NIS 2: Who will be affected and what new obligations are coming?

It is estimated that NIS 2, the EU’s new and stricter version of the cybersecurity directive, will affect at least 6000 private and state-owned companies in the Czech Republic, bringing about a plethora of new obligations along with sanctions of up to tens of millions of crowns for those who fail to comply. NIS 2 requirements will be implemented into Czech legislation in 2024, but the time to start preparations is now.

NIS 2 is an updated version of the EU’s Network and Information Security (NIS) directive on cyber security from 2016. Every EU member state must implement its requirements into its national legislation. As for the Czech Republic, the Act on Cyber Security will adopt the new directive’s requirements and obligations in the second half of 2024, most likely.

The original directive was focused on the security of a very narrow group of institutions that have a large impact on society. Now, its goal is to ensure the security of everyone who provides services that are important for society’s ability to function. Which services are those? An attachment to the decree on the regulated services will provide more details. However, simply being a provider of one of such services is not enough.

"The primary way to determine whether a private or public institution falls under the new directive is to see whether it meets both of the following conditions:

• The institution provides at least one of the services listed in the directive’s attachment AND
• It is a medium or large institution, meaning it employs 50+ employees, OR its annual turnover or annual balance sheet total reach at least 10 million EUR (roughly 250 million CZK)”, says the new website about NIS 2 changes created by the National Cyber and Information Security Agency (NÚKIB).

Stricter rules for cyber security management

• Identification of all primary assets across the institution (including their records)
• Identification of primary assets related to the provision of the regulated service and identification of their supporting assets
• Controlling access to assets
• Determining the scope of the security management system
• Creating/updating security policies and security documentation
• More comprehensive approach to risk management, the obligation to identify risks, to take and evaluate action aimed at risk mitigation, to assess the implementation of the risk management plan
• Ensuring acquisition, development, and maintenance of networks and information systems
• Emphasis on security of human resources, regular trainings, and proper cyber hygiene
• Enforcing policies and procedures on the use of cryptography or encryption
• Use of multi-factor authentication
• Conducting cybersecurity audits

Information sharing

• Reporting of registration, contact, and other details to NÚKIB
• Reporting of cyber security incidents (first report must be submitted within 24 hours)
• Providing information to users of the regulated service (in case of a cyber incident)
• Mutual sharing of important information on cyber security, including information on cyber threats, vulnerabilities, breach indicators, tactics, techniques and methods, configuration tools, and warnings in case of immediate threats to cyber security

Ensuring the security of providers

• Inspecting and ensuring the security of the entire supply chain
• Considering vulnerabilities and quality of procedures of every direct supplier and service provider in terms of cyber security

Implementing countermeasures

• Obligation to provide notices and warnings and to implement reactionary measures
• Submitting a subsequent report to NÚKIB on the implementation of measures and the results

More emphasis on incident management

• Emphasis on solving incidents (preventing and uncovering cyber security incidents and responding to them), determining necessary security measures
• Investigating cyber security incidents and determining causes of such incidents
• Keeping records of cyber security incidents and how they were handled

NÚKIB oversight

• Making sure obligations are fulfilled and ensuring compliance with implementing legislation in the field of cyber security
• Obligation to implement imposed corrective measures
• Compliance with warnings, binding instructions, or orders issued to entities to remedy identified deficiencies or breaches

Continuity management

• Impact analysis
• Regular back-ups
• Regular testing of continuity and recovery plans

Stage 1 – analysis

In the first stage, we’ll analyze how you manage your cyber security, including internal rules, plans, and procedures. We will assess your current cyber security level and how the legislation will affect your operations, determining further steps and implementation timelines.

Stage 2 – draft

Stage 2 is about proposing a comprehensive concept of cyber security management system compliant with the new Act on Cyber Security, complete with appropriate processes, controlling mechanisms, plans, metrics, and technologies. We will propose strategic initiatives aimed at making you compliant with the legislation, define priorities and necessary resources, and supporting technology.

Stage 3 – solution

In the last stage, we help you implement a new, functional cyber security management system. We will guide you through changes that will have to be introduced to documentation, processes, and reporting. We’ll update your risk analysis, business impact analysis, and your risk management plan, providing necessary training to your employees. We can also help you implement a Security Operations Centre or fill security-related roles.

Offences related to failure to comply with the new Act on Cyber Security can cause data leaks, lead to fines of tens of millions of crowns, and much more. Underestimating preparation can be costly. The time to start is now – and we are happy to assist you.