New cyber security framework: What does the Czech Cybersecurity Act bring?

The past year has brought a number of changes in the field of cybersecurity regulation, both at the EU and national level. In January, the European Regulation on Digital Operational Resilience of the Financial Sector (DORA) became binding, followed by the EU Data Act in September, and in November, the domestic Cybersecurity Act, replacing the original 2014 regulation, came into force.

This Act and its implementing decrees transpose the 2023 amendment to the European Network and Information Security Directive (NIS2) into the Czech legal system. NIS2 responds to the growing sophistication of cyber threats and the need for a uniform approach across the EU.

Extension of scope: thousands of new obliged entities

While the original legislation concerned only a few hundred strategic organizations, the new law affects thousands of companies and institutions. The criterion for application is not only the industry but also the size of the organization. The obligations apply to medium-sized and large enterprises with 50 or more employees or an annual turnover of more than €10 million that operate in key sectors, ranging from energy and transport through health care to digital services, food and waste management. According to estimates by the National Cyber and Information Security Authority (NÚKIB), which is responsible for the law, the number of regulated entities will increase to more than 6,000.

Two modes of obligations

The Cybersecurity Act introduces a dual regime of obligations, higher and lower, depending on the size and importance of the entity concerned. Both regimes require organisational and technical measures, such as risk management, business continuity assurance, security incident reporting, and identity and access management. Top management must be actively involved in cybersecurity governance, including mandatory training. The Cybersecurity Act and its implementing decrees set out in detail which measures need to be introduced.

Penalties for non-compliance

The new law also introduces stricter sanctions. In the event of non-compliance with the obligations, there is a fine of up to CZK 250 million or 2% of the global annual turnover, whichever is higher.

The implementation of the Cybersecurity Act requirements is not a matter of days. It takes time and investment to put the right processes in place. Deloitte can help you assess your current state of readiness and identify potential gaps. The recommended procedure is to perform a gap analysis, draw up an action plan and then implement the measures in practice.
