The amendment to the Czech Cyber Security Act transposing the NIS2 directive brings several changes, including new and tightened obligations and a broader range of obliged entities to which the new legal text will apply. Although transposition in the Czech Republic is only at the beginning of the legislative process, the law is expected to come into force by the end of 2024 (the directive's own transposition deadline is 17 October 2024), so it is time to start preparing for it.
What is NIS2 and how does it relate to the Cybersecurity Act?
The Network and Information Security Directive 2 (NIS2) is a European directive setting out cyber security rules and requirements for network and information systems; it has been in force since January 2023 as the successor to the original NIS directive. Alongside the DORA regulation (Digital Operational Resilience Act) and the CER directive (Critical Entities Resilience), NIS2 is another of the European Union's legislative instruments aimed at enhancing the digital operational resilience and cyber security of all relevant actors operating in the EU.
The final text of NIS2 was published in the Official Journal of the EU on 27 December 2022 in all official languages of the Union, and the Czech Republic was one of the first Member States to start drafting the national law and rules with which obliged entities will have to comply.
NIS2 is implemented in the Czech Republic by an amendment to the Act on Cyber Security prepared by the National Cyber and Information Security Agency (NÚKIB), which published the very first version of the text at the beginning of 2023 and called for feedback from both the public and governmental bodies. After the comments from the inter-ministerial comment procedure had been collected, the text was revised and presented to the government in December 2023. It is, however, still not a final version, and further changes are expected as a result of the standard legislative process.
Who will be affected by NIS2 and the new Cybersecurity Act?
The new rules formulated in the NIS2 directive will apply to providers of regulated services that are established in or operate in the EU and that meet the European Commission's criteria for a medium or large enterprise, i.e. at least 50 employees or an annual turnover (or balance sheet total) above EUR 10 million; a limited set of entities is covered regardless of size. This includes organisations in both the public and private sectors in critical or important sectors, such as electricity producers and distributors, healthcare companies, and providers of electronic communications services. In total, more than 60 services are covered, an overview of which is given below. In the Czech Republic alone, NIS2 will thus affect about 6 000 entities.
NIS2 Directive and its transposition in the Czech Republic
To ensure that the requirements of NIS2 can be effectively enforced once they are reflected in the Czech legal system, the directive provides for a set of supervisory powers and sanctions: administrative fines (for essential entities up to EUR 10 million or 2 % of total worldwide annual turnover, whichever is higher; for important entities up to EUR 7 million or 1.4 %), and other administrative measures such as temporary suspension of a certification or authorisation and a temporary ban on natural persons at management level (e.g. the CEO or legal representative) from exercising managerial functions.
How can we help?
At Deloitte, we offer legal and consulting services related to the new legislation.
LEGAL SERVICES
RISK ADVISORY SERVICES
For many businesses, the adoption of NIS2 mainly means aligning business processes, organisational structure, staffing and the technology stack with the new requirements. We provide our clients with a range of services related to the regulatory environment. In our analyses we use our own proven tools, which enable us to identify gaps effectively and prioritise the individual steps leading to compliance. Examples include the Deloitte NIS2 Maturity Assessment Tool and the NIS2 and Czech Cybersecurity Act Maturity Assessment Tool (currently in preparation).
Once the implementation plan is in place, we typically assist with the implementation itself and with the integration of on-premises and cloud technologies. We see cloud technologies as a significant accelerator of NIS2 adoption in business. We have hands-on experience with small and large-scale implementations of M365, Azure, AWS, GCP and many other cloud-based SaaS services in the cyber security space, as well as with projects that place a strong emphasis on the synergy of security and IT with various business processes.
WE CAN ALSO HELP YOU WITH CYBER RISK MANAGEMENT