NIS2 implementation: Involve not only IT specialists, but also other experts

The transposition of the European NIS2 Directive into the Czech legislation should be completed by mid-2024. The directive will be reflected in the new Cybersecurity Act (CSA) and related decrees and will affect approximately 6,000 companies that have not had to deal with the legal requirements for cybersecurity in practice so far. These companies will have to implement a number of measures to comply with obligations arising from the new regulation. It will be essential to involve not only IT specialists but also other experts in the whole process.

Companies affected by NIS2 and CSA

The roughly 6,000 companies mentioned above include medium and large enterprises and some other companies regardless of their size in a total of 60 services divided into 18 sectors. The services include online marketplace providers, internet search engines, ICT service providers, cloud computing providers, as well as services from “traditional sectors”, such as energy, transport, healthcare, water supply, or food processing.

Measures companies will have to comply with

Companies affected by the regulation will have to comply with two sets of measures. The first set consists of security measures, which include providing a minimum level of cyber security, distributing security roles, establishing processes for handling cyber security incidents, maintaining documentation, or managing suppliers and access. The latter set consists of technical measures, which include using cryptographic algorithms or ensuring service availability. New rules on data localization are also defined. The scope of new obligations depends on whether the relevant entity falls under the lower or higher obligation regime.

Penalties for non-compliance with measures

Failure of a company to comply with the relevant obligations carries a heavy fine – up to CZK 250 million or 2% of the net worldwide annual turnover.

New and specific liability of statutory bodies

Statutory bodies (e.g. the executive director of a limited liability company, the administrative board, or the board of directors of a joint stock company) should pay particular attention to the implementation of requirements set out in the new regulation, as the proposed wording of the CSA imposes new liability on them.

Pursuant to the draft of the CSA, the National Cyber and Information Security Agency (NCISA) may carry out cyber security inspections in a company that is subject to the regulation. If the NCISA finds deficiencies in the course of an inspection, it may order remedies to the relevant company, and the company is obliged to implement them and comply with them.

However, if the company

  • is an entity falls under a higher obligation regime and
  • does not comply with or implement the remedy and
  • this failure is caused by a serious or repeated failure to perform an obligation while exercising a management position, e.g. by a member of the statutory body,

the court may, on the basis of a petition filed by the NCISA, prohibit that person from exercising the management position for a period of at least 6 months until the remedy is complied with. Therefore, if the company fails to comply with obligations in accordance with the regulation, persons in management positions will suffer direct consequences. In addition, a decision on the suspension of a management position will be published on the NCISA’ s website.

Pursuant to the NIS2 Directive and the draft decrees for the new law, the top management of the companies affected by the regulation must also attend regular training on cyber security. The statutory body has also a number of other powers, such as providing security policies, informing employees, participating in the preparation of analyses, and adopting security measures.

Therefore, requirements of the NIS2 Directive and CSA may not be shifted solely to the IT department. The regulation is extensive and requires a new technological, procedural, and legal environment.

To implement the requirements of the CSA, you must first determine whether the new regulation applies to your company. As the self-application rule applies, each potentially regulated entity must evaluate its status. Further, it is necessary to define specific obligations that apply to your company and risks that arise from them and implement the necessary measures – namely technological ones, related to documentation modification, process management, incident reporting, or training.

The most effective way to ensure proper implementation is to engage legal, IT, and compliance experts. Such a one-stop shop will ensure effective implementation of all aspects. A well-chosen implementation team can help you with supplier management, corporate governance, or risk analysis. Experts will also evaluate the impact on all other documentation, including contractual documentation and internal regulations, and amend them accordingly. Experts will also assess complementarity with other regulations that apply to your company and evaluate the current decision-making practice of the authorities or courts to avoid potential issues. IT experts will prepare a technological solution and assess the impact of this solution on all affected technologies.

Cybersecurity dReport newsletter

Upcoming events

Seminars, webcasts, business breakfasts and other events organized by Deloitte.

    Show morearrow-right