- Kateřina Kubíková
Top management plays a crucial role in ensuring that a company adopts and implements appropriate measures to protect its information systems in the realm of cybersecurity. In our previous article (here), we focused on the obligations of top management under the new cybersecurity legislation implementing the NIS2 Directive. Now, let’s see why leadership should not take their new responsibilities lightly. What are the most severe penalties that may be imposed in cybersecurity?
Ban on holding office as a member of the statutory body
The most discussed and potentially most unpleasant sanction for top management in the higher regime is a temporary ban on holding office as a member of the statutory body. This penalty stems from the NIS2 Directive and is further detailed in the new cybersecurity law. Specifically, the NIS2 Directive states that countries must introduce measures to "impose a temporary ban on any natural person responsible for performing managerial functions at the level of CEO or legal representative in a high-risk entity from holding such managerial functions".
- When can this ban be imposed?
The National Cyber and Information Security Agency (NÚKIB) can ban a member of the statutory body from holding office if this person repeatedly or seriously breaches their duties while fulfilling NÚKIB's decisions. These decisions require the company to address identified deficiencies. If the actions of a member of the statutory body prevent the proper fulfillment of the decision, a ban on holding office may be imposed until the deficiencies are corrected, but for no less than six months.
- Why these sanctions?
The primary goal of introducing this sanction is to create a deterrent effect. NÚKIB expects that it will enhance the responsibility of top management for cybersecurity. The sanction also ensures that, during the remediation process, the person who hindered progress is not in a leadership position. This penalty is not just a punishment for failing to meet obligations but also a means to compel companies to comply with their responsibilities. NÚKIB has described this as an extreme punitive measure.
- Who is exempt?
This sanction cannot be imposed on top management in companies in the lower regime. It also does not apply to public officials whose roles are limited by time or function and are filled through direct or indirect elections or appointments under special legal provisions. This includes ministers, regional governors, heads of professional chambers, or rectors and deans of public or state universities.
Fines for the company
The draft of the new cybersecurity law also defines offenses directly for regulated service providers, applying to companies in both the higher and lower regimes. Non-compliance with management obligations will typically result in the company also failing to meet its obligations, which can lead to fines.
Fines for other individuals in cybersecurity (including management)
The new legislation also addresses other individuals who fail to meet their obligations under the law, allowing fines to be imposed for offenses (e.g., when an individual fails to cooperate with NÚKIB). Such offenses can be committed by anyone who is not a regulated service provider (i.e., a company providing a regulated service). This may include, for example, a company executive who continues to hold office in violation of a ban.
In addition to the ban on holding office, top management may also face financial penalties. These sanctions can be imposed not only on top management in the higher regime but also in the lower regime. Depending on the offense, these fines can range from CZK 50,000 to CZK 250,000,000 or up to 2% of the net worldwide annual turnover of the company to which the accused belongs. The maximum amounts are intended to serve as a deterrent.
When imposing penalties, the principle that they should be effective and dissuasive, but also proportionate, must be followed. The fines should not be crippling.
Does top management really need to address cybersecurity?
In short – yes. Regardless of the potential financial penalties or the ban on holding office mentioned in the new cybersecurity legislation proposal, top management should address cybersecurity for a variety of business reasons:
Improved management efficiency
Trained management can make faster and more effective decisions in the event of a cybersecurity incident, which is key to ensuring and maintaining the security of the company.
Financial losses
Not only sanctions but cyberattacks themselves can lead to significant financial losses. Security measures are designed to help companies prevent incidents and respond to them quickly, minimizing these losses.
Reputation protection
Preventing or mitigating the consequences of cyberattacks also reduces the risk of damage to a company’s reputation and the trust of customers or partners in the business.
Business continuity
Cyberattacks can cause significant disruptions. Being prepared for them and ensuring recovery minimizes both the impact of incidents and business losses.
Competitive advantage
Customers are increasingly concerned about how their sensitive information is protected and whether it might be compromised. Even in the B2B sector, partners will prefer to work with companies that prioritize cybersecurity, to avoid being exposed to risks through their partners.