Směrnice NIS2 navazuje na existující regulaci, která v případě ČR momentálně dopadá na asi 600 společností. Nová legislativa rozšíří povinnosti v oblasti kybernetické bezpečnosti na nesrovnatelně větší okruh subjektů. Za cíl si klade razantní posílení ochrany podnikatelů i státních organizací ve virtuálním prostředí. Jak náročná bude implementace vyhlášky? Jak vysoké náklady s sebou potřebná technická, provozní a organizační opatření ponesou? Odpoví Jan Zajíček, partner Grant Thornton.

The NIS2 Directive builds on existing regulation, which in the case of the Czech Republic currently affects about 600 companies. The new legislation will extend cybersecurity obligations to an incomparably larger range of entities. It aims to significantly strengthen the protection of entrepreneurs and state organisations in the virtual environment. How challenging will the implementation of the decree be? How much will the necessary technical, operational and organisational measures cost? Answered by Jan Zajíček, Partner at Grant Thornton. 

“The impact of the directive will be huge. Let us remember that we are talking about thousands of entities. In the case of the largest ones, the investment costs can amount to hundreds of millions of crowns and the operating costs to tens. Compared to NIS2, even the GDPR is small in terms of implementation costs. In addition, the new rules will also apply to segments that practically have not addressed cybersecurity until now. Although the implementation of the new mechanisms can be very challenging for companies in these areas (e.g. food or waste management), I am convinced that the unification of the rules that NIS2 brings in the area of cybersecurity was necessary. It is not only the conflict in Ukraine that has shown that addressing cyber threats is essential to improving the security of all citizens in the Czech Republic.

In view of the fact that there is already a shortage of specialists on the market who are able to provide the necessary solutions, we appeal to the companies concerned not to delay implementation. For easier orientation in this complex issue, we have prepared FIVE BASIC QUESTIONS AND ANSWERS TO NIS2 with Michal Moroz, Executive Director of the Association of Critical Infrastructure of the Czech Republic,” Jan Zajíček concludes. 

1.    Why is NIS2 being discussed so much? 

Because it is the second European legal standard after GDPR that will affect almost all medium and large businesses on an EU-wide scale. In doing so, it will entail significant costs associated with the implementation of technical, operational and organisational measures, which should result in a significant strengthening of cyber protection for businesses and state organisations in the EU. 

2. Who will the new rules apply to? 

This is only partially clear at the moment. The minimum range of obliged entities is set by the NIS2 Directive itself, however, this range can be further expanded at national level and the National office for Cyber and Information Security (NCIB) has clearly declared that it will make use of this option. What is certain is that the new rules will apply to all Critical Infrastructure Operators (identified under another new European CER Directive), all operators providing certain enumerated services (regardless of their size) and most medium and large enterprises in 18 key sectors (with more than 50 employees and/or a turnover of more than EUR 10 million per year). However, the final circle of obliged persons will undoubtedly be expanded to include smaller organisations operating in some of the critical sectors.

3. Does NIS2 represent an evolution or a revolution? 

That depends on for whom. For critical infrastructure entities that are subject to obligations under the current law and are already accustomed to managing cyber risks in accordance with the law, this will be more of an evolution. For the newly designated businesses, however, these will be revolutionary changes. The law will introduce two regimes of obligations – higher and lower. The differences will be mainly due to different levels of risk, different levels of government requirements and the way, in which compliance is monitored. 
 
While the specific criteria for inclusion in the higher category are set out in the Decree, for simplicity it can be said that current obligors will fall into the higher obligation regime. A key responsibility will be to determine the scope of cybersecurity governance. If a regulated service provider fails to take this step, the entire organization will be considered to be within the scope of cybersecurity management. Subsequently, the organisation shall adopt the security measures detailed in the decrees for each individual scheme. 
 
The security measures laid down for the higher obligations regime will be based on the existing legislation. The basic principle will be to map the environment, identify the assets necessary to ensure the operation of the regulated services, conduct a comprehensive risk assessment and implement appropriate measures to reduce the risks to an acceptable level. For the lower obligation regime, the Decree provides for rules that are simpler, less demanding and do not require more than the necessary level of analysis.

4. What can we prepare for?

Within 90 days of the Act coming into force, each organisation will self-assess if it meets the criteria of a regulated service provider and, if so, will be required to register on the NCIB portal. The portal will also be used to report incidents. Compliance checks will be different in the two regimes. The NCIB will continue to carry out inspections under the enhanced duties regime. Under the regime of lower obligations, organisations will be obliged to arrange regular inspections at their own expense by authorised inspectors, whose activities will be supervised by NCIB. 
 
In case of identified deficiencies, NCIB will be entitled to impose corrective measures to eliminate the identified deficiencies, in more serious cases it will be entitled to issue a warning or impose a sanction. In the case of offences, the NCIB will be entitled to impose fines, the upper limit of which is based on the requirements of the NIS2 Directive. In the regime of higher obligations, the forthcoming legislation also envisages other penalties, including suspension of the validity of certification and suspension of a natural person’s management function, which will be decided by a court on the basis of a proposal by the NCIB.  

5. When to start preparing?

Right away, in the ideal case. This is despite the fact that the new Cybersecurity Act is currently still awaiting the entire legislative process. However, the NCIB has been communicating very transparently about its preparation and in January 2023 published the paragraph text including draft implementing decrees. The proposals will undoubtedly undergo partial changes, but the essential parameters are defined by the European Directive, so they are already clear today. 
 
The main reason for not postponing the solution is the lack of cyber and information security experts. The introduction of new rules on a pan-European scale will exacerbate this problem, as it will lead to a significant increase in the demand for these experts and their price will rise as the supply decreases. So whether you decide to build your own in-house team or rely on the help of external specialists, do not hesitate and select them before someone else acquires them.