- Kateřina Hůtová
- Kateřina Kubíková
The article was published on KomoraPlus. You can read the full version below.
The NIS2 Directive and its implementation into Czech legislation are fast approaching. The new Cybersecurity Act is expected to be in force by mid-2025. Compared to the original plan this is a slight delay, but not a staggering one. The first and crucial obligation under the new law is to self-identify, i.e. to find out whether your company will be a regulated entity under the new Cybersecurity Act. Many businesses are already floundering at this point, so let's look at the most common mistakes and how best to avoid them.
Although the National Cyber and Information Security Agency does a great deal of awareness raising in this area, there are still many companies that have not yet registered this upcoming change to their obligations. No wonder. The volume of regulation that companies must follow is already huge, but as the well-known legal principle states: ignorance of the law is no excuse. While no one can know all of it, it is important to take an interest in the regulations that affect us.
Mistake #1: I don't know that I must do any self-identification at all
The NIS2 directive expanded the number of regulated entities from about 360 to an estimated 12-15,000 in the Czech Republic and 10,000 in Slovakia. So, the expected increase is dramatic and the chances of the new law affecting you are quite high.
Why is self-identification such a crucial obligation in the first place? If you were a regulated entity and did not report to the National Cyber and Information Security Agency, you would be committing an offence. And because the Agency views this behavior as an attempt to avoid your obligations, it can impose the highest fines. Specifically, this is up to CZK 250,000,000 or up to 2% of the company's annual worldwide net turnover, whichever is greater.
However, in addition to worrying about a hefty fine, it's a good idea to address cyber security to protect your business, as the number of cyber-attacks continues to rise. And yet, they are not always targeted. Sometimes attackers are simply trying to see who they can catch. Even lesser-known or smaller companies can suffer as a result.
Mistake #2: Misunderstanding of regulated services
In short, the proposed new legislation will affect those companies that provide a service in a regulated sector and meet other criteria (typically of a certain size). Regulated services are those that matter for the provision of important social or economic activities, or for security, in the Czech Republic, and they come from 15 different sectors.
These sectors are:
- Digital infrastructure and services
- Transport
- Energy
- Financial market
- Chemical industry
- Defense industry
- Waste management
- Postal and courier services
- Food industry
- Science, research and education
- Space industry
- Public administration and public authority
- Water management
- Healthcare
- Manufacturing
It sounds relatively straightforward, so if I am not active in any of these sectors, do I not have to deal with the new cyber legislation at all? The first mistake already occurs here. Even if you do not carry on any activity in any of these sectors, you may still fall within one of the exceptions listed in the Act. The advantage is that you would not have to report to the National Cyber and Information Security Agency yourself and, if you were identified, the Agency would register you and not impose a fine. Even so, it is a good idea to look at the exceptions, because if you are covered, it is advisable to start preparing for the obligations early.
Another and much more common mistake that companies make is to confuse their core business with regulated service industries. However, the new law is not just concerned with activities that are your core business, but everything you do.
We can use the example of a company that produces toys for pets. It has verified that the manufacturing sector does not cover this production and so concluded that it will not be subject to regulation. But it would not be a good example if that were the end of the story. In fact, this company has a subsidiary that sews dog clothes, and our toy company manages all of the subsidiary's IT and invoices it for these services. This already places it in the digital infrastructure and services sector; specifically, it could be providing a regulated service as a managed service provider (MSP) or a managed security service provider (MSSP), depending on what it specifically does. It does not matter that the provision of IT services is not its core activity.
A company that has installed photovoltaics for which it has been granted an ERU license may be in a similar situation. It is possible that, because of the photovoltaics, such a company becomes a provider of a regulated electricity generation service in the energy sector without considering this to be its activity at all.
Companies must therefore identify all regulated services they provide, whether or not these are their core business. Fulfilling the conditions of a regulated service is what counts.
It is important to remember that many companies will become providers of more than one regulated service.
So, what to do about it? You can read the draft Regulated Services Decree, which sets out the specific conditions of regulated services, and at the same time think in detail about all your activities, even if they do not seem important at first glance. And remember, you can provide more than one regulated service, and you must report all the services you provide!
Mistake #3: Incorrect sizing of the business
In addition to activity in regulated industries, another typical criterion is the size of the business. If you were operating within a regulated industry but did not meet the size requirement, the new cyber law will not apply to you. For example, under the regulated service of food manufacturing, the food manufacturing business is required to be a large or medium-sized business. If it is not, it will not become a provider of a regulated service.
However, even in this case, let us not forget about exceptions and other criteria regardless of size.
For example, in the provision of health care, regardless of your size, it is sufficient to have a certain number of acute care beds (270 for reference). For the regulated health care service mentioned above, you become an obliged entity when you meet the size criterion or when you meet the number of acute care beds mentioned above, regardless of the size of the undertaking.
Size calculator
The size of the entity is calculated according to Commission Recommendation 2003/361/EC, which defines micro, small and medium-sized enterprises and, by extension, large enterprises. The assessment of the enterprise is based on either the employment or the financial indicator.
The financial indicator is generally applied to those companies which, for their size, have a larger than usual annual turnover or annual balance sheet total. And whether to calculate annual turnover or annual balance sheet total is your choice (you can choose the lower value). Most companies determine their size based on the number of employees, which is why they most often make mistakes in this step as well.
In short, small companies have a maximum of 49 employees, medium companies have 50 to 249, and large companies have 250 or more. Many companies don't make mistakes in this section and get their own employee count correct. The problem arises in that the number of employees must also consider so-called "relevant links between property-related organizations". What does this mean?
Food companies are a good example. For a regulated food manufacturing service, the condition that the company is a large or medium-sized enterprise must be met. If the company had 10 employees (and did not meet the financial indicator), it would not meet the regulated service criterion and would not become a regulated entity. However, this is where most of the errors occur. Companies fail to consider that they are in a connected or partnership relationship with another company; for example, that they are a subsidiary of a large company or, more generally, part of a holding. In these cases there is a property relationship, and the employees of the subsidiary, sister or parent companies are included in the total number of employees of the company under assessment, either in full or pro rata according to the degree of affinity. Thus, a food processing undertaking with 10 employees may also become a large undertaking thanks to its parent company, since it will have more than 250 employees in total.
In May this year, a new exemption for asset-linked companies was introduced into the draft Cybersecurity Act. It states that a person whose technical assets are entirely separate from the technical assets used by the person being assessed in the provision of a regulated service is not considered to be a partner or connected undertaking.
According to the Explanatory Memorandum, this would typically be in situations of investment in start-ups where there is no interconnection of the information systems or operations of the two persons apart from the equity input into the company. However, we will have to wait to see how this exception plays out and to whom it will apply until the end of the legislative process when the new cyber law is in place.
In addition to your own employees, don't forget to consider those from the parent, sister or subsidiary company. And if you think you might be covered by the new size exemption, be sure to check its wording and interpretation after the legislative process is complete, as it could still change significantly.
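As an added worked example (not from the article or its authors), the headcount aggregation described above can be modelled as follows: connected companies (parent, subsidiary, sister) are counted in full, partner companies pro rata to the share held, and a related company falling under the draft exemption for fully separate technical assets is left out. The pro-rata share rule, the `separate_assets` flag and the sample company names are assumptions; only the employment indicator is modelled, not the financial one.

```python
from dataclasses import dataclass, field

@dataclass
class Related:
    name: str
    employees: int
    kind: str                      # "linked": counted in full; "partner": pro rata
    share: float = 1.0             # ownership share used for the pro-rata count (assumed rule)
    separate_assets: bool = False  # assumed: draft exemption for fully separate technical assets

@dataclass
class Enterprise:
    name: str
    employees: int
    related: list = field(default_factory=list)

def aggregated_headcount(e: Enterprise) -> float:
    """Own staff plus the staff of related undertakings, as the article describes."""
    total = float(e.employees)
    for r in e.related:
        if r.separate_assets:
            # Draft exemption: not treated as a partner or connected undertaking at all
            continue
        if r.kind == "linked":
            total += r.employees             # subsidiary, parent or sister company: in full
        elif r.kind == "partner":
            total += r.employees * r.share   # partnership: pro rata to the share held
        else:
            raise ValueError(f"unknown relationship kind: {r.kind!r}")
    return total

def size_class(headcount: float) -> str:
    """Thresholds as quoted in the article: up to 49 small, 50-249 medium, 250+ large."""
    if headcount >= 250:
        return "large"
    if headcount >= 50:
        return "medium"
    return "small"

def food_manufacturer_in_scope(e: Enterprise) -> bool:
    """Regulated food manufacturing requires a medium or large enterprise (headcount only)."""
    return size_class(aggregated_headcount(e)) in ("medium", "large")

if __name__ == "__main__":
    # Constructed sample: a 10-person food producer that is a subsidiary of a 300-person parent
    producer = Enterprise("Sample Food s.r.o.", 10,
                          [Related("Sample Holding a.s.", 300, "linked")])
    print(aggregated_headcount(producer), size_class(aggregated_headcount(producer)))
    print("in scope:", food_manufacturer_in_scope(producer))
```

The same 10-person producer is out of scope on its own and in scope once the parent's staff are counted; flipping `separate_assets` on the parent shows the effect of the draft exemption.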
Mistake #4: Confusion in regulated services regimes
When you self-identify and report your regulated service as a regulated entity to the National Cyber and Information Security Agency (or all of them if you provide more than one), you have taken the first step. The National Cyber and Information Security Agency registers you and then your other obligations begin according to the regime in which you provide the regulated service. If you only have one regulated service, you will be subject to the safeguards and obligations under the regime that regulated service specifies. This may be a higher regime (more obligations) or a lower regime.
Companies that provide multiple regulated services make mistakes here when preparing for the new legislation: one regulated service falls in the lower regime and another in the higher regime. Companies then want to prepare for both regimes at the same time, or they choose the more favorable one, the lower regime.
As a company can only be in one regime, the rule that the higher regime prevails applies here. If even one of your many regulated services falls in the higher regime, the higher obligation regime is the one that applies to your company.
The purpose of this rule is for the company to adopt uniform rules. In practice, the presence of both regimes in one organization would not only be inappropriate but also very difficult to apply.
Mistake #5: I am a supplier to a regulated entity = I am a regulated entity?
The new draft Cybersecurity Act also mentions suppliers of regulated entities. They will have to comply with certain obligations, mainly rules that reach them through their customers (the regulated entities). The fact that you supply your services to a regulated entity does not in itself make you a regulated entity.
The supplier must itself provide a regulated service to become a regulated entity, and at the same time meet all the other criteria that the regulated service will require. Therefore, a supplier, like any other company, must self-identify and determine whether it is a regulated entity. If it is not, it will only be subject to the obligations as a regulated entity supplier and will not have to report to the National Cyber and Information Security Agency.