- Kateřina Hůtová
- David Polách
On Thursday, 4 April 2024, the Legislative Council of the Government commented on the new draft Act on Cyber Security and recommended its revision. According to available sources, the criticism was directed mainly at placing the obligations of regulated service providers in implementing legislation (decrees) rather than in the Act itself, and at the previously criticised regulation of supply chain screening. A social media storm has erupted, announcing the "end of the new cybersecurity law". Is this really the case?
Let's maybe look at it from a different perspective.
- Every piece of new legislation that significantly affects the operation of private and public entities is accompanied by heated opinions and twists and turns. The new Act on Cybersecurity is no different in this, but that does not change the fact that the obligations will have to be accepted, so let's take it on with grace and find a win-win outcome for everyone (i.e. for both the entity and its compliance).
- If we look at the statistics on how many bills are routinely returned by the Legislative Council, the new Act on Cybersecurity is no exception. On the contrary, certain procedural changes are always to be expected; we would be mildly surprised if a draft act sailed through without any ripples. Does that mean a big "bye bye" to new obligations? Not really, although we understand that some of you would like it to. The Act is still expected to take effect in late 2024/5 or early 2025.
- "Why is the state even telling me what to do? It's my business; if I go down, it's my problem." - Yes, maybe back when the world was set up so that every house stood dozens of miles apart. Now we are all living in a block of flats: the moment the flat in the middle catches fire, the other flats will somehow be affected.
So what's next?
The wording of the obligations may change to some extent, but their content will remain similar. In this respect, virtually the only thing the Legislative Council criticised was supply chain verification. The NIS2 regulation (the legal basis for the new Cybersecurity Act) is based on the international standard ISO 27001, which sets out good and best practice.
Whether the obligation to use a tool that records events on endpoints and servers is laid down by decree or by the Act itself makes very little practical difference to those who have to use it.
- User authentication,
- creating backups,
- knowing how important your own information systems are and how they are tied to the hardware they run on,
- agreed times when the contractor will help you set up the systems and how much it will cost you...
these are all topics that organisations should address regardless of what the law says.
If cyber security matters to the operation of the company, what is needed is not a law but a management that recognises its importance.
Cybersecurity should not just be a bureaucratic hurdle
Cybersecurity management can be set up in such a way that the costs, processes and procedures make economic sense for the company. And that's exactly our goal at Cybrela.
At Cybrela, we don't treat cybersecurity as a bureaucratic hurdle, as many critics of the upcoming law do. Nor do we see it as an obstacle to business that must be "unblocked" because of legal requirements and possible sanctions.
On the contrary. The goal of cybersecurity is to make society run as efficiently as possible. Developments in information technology have meant that today virtually all organisations, across a wide range of industries, depend on information systems or computing technologies. These are not only services where everyone expects the use of these technologies, such as energy, banking, and the provision of communication services, but also, for example, the delivery of supplies, the production of goods, the handling of customer orders, and the processing of invoices.
Considering cybersecurity as part of how a company operates means, above all, recognising the importance of the various activities in the company's day-to-day operations and evaluating how, to what extent, and on what these activities depend.
As a result, the activities are prioritised, the dependencies between each activity and the computing technologies it runs on are evaluated, and action is taken where the risks appear too high. Cybersecurity includes a description of these processes.
In effect, information security prepares an organisation for issues affecting its information assets that would impair its ability to operate and make money. Security measures then serve, to some extent, as prevention: they avert or mitigate cyber threats and incidents which, should they occur, could cause many times more financial and other damage (e.g. reputational harm) to the company than the investment in cyber security itself.
What to do about it? Can I delete cybersecurity from my to-do list?
- Look at what you have and don't have set up (you can use the draft Act and decrees as a yardstick, or at least some basic best practices; either way you won't go wrong).
- From the results, make a roadmap - depending on whether you will fall under the new Act, and in what regime. Even if you won't fall under it but step (1) revealed a few gaps that could hurt you, don't underestimate them - hard on the training ground, easy on the battlefield.
- Do you need help with this or can you do it yourself? Both are perfectly fine. No consultant will do the "cyber" for you, no matter what they claim; you will always be part of the collaboration.
- Budget. Because if you need help - it will cost you something. If you need some technical measure - it will cost you something. We won't lie, introducing obligations is not free, but think "reasonable and proportionate" - take sales pitches with a grain of salt and keep technical and organisational measures proportionate. Make it work for you; that's all that matters.
A few thoughts in conclusion:
The introduction of legal obligations to comply with cyber security may contribute to an overall higher level of cyber security. But what matters is that organisations get their own cybersecurity house in order. In today's world, where virtually everything is connected to IT, it is essential to have the same kind of overview of cyber security as you have of, say, finance: knowing the context, what the figures mean, and how to work with them in future to make the organisation run better.
The fact that the new Cybersecurity Act is being delayed is therefore an opportunity, especially for organisations: they can plan better, stagger the work and avoid delays. Using the extra time to postpone investment in cybersecurity from a position of "not needed" mostly gives attackers a longer window to exploit unpreparedness.
You want to wait? We understand, and that's fine; just think about what you want to do and how you want to do it. Overall, there is a shortage of professionals who can help you with cybersecurity and/or perform the legally required roles for you. According to recent research, Europe is short of over 350,000 of them, so don't fall for the "miracle" solutions wrapped in a bow that you will pay unnecessarily extra for.