The new Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) entered into force on 16 January 2023. It builds on its predecessors and at the same time expands both the number of obliged entities and the scope of their obligations.
The entry into force of the Directive created an obligation for Member States to transpose the NIS 2 Directive into their national legal orders. Member States must comply with this obligation by 17 October 2024 at the latest.
Draft of a completely new Cyber Security Act
The changes introduced by the NIS 2 Directive are so fundamental that the Czech Office for Cyber Security (NÚKIB) approached this task by preparing a completely new Cyber Security Act together with its implementing decrees, which it submitted to the public for comments and discussion.
This is the first proposal by NÚKIB, prepared shortly after the official publication of the NIS 2 Directive. It can be expected that the draft regulations will be amended, both on the basis of public comments and in the course of the standard legislative process.
Major changes in regulation
Expansion of the number of obliged entities
Estimates put the number of obliged entities at at least 6,000 private and state organisations. The expansion comes from three sources: new regulated sectors (e.g. waste management), new regulated services within existing regulated sectors (e.g. cloud computing services within the existing digital infrastructure sector), and a changed method of identifying obliged entities, under which the size of the organisation becomes the primary criterion for inclusion in the regulation.
Mandatory training of senior management and greater management responsibility for ensuring cyber security
Cyber security measures will be approved primarily by the statutory bodies of the obliged entity. Those bodies will also be obliged to supervise the application of the measures and will be liable for non-compliance with the obligations of the obliged entity concerned. In order to acquire sufficient knowledge and skills in the field of cybersecurity, members of the management body are to undergo training regularly.
Regulated entity ('Regulated Service Provider')
The primary way of determining whether a private or public entity falls under the regulation of the NIS 2 Directive or the new Cyber Security Act (subject to exceptions, e.g. for data centres) is the simultaneous fulfilment of two criteria:
The organisation provides at least one of the services listed in the Annexes to the Directive, and at the same time it is a medium-sized or large enterprise, i.e. it has 50 or more employees, or an annual turnover or annual balance sheet total of at least EUR 10 million (approximately CZK 250 million).
The main objective of cybersecurity regulation
The main objective of the adoption of NIS 2 is to ensure that important actors take preventive steps to strengthen their cybersecurity. This requirement takes the form of an obligation to implement so-called security measures (for example by implementing or updating an ISMS or a SOC).
The NIS 2 Directive works with two regimes of obliged entities, "important" and "essential", which correspond to two regimes of obligations under the draft of the new Cyber Security Act: a regime of lower obligations for entities in the "important" regime and a regime of higher obligations for entities in the "essential" regime. Each regime translates into a set of organisational, legal and technical security measures that obliged entities will have to implement and comply with.