NIS2: Obligations under the new cyber law

NIS2 v Česku, zlom v kyberbezpečnosti dorazí letos
The NIS2 Directive created two categories of regulated service entities. These are essential subject and important subject. These in turn differ in the requirements that organisations must meet.
In the Czech legal system, NIS2 will be transposed into the new Cyber Security Act and its implementing decrees. Draft of the Cybersecurity Act takes a slightly different approach and introduces a single entity - a regulated service provider with two regimes. There is a regime of higher obligations, which corresponds to the essential subject according to the NIS2, and a regime of lower obligations, which reflects the category of important subject.
If the organisation is a regulated service provider, the obligations it will have to fulfil depend on the regime it is classified under. You can read more about the Czech legislation based on NIS2 here.
Security measures in the regime of higher obligations

The Draft of the Act divides security measures into two groups. Organizational measures (14) and technical measures (11). The Decree on Regulated Services under then specifies the specific content of these obligations.

Organisational measures

Technical measures

Newly, organisations in the senior regime will need to have individuals in security roles: a cybersecurity manager, a cybersecurity architect, an asset sponsor and a cybersecurity auditor.

To get an idea of the content of the measures, let's take a closer look at the security role measures, for example. Newly, organisations in the regime of higher obligations will need to have individuals holding the roles of cybersecurity manager, cybersecurity architect, asset sponsor and cybersecurity auditor. The senior management of the organisation is required to designate these individuals. Each of these security roles should meet the requirements set out in the Decree on Regulated Services and it is recommended that the Annex to the Decree, which further elaborates on the roles, is also followed.

Security measures in the regime of lower obligations

For providers of regulated services under the regime of lower obligations, the law does not list organisational and technical measures separately, but they are listed together. Thus, there are a total of 13 security measures listed in the new draft of Cybersecurity Act, whereas in the current version of the draft decree in the subordinate obligations regime only 11 are listed. It is likely that we will only know what all the obligations for the regime of lower obligations (or even the regime of higher obligations) will be once the new legislation has been approved by the Czech Parliament.

Security measures in the regime of lower obligations:

Unlike the security roles discussed above in the regime of higher obligations, they are not found in the lower one in this way. However, under the security measure of ensuring cyber security, there is an obligation to designate a person responsible for cyber security. This person will be responsible for managing and developing cybersecurity and communicating with senior management for organisations in the lower regime.

This role may be assigned to a person who has received the professional training specified in the Decree on Regulated Services or has demonstrated professional competence for this activity. This role may already be performed by an existing member of staff, for example the person responsible for IT operations. This example nicely illustrates that the lower regime is indeed more lenient than the regime of higher obligations.

Are you under the new legislation?

Vyvinuli jsme aplikaci, kde si po zadání odpovědí na jednoduché otázky můžete zdarma ověřit, zda pod novou regulaci pravděpodobně spadnete či nikoliv. Dozvíte se i co budete muset případně plnit a jaké by měly být další kroky, které v tomto směru musíte podniknout.
Specific obligations in the digital infrastructure and services sector

The Cybersecurity Act, as presented to the Legislative Council of the Government in April 2024, comes with a special provision for regulated service providers in the digital infrastructure and services sector. This refers to a regulated service provider that is a provider of a regulated service:

Organisations providing any of these services will need to establish and implement security measures in relation to these services that include, as a minimum: risk management, security policy and documentation management, cyber security incident management, business continuity management, vendor management, secure acquisition, development and maintenance, application security, human resource security, cryptographic algorithms, access control, and identity management and authentication.

The details are yet to be determined by the European Commission and these requirements will take precedence over the obligations set out in Czech law. This is a tightening of security measures for all providers of any of the above regulated services and the degree of tightening will depend on the wording of the European Commission's implementing regulation. It may be slightly encouraging that this tightening is to apply to regulated service providers only to specific regulated services. Other regulated services that may be provided by that organisation and not covered by the Commission's implementing regulation will be governed by the regulated service provider regime, and thus by the Cybersecurity Act and its decrees.

Get ready

We can help you with practical preparation of your company for the new cybersecurity legislation.

More articles

Even when working from home, you're not out of reach of cyber threats. How to protect yourself in the home office? Here are tips to help keep your company data safe.
Certification can also help companies strengthen their security. How can certification according to the EU Cybersecurity Act contribute to compliance?
The holiday season brings great discounts but also an increased risk of scams. How can you protect yourself? Here are 8 tips for safe online shopping.

Newsletter

Do you want to be sure that your company is protected from cyber threats and at the same time comply with the applicable legislation? Sign up for the newsletter and get practical advice from our legal consultants.

By clicking submit, you consent to the processing of your personal data for marketing purposes.