Cryptography and encryption
  • Risk analysis, risk management, and system security processes
  • Regular training and awareness raising on cyber security for employees and governing bodies
  • Security in the acquisition, development, operation, and maintenance of IT systems
  • Business continuity and crisis management, including backup and recovery concepts
  • Access control, access authorization, password management, and multi-factor authentication
  • Cybersecurity in the supply chain, including reviewing and adjusting contracts with suppliers and service providers
  • Guidelines and procedures for dealing with cyber security incidents
  • Environmental and physical security of systems

Note: Additional requirements may be specified for specific sectors.

What are the responsibilities of the company management?

The regulation explicitly states that cybersecurity is the responsibility of the company's management. The following duties are therefore expressly addressed to the management bodies of the companies concerned (the board of directors, the managing directors, the supervisory board, etc.):

Monitoring implementation:
The management bodies must approve the above risk management measures and monitor their implementation. This task cannot be delegated.

The management bodies will be personally liable for any damage caused by a breach of this obligation.

Mandatory training:
Management bodies must regularly receive training in cyber security management.

The content of the training must also cover the cyber risk management measures specific to the company.

Consequences of non-compliance

The new regulation provides for strict consequences in case of non-compliance:

Administrative fines:
The fines can be up to €10 million or 2% of the group's worldwide revenues (whichever is higher).

Supervisory measures:
The competent authority for cybersecurity may carry out control measures or have them carried out by external auditors at any time.

The NÚKIB may order the infringement to be remedied by an official notice.

In the event of an imminent threat, the activities of some organizations may be temporarily banned or their leadership removed.

Management Responsibility:
The management bodies will be held personally liable for any breach of their obligations. This responsibility cannot be delegated.

By Jaroslav Tajbr, Partner, Eversheds Sutherland