It is estimated that NIS 2, the EU’s new and stricter version of the cybersecurity directive, will affect at least 6000 private and state-owned companies in the Czech Republic, bringing about a plethora of new obligations along with sanctions of up to tens of millions of crowns for those who fail to comply. NIS 2 requirements will be implemented into Czech legislation in 2024, but the time to start preparations is now.
What is NIS 2 and who will be affected?
NIS 2 is an updated version of the EU’s Network and Information Security (NIS) directive on cyber security from 2016. Every EU member state must implement its requirements into its national legislation. In the Czech Republic, the Act on Cyber Security will most likely adopt the new directive’s requirements and obligations in the second half of 2024.
The original directive focused on the security of a very narrow group of institutions with a large impact on society. Its goal now is to ensure the security of everyone who provides services that are important for society’s ability to function. Which services are those? An attachment to the decree on regulated services will provide more details. However, simply being a provider of one such service is not enough.
“The primary way to determine whether a private or public institution falls under the new directive is to see whether it meets both of the following conditions:
- The institution provides at least one of the services listed in the directive’s attachment AND
- It is a medium or large institution, meaning it employs 50+ employees, OR its annual turnover or annual balance sheet total reaches at least 10 million EUR (roughly 250 million CZK)”, says the new website about NIS 2 changes created by the National Cyber and Information Security Agency (NÚKIB).
What new obligations are expected under the updated Act on Cyber Security?
Stricter rules for cyber security management
- Identification of all primary assets across the institution (including their records)
- Identification of primary assets related to the provision of the regulated service and identification of their supporting assets
- Controlling access to assets
- Determining the scope of the security management system
- Creating/updating security policies and security documentation
- A more comprehensive approach to risk management: the obligation to identify risks, to take and evaluate action aimed at risk mitigation, and to assess the implementation of the risk management plan
- Ensuring acquisition, development, and maintenance of networks and information systems
- Emphasis on the security of human resources, regular training, and proper cyber hygiene
- Enforcing policies and procedures on the use of cryptography or encryption
- Use of multi-factor authentication
- Conducting cybersecurity audits
- Reporting of registration, contact, and other details to NÚKIB
- Reporting of cyber security incidents (first report must be submitted within 24 hours)
- Providing information to users of the regulated service (in case of a cyber incident)
- Mutual sharing of important information on cyber security, including information on cyber threats, vulnerabilities, breach indicators, tactics, techniques and methods, configuration tools, and warnings in case of immediate threats to cyber security
Ensuring the security of providers
- Inspecting and ensuring the security of the entire supply chain
- Considering vulnerabilities and quality of procedures of every direct supplier and service provider in terms of cyber security
- Obligation to provide notices and warnings and to implement response measures
- Submitting a subsequent report to NÚKIB on the implementation of measures and the results
More emphasis on incident management
- Emphasis on incident handling (preventing, detecting, and responding to cyber security incidents) and determining the necessary security measures
- Investigating cyber security incidents and determining causes of such incidents
- Keeping records of cyber security incidents and how they were handled
- Making sure obligations are fulfilled and ensuring compliance with implementing legislation in the field of cyber security
- Obligation to implement imposed corrective measures
- Compliance with warnings, binding instructions, or orders issued to entities to remedy identified deficiencies or breaches
- Impact analysis
- Regular back-ups
- Regular testing of continuity and recovery plans
Let us help you reach compliance with the new Act on Cyber Security and related regulations
Stage 1 – analysis
In the first stage, we’ll analyze how you manage your cyber security, including internal rules, plans, and procedures. We will assess your current cyber security level and how the legislation will affect your operations, determining further steps and implementation timelines.
Stage 2 – draft
Stage 2 is about proposing a comprehensive concept for a cyber security management system compliant with the new Act on Cyber Security, complete with appropriate processes, control mechanisms, plans, metrics, and technologies. We will propose strategic initiatives aimed at making you compliant with the legislation and define priorities, the necessary resources, and supporting technology.
Stage 3 – solution
In the last stage, we help you implement a new, functional cyber security management system. We will guide you through changes that will have to be introduced to documentation, processes, and reporting. We’ll update your risk analysis, business impact analysis, and your risk management plan, providing necessary training to your employees. We can also help you implement a Security Operations Centre or fill security-related roles.
Failure to comply with the new Act on Cyber Security can result in data leaks, fines of tens of millions of crowns, and much more. Underestimating preparation can be costly. The time to start is now – and we are happy to assist you.
„I expect NIS 2 to make entities more resilient to cyber threats and, therefore, less vulnerable. It will also be beneficial to straighten all cybersecurity conditions and reduce differences in cybersecurity maturity levels across EU member states.“
Director, Management Consulting KPMG