Czech Republic: Cybersecurity – Czech Businesses Are Getting Ready for NIS 2

Issue 10.7

Cybersecurity is trending in Czechia again not only because of recent large-scale cyber-attacks targeting important institutions such as hospitals, the Czech public radio, or the national highway directorate (resulting in some of its systems being unavailable for several months) but also due to legislative developments. Specifically, cybersecurity is also making headlines as it is time for many Czech businesses to get ready for the NIS 2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union).

The NIS 2 Directive significantly expands the number of entities regulated by the legislation’s predecessor, the NIS Directive. While recent cybersecurity legislation under the Czech Cybersecurity Act and its implementing decree mostly concerned public bodies, with businesses affected only if they provided critical infrastructure or services, it is now expected that the new obligations under NIS 2 and the Czech implementing legislation will affect at least 6,000 entities. At the same time, the regulated entities will have to comply with an extended scope of mandatory security measures.

The new legislation will affect any entity that fulfills the following two conditions: (1) it will provide a service that is listed in one of the annexes of the directive (such as water, energy, healthcare, transportation but also, for example, the food industry and the production of certain types of equipment, such as IT equipment or motor vehicles), and (2) (with some exceptions) it will have the character of a medium or large business (i.e., a business that employs 50 or more employees or has an annual turnover of at least EUR 10 million or CZK 250 million). NIS 2 then divides regulated entities into essential and important entities. Essential entities provide, among other things, services in the field of digital infrastructure, public electronic communications networks, and publicly available electronic communications services. Important entities are, for example, providers of certain digital services. Also, according to the proposed implementing decree, the National Cyber and Information Security Agency will be able, through a decision of the agency, to designate any other service as regulated if the disruption of such service can cause a serious impact on the lives of more than 125,000 people through threats to life, health, property value, internal order, or the environment.

Regulated businesses will have to take appropriate and proportionate technical, operational, and organizational measures to manage the security risks of their networks and information systems in order to minimize cybersecurity threats. NIS 2 leaves the choice of such measures to the regulated businesses, who should be in the best position to determine such measures, taking into account their internal organization, information systems, and possible risks. NIS 2 only sets out a short list of basic security measures that every regulated person would have to take. These are, in particular, risk analysis policies and information systems security policies, incident resolution, business continuity management and crisis management, supplier security, procurement security, development and maintenance of networks and information systems, policies and procedures to assess the effectiveness of cybersecurity risk management measures, basic cyber hygiene practices and cybersecurity training, policies and procedures regarding the use of cryptography, and, where appropriate, encryption, human resource security, access control procedures, and asset management. The National Cyber and Information Security Agency will be able to subject regulated businesses to inspections, audits, and other measures with the aim of ensuring compliance with the new rules and also impose sanctions for shortcomings (i.e., in most cases, fines). The maximum fine under the draft Cybersecurity Act amounts to CZK 250 million (approximately EUR 10 million) or up to 2% of the net worldwide annual turnover achieved by the infringer, whichever is higher.

EU member states are obliged to implement the NIS 2 Directive into their legal systems by October 17, 2024 at the latest. The National Cyber and Information Security Agency has already prepared a draft of the new Cybersecurity Act and the related implementing decree. The legislation was open to public consultations in early 2023, which resulted in 1,144 comments from the public. These comments were reflected in the updated version of the draft legislation, which has now made its way to the standard intragovernmental comments stage where various stakeholders within the government and other public bodies are able to comment. It is expected that the new legislation should be adopted by mid-2024.

By Michal Matejka, Partner, and Eva Fialova, Attorney at Law, PRK Partners

This article was originally published in Issue 10.7 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

PRK Partners at a Glance

PRK Partners, one of the leading Central European law firms, has been helping clients achieve their business objectives for almost 30 years. Our team of lawyers, based in our Prague, Ostrava, and Bratislava offices, has a unique knowledge of Czech and Slovak law and of the business environment. Our lawyers studied at top law schools in the United States, United Kingdom, Switzerland, and elsewhere. They also have experience working for leading international and domestic law firms in a number of jurisdictions. We speak your language, too. Our legal team is fluent in more than 15 languages, including all the key languages of the region.

PRK Partners has one of the most experienced legal teams on the market. We are consistently rated as one of the leading law firms in the region. We have received many significant honours and awards for our work. We represent the interests of international clients operating in the Czech Republic in an efficient way, combining local knowledge with an understanding of their global requirements in a business-friendly approach. We are one of the largest law firms in the Czech Republic and Slovakia. Our specialised teams of lawyers and tax advisors advise major global corporations as well as local companies. We provide comprehensive legal advice drawing on our profound knowledge of local law and markets.

Our legal advice delivers tangible results – as proven by our strong track record. We are the only Czech member firm of Lex Mundi, the world's leading network of independent law firms. As one of the leading law firms in the region, we have received many national and international awards, in some cases several years in a row. Honours include the Chambers Europe Award for Excellence, The Lawyer and Czech and Slovak Law Firm of the Year. Thanks to our close cooperation with leading international law firms and strong local players, we can serve clients in multiple jurisdictions around the globe. Our strong network means that we can meet your needs, wherever you do business.

PRK Partners has been repeatedly voted among the most socially responsible firms in the category of small and mid-sized firms and was awarded the bronze certificate at the annual TOP Responsible Firm of the Year Awards.

Our work is not only “business”: we have participated on a longstanding basis in a wide variety of pro bono projects and supported our partners from the non-profit sector (Kaplicky Centre Endowment Fund, Tereza Maxová Foundation, Czech Donors Forum, etc.).

Firm's website: www.prkpartners.com