Cybersecurity regulation today is becoming increasingly complex and companies are forced to adapt quickly to new requirements. We bring an overview of the current situation and upcoming changes in cybersecurity that may affect many companies.
Unfortunately, cybersecurity is still an underestimated topic in many companies. In practice, we see cybersecurity being handled by IT managers or system administrators for whom it is not a primary task. One reason may be that when cybersecurity is at a good level, incidents usually do not occur and the work in this area is not visible at first sight: attackers who meet resistance during initial reconnaissance typically move on to more vulnerable targets, so a well-defended company sees few attacks and little evidence of the effort that keeps it that way. This can lead to a lack of motivation on the part of company management to improve it further and to a general lack of understanding of the important role cybersecurity plays in protecting corporate integrity.
Ambiguous KPIs in companies
Another problem is that cybersecurity is not a job that is easily measurable and visible. In many companies, key performance indicators (KPIs) are not set up to take cybersecurity into account as one of the relevant areas. We see well-set KPIs as one of the key factors enabling companies to comply with the new legislation that is fast approaching and likely to come into force within the next year.
Effective KPIs should be specific enough to provide a basis for informed business decisions. In particular, it is important to focus on cybersecurity-related indicators whose values can be used to demonstrate how the company and its management have discharged their responsibilities. Overly general metrics that do not give a comprehensive view of the situation should be avoided. For example, tracking the sheer number of attacks detected on a company’s infrastructure is not sufficient in itself: it only measures the system’s ability to detect threats, and says nothing about the response to them or the effectiveness of preventive measures. For better risk management and for limiting liability, it is more appropriate to set KPIs that relate the total number of detected attacks to the share that was prevented or resolved through the company’s reactive measures. By taking this approach to KPIs, a company can not only respond better to security threats but also make more informed decisions, prepare more effectively for upcoming regulatory changes, and identify gaps.
Increased accountability of corporate management
Getting cybersecurity key performance indicators (KPIs) right is doubly important for modern businesses. Primarily, they serve to improve the actual performance of security measures; on top of that, they also play a key role in protecting management and the entire company from potential legal liability. This second role is becoming increasingly important in light of anticipated legislative changes that bring extended duties and increased liability for the executives and statutory bodies of companies (and other entities).
The new legislation, as currently proposed, imposes a number of specific obligations on company management. These include, for example, the need to undergo security awareness training, establish clear security policies, inform employees about the importance of information security and ensure that cyber incident response plans are regularly tested. These obligations are just a selection of the wider range of new requirements that will be placed on businesses.
Compliance with this new legislation will fall under the oversight of the National Cyber and Information Security Agency (in Czech NÚKIB). This authority will have the power not only to identify deficiencies in companies’ security measures but also to order corrective measures. Where a company does not comply with NÚKIB’s corrective orders and does not remedy the identified deficiencies, serious sanctions may be imposed. One of these is the possibility of temporarily suspending a member of the statutory body for a minimum period of six months.
Financial penalties for non-compliance with cybersecurity obligations can be very costly for companies. Maximum fines can reach up to CZK 250 million or 3% of a company’s worldwide turnover, whichever is higher. This rule poses a particularly significant risk for large multinational corporations, where 3% of global turnover can amount to staggering sums.
In that context, it turns out that carefully set KPIs can serve not only as a tool for improving security processes but also as an important element in the risk management and compliance system.
Developments in cybersecurity trends in the EU
The current development of cybersecurity regulation is no accident. Just take a look at the recently released report of the European Union’s Agency for Cybersecurity (ENISA), which analyses security incidents in the EU. This timely document, covering the period from September 2023 to September 2024, provides an assessment of the threats in European cyberspace. Several key trends can be highlighted from the comprehensive report that justify the current regulatory developments.
For example, the report states that the most affected sectors (apart from public administration) include transport, banking and finance, digital infrastructure and manufacturing. The attack type most commonly used is DoS/DDoS, which consists of overwhelming the target system with a huge number of requests from either a single source (DoS) or many sources (DDoS). This type of attack accounts for almost half of all incidents, which is not surprising given that it is relatively simple to mount from the attacker’s perspective. Next come ransomware attacks, in which attackers gain access to the victim’s system, encrypt the data, and demand payment for its decryption. ENISA also notes the growing influence of artificial intelligence and large language models on the evolution of cybersecurity threats. These tools can make attackers’ work much easier and more efficient, including by making attacks more creative and accessible to less experienced individuals.
NIS2 Directive and its implementation
Understandably, the sectors most affected by security incidents largely correspond to the categories of regulated entities under the NIS2 Directive. In this context, the expected Czech implementation in the form of the new Cybersecurity Act and related regulations can be seen as a necessary and long-awaited response to concrete and real threats.
However, the current legislative process suggests that we will have to wait some time for the final Czech regulation. It is unlikely that a new Cybersecurity Act will be adopted this year. The draft law is currently in the comment phase, with the most controversy surrounding NÚKIB’s extensive powers to examine supply chain security and to prohibit performance by a particular supplier. These concerns have been expressed by major business organisations such as the Association of Mobile Network Operators and the Chamber of Commerce. Critics also point out that the Bill goes beyond the obligations set out in the NIS2 Directive and shows signs of ‘gold-plating’, i.e. extending the powers set out in the Directive when transposing it into national law. They note that countries that have already transposed the Directive into their legal systems (e.g. Belgium) have followed its text much more faithfully than the Czech legislator.
The scope of NIS2 as a key issue
Although the final text of the new Cybersecurity Act is not yet available, companies can and should already be preparing for the new obligations. In our experience, the scope of the NIS2 Directive and the future Cybersecurity Act is not always as clear-cut as it might first appear. Clients often do not know whether the new regulation will apply to them or, conversely, assume that it applies even when it may not. It is therefore important to check carefully at the outset whether and how the regulation will affect a particular entity. This helps companies avoid the unnecessary cost of implementing measures that are not relevant to them. Regulatory scoping is a crucial but often underestimated stage of preparation.
The application of the obligations to subsidiaries within business groups deserves particular attention. Subsidiaries in which a parent company has a decisive influence usually meet the size criterion for the application of the regulation, because that criterion is assessed from a group-wide perspective. The criterion of services provided is less clear, however. Subsidiaries often do not provide the services covered by the NIS2 Directive, whereas their parent companies do; in that case, the subsidiary need not be subject to the new rules at all. Conversely, if only the subsidiary provides the regulated service, the parent company may not be affected by the new regulation at all. The new draft Cybersecurity Act contains a special provision for these situations.
(In)sufficient level of cybersecurity of Czech companies
Another interesting finding is that many clients are not aware that their current level of cybersecurity already meets the requirements of the expected legislation. In such cases, we help them consolidate existing measures and document them against the future obligations arising from the new legislation. We continuously monitor the development of the draft law and related decrees and are able to react quickly to new requirements and assist companies with their implementation.
It is evident that cybersecurity is becoming a strategic priority for companies of all sizes and sectors. With new regulations looming, it is high time to rethink our approach to this area. Companies that take a proactive approach to cybersecurity and prepare for new regulatory requirements will have a significant competitive advantage at a time when digital security plays a key role in business success. Our goal is to help clients focus on their core business, knowing that they can handle one of the most extensive regulations in recent years without undue complications.