NIS2 is coming
What is the NIS2 Directive?
This is a new European Union directive that will develop and complement the current rules for ensuring cyber security.
The text of the NIS2 Directive has already been politically agreed upon and should be officially promulgated by the end of 2022. EU Member States, including the Czech Republic, are obliged to transpose the new provisions into their laws by mid-2024 at the latest.
Impact of NIS2 in the Czech Republic
The Czech law on cybersecurity will be amended quite significantly. So will its implementing decrees. And the National Cyber and Information Security Agency (NUKIB) will begin to designate new obliged persons who will be obliged to comprehensively manage security risks.
There will be a lot of both: security risks, and new obligated persons.
Three main changes to NIS2
The main changes introduced by the NIS2 Directive compared to the current law on cybersecurity can be divided into three groups:
- The range of private and public sector entities that will need to address cybersecurity systematically will increase significantly
- The security that mandatory entities will have to put in place will be expanded and specified
- Fines for breaches of the Cybersecurity Act will be increased
From 400 to 6,000!
In the Czech Republic today, there are approximately 400 mandatory entities and organizations that must comprehensively manage cybersecurity according to the law and the decree on cybersecurity.
NIS2 will increase this number significantly! The NUKIB estimates that from 400 we will get somewhere near 6,000 obliged entities from both the public and private spheres.
What is the cause of this? A combination of two factors: the expansion of the sectors that will be affected by the cybersecurity obligations, and the expansion of the scope of businesses within each sector that will be covered by the new regulation.
Today's Cybersecurity Act applies to the following sectors:
- Energy
- Transport
- Banking
- Financial markets infrastructure
- Healthcare
- Water management
- Digital infrastructure
- Chemical industry
None of these sectors are disappearing from NIS2. On the contrary, new areas of activity are being added in which cybersecurity will also need to be systematically addressed, for example:
- Food production, processing, and distribution
- Postal and courier services
- Waste management
- Public administration - central authorities, regions, and larger municipalities
- Manufacture of certain products, e.g. medical devices, computers, electrical equipment, motor vehicles, etc.
- Digital service providers of online marketplaces, internet search engines, and social networks
In addition to the expansion of sectors, the threshold at which an organization will have to deal with cyber security will also be lowered. According to NIS2, this should be any business that has more than 50 employees or has an annual turnover of more than €10 million.
In other words, an organization that is involved in food distribution, providing healthcare services, manufacturing vehicles, or providing courier services and has more than 50 employees will need to implement a fairly comprehensive cybersecurity management system, together with the corresponding organizational and technical measures.
NIS2: technical and security measures
The current NIS Directive describes the mandatory security measures only in general terms: it states merely that these should be appropriate and proportionate technical and organizational measures to manage security risks.
NIS2 is much more specific. It sets out the categories and types of measures that obliged persons will have to implement. These include, for example, conducting a cyber risk analysis, adopting a cybersecurity policy, managing cyber incidents, ensuring supply chain security, rules for the operation and development of information systems, etc.
In addition, the European Commission will be able to issue implementing legal acts to specify, develop or adapt the content of individual measures in the light of technological developments and current threats.
Czech law, in particular the decree on cyber security, already describes the necessary security measures in greater detail, including, for example, requirements for personnel security. However, after the official publication of the NIS2 directive, these parts of our regulation will certainly be revised and adjusted to make them more relevant to the NIS2 requirements and the current security situation.
Fines for violation of NIS2?
And what if an obligated person fails to implement the cybersecurity management requirements? Or implements them only partially, incompletely, or only for appearances' sake? Just like today, it will face fines for doing so. But these fines, too, will increase significantly.
Violations of today's Cybersecurity Act are punishable by a fine of up to CZK 5 million. However, after the introduction of the NIS2, the upper limit of the penalty for the most serious violation will be set at 10 million euros (roughly 250 million crowns) or 2% of the global turnover of the company in question.
This is a roughly 50-fold increase.
Cybersecurity and Human Resources
The most common cause of cyber incidents is human failure: negligence, ignorance, or even the malicious intent of an employee. Therefore, no cybersecurity system can be complete without sufficient personnel security measures.
Are you covered by the Cybersecurity Act?
Will you be affected by the new NIS2 Directive?
Do you want to secure your assets, sensitive information, and information and communication systems and tools?
Then you should also address the credibility of your employees and job applicants.
Next time, we'll look at how to vet job applicants in a smart, systematic, and effective way: who in an organization is responsible for selecting the right (or the problematic) employee, and what the legal limits are for verifying job applicants.