Cybersecurity Act: statement by the Legislative Council of the Czech Government

Statement of the Legislative Council of the Government on the draft Cybersecurity Act (implementing NIS2)

On Thursday, 4 April 2024, the Legislative Council of the Government commented on the new draft Cybersecurity Act and recommended its revision. According to available sources, the criticism was directed mainly at two points: placing the obligations of regulated service providers in implementing legislation (decrees) rather than in the Act itself, and the previously criticised regulation of supply chain screening. A social media storm has erupted around the "end of the new cybersecurity law". Is that really the case?

Let's look at it from a different perspective.

So what's next?

The wording of the obligations may change to some extent, but their content will remain much the same. Of the substantive requirements, the Legislative Council criticised virtually only supply chain verification. The NIS2 Directive (the legal basis for the new Cybersecurity Act) draws on established international standards, above all ISO/IEC 27001, which codify good practice in information security management.

For an organisation that already logs and monitors events on its endpoints and servers, it makes little practical difference whether that obligation is established by decree or by the Act itself.

All of these are topics that organisations should address regardless of what the law says.

If cybersecurity matters to the operation of the company, what the company needs is not a law but a management that recognises its importance.

Cybersecurity should not just be a bureaucratic hurdle

Cybersecurity management can be set up in such a way that the costs, processes and procedures make economic sense for the company. And that's exactly our goal at Cybrela.

At Cybrela, we do not treat cybersecurity as a bureaucratic hurdle, as many critics of the upcoming law do. Nor do we see it as an obstacle to business that has to be "unblocked" only because of legal requirements and the threat of sanctions.

On the contrary. The goal of cybersecurity is to keep organisations, and society as a whole, running as reliably and efficiently as possible. Developments in information technology mean that today virtually every organisation, across a wide range of industries, depends on information systems and computing technology. This is true not only of services where everyone expects it, such as energy, banking, and communication services, but also, for example, of the delivery of supplies, the production of goods, the handling of customer orders, and the processing of invoices.

Considering cybersecurity as part of how a company operates means, above all, recognising the importance of the various activities that make up its day-to-day operations and evaluating how, to what extent, and on which systems and suppliers each of those activities depends.

On that basis the activities are prioritised, the dependencies between each activity and the computing technology it runs on are evaluated, and action is taken where the risks turn out to be too high. Cybersecurity management is the description and ongoing operation of these processes.

In effect, information security prepares an organisation for problems with its information assets that would affect its ability to operate and make money. The security measures it puts in place serve, to a large extent, as prevention: they stop cyber threats and incidents from occurring or limit their impact when they do. Such incidents, should they occur, can cause many times more financial and other damage (for example reputational harm) than the investment in cybersecurity itself.

What to do about it? Can I delete cybersecurity from my to-do list? 

A few thoughts in conclusion:

Introducing legal obligations to comply with cybersecurity requirements may raise the overall level of cybersecurity. But what matters is that organisations get their own cybersecurity house in order. In today's world, where virtually everything is connected to IT, an organisation needs the same kind of overview of its cybersecurity as it has of, say, its finances: knowing the context, knowing what the figures mean, and knowing how to work with them so that the organisation runs better in the future.

The delay to the new Cybersecurity Act is therefore above all an opportunity for organisations. They can plan better and stagger the work rather than postpone it. Using the extra time to put off investment in cybersecurity on the grounds that it is "not needed yet" simply gives attackers longer to exploit that unpreparedness.

You want to wait? We understand, and that is fine; just decide what you want to do and how you want to do it. Across Europe there is a shortage of professionals who can help you with cybersecurity or perform the legally required roles for you: over 350,000 of them, according to recent research. So do not fall for ready-made solutions wrapped in a bow that you will pay unnecessarily extra for.

Get ready

We can help you with practical preparation of your company for the new cybersecurity legislation.
