NIS2 directive and the new Cybersecurity Act

The amendment to the Czech Cyber Security Act, implementing the NIS2 directive, brings several changes, including new and tightened obligations and an expanded range of obliged subjects, to whom the new legal text will apply. Although the transposition of the directive in the Czech Republic is only at the beginning of the legislative process, the law is expected to come into force by the end of 2024, and it is therefore time to start preparing for it.

What is NIS2 and how does it relate to the Cybersecurity Act?

The Network and Information System Directive 2 (NIS2) is a European directive setting out rules and requirements for cyber security and ICT systems and networks, which is in force since the beginning of 2023 as a follow-up to the NIS directive. NIS2 is, alongside the DORA (Digital Operational Resilience Act) regulation and CER directive, another of the European Union's legislative instruments aimed at enhancing the digital operational resilience and cyber security of all relevant actors operating in the EU. 

The final text of NIS2 was published in the Official Journal of the EU on 27 December 2022 in all official languages of the Union, and the Czech Republic was one of the first Member States to start the process of formulating national laws and rules that will have to be complied with.

The implementation of NIS2 in the Czech Republic is ensured by an amendment to the Act on Cyber Security from the National Cyber and Information Security Agency (NÚKIB), which published the very first version of the text at the beginning of 2023 and called for feedback from both the public and governmental bodies. Upon the collection of comments from the inter-ministerial comment procedure, the text was revised and in December 2023 presented to the government. However, it is still not a finalised version, and it is expected that further changes will follow as a result of the standard legislative process.

Who will be affected by NIS2 and the new Cybersecurity Act?

The new rules fomulated in the NIS2 directive will apply to any regulated service providers not only from the EU but also those operating in the EU and those meeting the European Commission's criteria for a medium or large company, i.e. more than 50 employees and a turnover of 10 million euros or more. Including organisations operating in both the public and private sectors and representing critical or important sectors, such as electricity providers and distributors, healthcare companies, and subjects providing electronic communications services. In total, there are more than 60 services, an overview of which is given below. In the Czech Republic alone, NIS2 will thus affect about 6 000 entities.

What will happen if the rules are not followed?

To ensure that the requirements of NIS2 can be effectively enforced once its content is reflected in the Czech legal system, the directive introduces a set of sanctions and controls, including fines, other administrative penalties, such as suspension of the validity of certifications and the performance of management functions.

How can we help?

At Deloitte, we offer legal and consulting services related to the new legislation.

LEGAL SERVICES

  • Legal Impact Analysis: We will assess whether NIS2 would affect your business in any way and advise you on specific steps you need to take to adapt to the new requirements.
  • Legal Advisory: We will provide you with legal advice related to the NIS2 directive, including the basic requirements that apply to you, and suggest how these requirements can be met.
  • Subsidy Advisory: We assess the possibilities of using available funds to support the implementation of relevant cybersecurity measures, both at the European and national levels. We provide other related legal services, including fund eligibility assessments and preparation as well as submission of applications for financial support.
  • Contractual Documentation: We will prepare the necessary contractual documentation required by NIS2 to protect you and your critical information infrastructure.
  • Training and Education: We provide training and education for your organisation's senior staff and statutory bodies so that they can understand the NIS2 directive and its impact and take appropriate measures.
  • Representation: We will represent you in front of public authorities, focusing on the protection of your rights and interests. We also provide other services related to the legislative process - legislative monitoring, impact analysis and strategic planning, and communication with public authorities to promote your organisation's interests.

RISK ADVISORY SERVICES

What the adoption of NIS2 means for many businesses is mainly the need to align the new requirements with business processes, organisational structure, staffing and technology base. We provide our clients with a range of services related to the regulatory environment. We use our own proven tools in our analyses, which enable us to effectively identify gaps and prioritize individual steps leading to compliance. Examples include the Deloitte NIS2 Maturity Assessment Tool as well as the NIS2 and Czech Cybersecurity Act Maturity Assessment Tool (currently in preparation).

  • Maturity Analysis: We will analyse existing processes, applications, and personnel security in the context of the NIS2 directive in your organisation.
  • Implementation Roadmap: We will design and implementation roadmap for NIS2 specifically for your needs, considering the technological and organisational readiness of your company. In terms of technology, we often recommend the use of cloud services and their optimal mix with traditional enterprise ICT (e.g., a combination of AWS, MS Azure, M365 with on-premises infrastructure).
  • Other Technologies: We will conduct an IT, business, and financial assessment of the options to consider. 
  • Proposal of Changes: We will propose specific changes at the level of the whole and individual domains and validate the proposals with you.
  • Implementation Plan: We will prepare a detailed implementation plan for your specific needs, reflecting the cultural and technological environment in your company.

Once the implementation plan is in place, we typically assist with the implementation process and integration of on-premises and cloud technologies. We see cloud technologies as a significant accelerator of NIS2 adoption in business. We have hands-on experience with small and large-scale implementations of M365, Azure, AWS, GCP and many other cloud-based SaaS services in the cybersecurity space, as well as projects that place a strong emphasis on the synergy of security and IT with various business processes.

WE CAN ALSO HELP YOU WITH CYBER RISK MANAGEMENT

  • How do we get involved? Together, we will plan the form and depth of our engagement based on your needs and expectations.
  • Your company context: We will map your organisation, the impact of NIS2 and related cybersecurity laws on your business, together with the staffing, financial, and technological context in your company.
  • Information Gathering: We will gather information about cybersecurity in your organization, specifically in relation to ICT assets, related threats, job roles and procedures, and other aspects.
  • Security Risks: We will identify cybersecurity risks relevant to your organisation.
  • GAP Analysis: We will perform a GAP analysis comparing the current state of cybersecurity with the desired target state (i.e., full compliance with NIS2 or the Cybersecurity Act).
  • Security Measures: Together, we will implement cyber security measures to mitigate prioritized risks.
  • Quality Check: We will adjust the measures and capture the lessons learned. We will make sure that the measures put in place are sustainable and will be reviewed regularly.