03
Tue, Dec
29 New Articles

Czech NIS2 Implementation: Engage a Diverse Group of Professionals, Not Just IT Guys

Czech NIS2 Implementation: Engage a Diverse Group of Professionals, Not Just IT Guys

Czech Republic
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Anticipated completion of the European NIS2 Directive's integration into Czech law is set for late 2024, facilitated by the new Czech Cybersecurity Act (CSA) and associated decrees. This legislative shift will impact an estimated 6,000 to 10,000 Czech companies, formerly exempt from cybersecurity regulations, necessitating the adoption of measures for compliance. Since the CSA is a complex legal regulation, it is advisable to engage a spectrum of experts, extending beyond IT to include legal and compliance professionals, in this transformative process.

The spectrum of potentially affected companies generally encompasses medium to large enterprises across 60 services and almost 20 sectors. These services span from ICT and digital services providers to traditional sectors such as energy, transport, healthcare, water supply, automotive and food processing.

Compliance Measures

Companies falling under the regulation are mandated to adhere to several sets of measures. The first set encompasses organizational and operational measures, ensuring a baseline of cybersecurity, defining security roles, establishing incident-handling processes, maintaining documentation, and managing suppliers and access. The second set involves technical measures, such as using cryptographic algorithms and ensuring service availability. The extent of obligations depends on whether the entity falls under a lower or higher obligations regime, as defined by the law.

Penalties 

Companies failing to comply with the stipulated obligations may face substantial penalties, including fines of up to EUR 10 million or 2% of the net worldwide annual turnover.

Moreover, managers, including executive directors or Board of Directors members, bear the direct accountability of closely overseeing the implementation, given the CSA's proposal of personal liability. The National Cyber and Information Security Agency (NÚKIB) may conduct cybersecurity inspections, potentially resulting in the prohibition of individuals from exercising management positions. According to the CSA and NIS2 Directive, top management must regularly undergo cybersecurity training.

Implementation and Expert Engagement

Implementing the CSA necessitates a meticulous evaluation of regulatory applicability, definition of specific obligations, and execution of required measures. A recommended approach is to involve a team of legal and IT experts for effective implementation, covering aspects like supplier management, corporate governance, risk analysis, documentation modification, process management, incident reporting, and training.

By Jaroslav Tajbr, Partner, Eversheds Sutherland

Eversheds Sutherland at a Glance

Eversheds Sutherland with offices in Bratislava and Prague and as part of an international network, provides comprehensive legal advice also in foreign jurisdictions.

Our team consists of a total of more than 40 lawyers in the Czech Republic and Slovakia, most of whom have previously worked at major international and local law firms and have extensive experience in particular in the areas of corporate law, including mergers and acquisitions, capital markets, real estate, employment law, competition law, litigation and arbitration, energy, infrastructure, as well as environmental and ESG law.

Our advisory services are offered in Slovak, German, Czech and English language. Members of our team include attorneys registered with the Austrian Bar Association. On this basis, and because we are part of Eversheds Sutherland, we are also able to offer extensive legal support on various foreign legal issues.

We listen to our clients, we understand their business and we also understand what they need. So we can always find the best solution for the particular situation. We work quickly, efficiently and take responsibility for our work.

Firm's website.