New cybersecurity regulation according to NIS2

Q: What is NIS2 and how does it relate to the cybersecurity regulation?

Povinností každé členské země Evropské unie je „přijmout“ vydané směrnice do svého právního řádu – vydat k nim příslušný zákon. NIS2 je zkrácený název evropské směrnice, která řeší otázku kybernetické bezpečnosti. A nový zákon o kybernetické bezpečnosti je způsob, kterým je směrnice NIS2 v Česku přijímána.Proto nový zákon o kybernetické bezpečnosti upravuje povinnosti subjektů v oblasti zajišťování bezpečnosti informačních systémů a sítí, klade povinnosti na vedení společnosti i její zaměstnance, zavádí povinnost řídit aktiva a rizika a řadu dalších. Vše s cílem zvýšit odolnost společností proti kybernetickým útokům.

Q: When will the new law on cyber security be effective?

Podle původních předpokladů měl být zákon přijat do konce roku 2024, ale vzhledem k vývoji legislativního procesu se očekává jeho přijetí v roce 2025.Nové povinnosti, které zákon podle směrnice NIS2 zavádí, budou účinné rok po jeho účinnosti, tedy v roce 2026. S přípravou na změny však doporučujeme začít co nejdříve – zejména kvůli čím dál tím většímu rozšíření kybernetických hrozeb, nedostatku odborníků a potřebě racionálního plánování výdajů společnosti.

Q: Who will be affected by the new Czech Cybersecurity Act?

Nový zákon o kybernetické bezpečnosti významně rozšiřuje okruh subjektů. Odhaduje se, že nové povinnosti dopadnou na tisíce českých společností, kterým budou za nedodržení pravidel hrozit přísné sankce.Platit budou pro poskytovatele regulovaných služeb, tedy pro společnosti spadající do 22 vybraných odvětví. Jedná se například o energetiku (elektřina, pohonné hmoty, plyn, vodík i teplo), vodní hospodářství (vodovody a kanalizace) nebo zdravotnictví. Kromě toho se povinným subjektem můžete stát, pokud budete učeni NÚKIBem v rámci stanovených výjimek. Nebudete sice splňovat kritéria pro poskytovatele regulované služby, ale přesto budete muset povinnosti plnit.Zda bude vaše společnost spadat pod nový zákon si můžete jednoduše ověřit v naší aplikaci Urči.se.

Q: What is the difference between a regime of lower and higher obligations?

Vyšší a nižší režim povinností si můžete představit jako dva stupně obtížnosti. S nižším režimem se pojí méně povinností, rozsah vyžadované dokumentace je sotva poloviční a je třeba obsadit jednu bezpečnostní roli. Pokud máte šikovné IT, možná nebudete muset ani přijímat nového člověka. Teoreticky jen potřebujete někoho, kdo vám vysvětlí obsah nových povinností.Společnosti spadající pod režim vyšších povinností oproti tomu musí obsadit minimálně tři bezpečností role, řídit rizika, spravovat a pravidelně aktualizovat více než 20 dokumentů, zavést a udržovat systémy pro monitorování sítě a mnoho dalšího.

Q: What is self-identification and how does it work?

Povinnost samoidentifkace znamená, že si každá společnost musí posoudit, zda je poskytovatelem regulovaných služeb a jestli se tím pádem musí řídit novou úpravou kybernetické bezpečnosti. Je to jedna z těch významných změn, kdy oproti původnímu zákonu o kybernetické bezpečnosti společnosti určoval přímo sám NÚKIB.V případě, že společnost zjistí, že vykonává činnost dle vyhlášky o regulovaných službách, bude se muset u NÚKIB ohlásit jako poskytovatel regulované služby a začít plnit zákonné povinnosti. Povinnost registrace u NÚKIB je nutno splnit nejpozději do 60 dní od účinnosti nové právní úpravy.

The new cyber security regulation, which is based on the European directive NIS2 introduces several new cyber security obligations for thousands of companies. Stricter rules and new requirements will impact all those companies designated as providers of regulated service.

Changes are due in 2025, but you can leave everything to us - we will guide you through the entire process of implementing cybersecurity in your company. From initial analysis, through implementation, auditing, to outsourcing security roles. In short, we will make sure that cybersecurity is not a bogeyman for you, but that you understand everything, keep your business safe and compliant with the law.

Who does the new law according to NIS2 apply to?

The new cybersecurity regulations according to NIS2 bring new obligations to many entities that were not previously covered. They will affect anyone who meets the criteria of a so-called "regulated service".

Typically, these are size ('large' and 'medium' enterprises as recommended by the European Commission) and specific aspects of the sector - number of customers in telecoms, Energy Regulator's license in energy, or number of acute care beds in healthcare.

Even if you are not a provider of a regulated service, you may fall under exemptions designated by the National Cyber and Information Security Authority (NCIS). And then your cybersecurity obligations will also apply to you. Areas affected in this way will include the provision of certain IT services, food processing, manufacturing, chemicals and many others.

The draft of the new Czech Cybersecurity Act introduces several new obligations for the targeted entities. Some of the most significant ones include:
Self-identify whether your company is a provider of a regulated service and the new law apply to your company.
Responsibility of the company's management for the measures taken in the area of cyber-information security.
Obligation for top management to attend regular training sessions.
Obligation to implement security measures.
Implementation of countermeasures and many others.
For some entities, measures should also include the assessment and management of security risks arising from supply chains and supplier relationships.

Do the changes brought by the NIS2 directive apply to your company?

You can find out in our guide.

What duties will the new cybersecurity regulation bring?

Duties for top management

The purpose of this obligation is to ensure that those in decision-making positions understand the consequences of their decisions and their impact not only on the cybersecurity of the company, but on its overall functioning. This will require managers to be familiar with key documents or attend regular training sessions.

Repeated breaches may result in the suspension of a member of senior management.

Human resource security

In cybersecurity, employees need to be educated first and foremost. And record that you have educated them. The most advanced (and expensive) technical cybersecurity solution can fail if your employees are not properly trained and open a phishing email.

Training plans, the training itself, and evidence of the training are key responsibilities in this duty.

Access control system

Only carefully selected people should have access to important information about your company. The creation and registration of user accounts and the control of their access serve this purpose. An HR employee should not have access to company business data, unlike an economist. Conversely, an economist should not have access to employee data.

Business continuity management

Business continuity helps your company anticipate the consequences of cyber attacks and other disasters. What would be the response in the event of a failure of a vital information system? How quickly can it be restored? How much will it cost me if I want it to be faster? Knowing the answers to these and follow-up questions is better before the incident happens. At that point, it's essential to have all procedures thought out and written down in advance - that's what business continuity management is for.

Security of communication networks

You can ensure the security of a communication network, for example, by separating the individual parts of the network using logical units. The mischief will then remain only in the sub-part and will be ended.

Remote access and the introduction of VPNs are also related to communication network security. Its implementation is related to the ability to verify the identity of those accessing the network using MFA and to keep records of them.

Cryptographic algorithms

The purpose of using cryptographic algorithms is to secure communications, technical assets and other tools. It is important, for example, to choose appropriate communication protocols and to establish rules for the handling of cryptographic algorithms.
The National Cyber and Information Security Agency actively monitors and informs about this area. The document 'Minimum requirements for cryptographic algorithms' is posted on its official board. If you follow it, you can't go wrong.

Application security

For any software in use, it is important whether the manufacturer or supplier supports it. For those that are not supported, it is not possible to ensure their security. Application security requires, for example, maintaining a list of unsupported software and other assets and scanning for internal network vulnerabilities.

Asset management

An asset is anything that has value to your company. It is usually information, systems or processes.

By evaluating your assets, you will know which ones are most important to you, what they depend on and who is responsible for them.

Risk management

Risk management is an activity that needs to be repeated regularly. A company must establish a methodology that describes how it assesses risk, identifies threats and vulnerabilities. The goal is to make it clear how to manage risks going forward.

Other security measures will apply to your company depending on whether your business will be in the lower or higher regime according to the new Czech regulation on cybersecurity. Want to find out which regime you fall into? Use our guide Urči.se ↗

Standards related to cybersecurity

Law of the Czech Republic

New Cybersecurity Act (according to the NIS2 Directive)

EFFECTIVE

2025

APPLIES TO

Providers of regulated service.

MAIN OBLIGATIONS

Identify the regulated service by self-identification and registration through the NÚKIB portal.
Implementation of cybersecurity measures (in the regime of higher or lower obligations).

European Union Regulation

DORA

EFFECTIVE

17 January 2025

APPLIES TO

Financial entities.

MAIN OBLIGATIONS

Implement security measures to ensure digital operational resilience.
Information and Communication Technology (ICT) risk management.

International and cross-industry standard for Information Security Management System (ISMS)

ISO 27001

EFFECTIVE

Since 2005 (the latest version of the standard is from 2022).

APPLIES TO

All organizations that want to protect their assets.

MAIN OBLIGATIONS

Implement information security measures (certification).
Asset and risk management. Business continuity management.
Incident management.

European standard, assessment and information exchange mechanism for the automotive industry

TISAX®

EFFECTIVE

Since 2017 (version 5.1 of the VDA ISA survey from 2022 is mandatory for all new TISAX assessments).

APPLIES TO

Organizations in the automotive industry.

MAIN OBLIGATIONS

Meeting the specific safety requirements for successful TISAX® certification.
The assessment for TISAX® certification takes place once every 3 years.

Frequently asked questions

What is NIS2 and how does it relate to the cybersecurity regulation?

It is the responsibility of each member state of the European Union to "adopt" the issued directives into its legal system - to enact the relevant law. NIS2 is the short name of the European Directive, that addresses the issue of cybersecurity. And the new cybersecurity regulation is the way in which the NIS2 Directive is being adopted in European countries.

Therefore, the new cybersecurity regulation sets out the obligations of entities in the area of ensuring the security of information systems and networks, assigns obligations to the management of a company and its employees, introduces the obligation to manage assets and risks, and many others. All with the aim of making companies more resilient to cyber-attacks.

When will the new law on cyber security be effective?

The Czech Cybersecurity Act was originally expected to be adopted by the end of 2024, but due to the evolution of the legislative process, it is expected to be adopted in 2025.

The new obligations introduced by the law according to the NIS2 Directive will take effect one year after its entry into force, in 2026. However, we recommend starting to prepare for the changes as soon as possible - especially due to the increasing prevalence of cyber threats, the lack of experts and the need for rational planning of company spending.

Who will be affected by the new Czech Cybersecurity Act?

The new Cybersecurity Act in Czechia significantly expands the range of entities. It is estimated that the new obligations will affect thousands of Czech companies, which will face severe penalties for non-compliance.

They will apply to providers of regulated services, that means companies in 22 selected sectors. These include energy (electricity, fuel, gas, hydrogen and heat), water (water supply and sewerage) and healthcare. In addition, you can become a mandatory entity if you are selected by the Cyber Protection of the Civil Service within the framework of the specified exemptions. You wont meet the criteria for a regulated service provider, but you will still have to comply with the obligations.

You can easily check whether your company will be affected by the new regulation in our app Urči.se.

What is the difference between a regime of lower and higher obligations?

You can think of the regime of lower and higher obligations as two levels of difficulty. The lower regime involves fewer duties, the amount of documentation required is barely half the size and there is one security role to be covered. If you have a skilled IT, you may not even need to hire a new person. In theory, you just need someone to explain the detail of the new obligations.

By contrast, companies in the regime of higher obligations need to fill at least three security roles, manage risk, manage and regularly update more than 20 documents, implement and maintain network monitoring systems, and much more.

What is self-identification and how does it work?

The self-identification obligation means that each company must assess whether it is a provider of regulated services and therefore must comply with the new cybersecurity regulation in the Czech Republic. This is one of those significant changes where, compared to the original Czech Cybersecurity Act, companies were identified directly by the National Cyber and Information Security Agency itself.

If a company is found to be operating under the Regulated Services Decree, it will have to register with the National Cyber and Information Security Agency (NÚKIB) as a regulated service provider and start complying with its legal obligations. The obligation to register with the NÚKIB must be fulfilled no later than 60 days after the entry into force of the new legislation.

How can we help?

With regular cyber security setup

We will analyse the specific legal provisions set out in the local cybersecurity regulation to determine their application to your company.
We will continuously monitor compliance with laws and regulations. on cyber security.
We will prepare a plan to implement policies and procedures appropriate to your company.
We will help you implement and improve your technical and organizational measures.
We will train your employees and raise awareness of cybersecurity in your company.
In addition to analysis, implementation, documentation creation, auditing, etc. we will provide you with an outsourced cybersecurity manager.

With the new cybersecurity regulation

By doing a gap analysis, we will verify the situation in your company and prepare a plan for further steps and measures that will need to be implemented.
We can help you identify the regime, your company will be in and help you to set up security measures to ensure you are fully compliant with the law.
We will explain the details of your obligations according the new cybersecurity regulation and provide training for senior management..
We will prepare an asset and risk analysis.
We will assess the security risks of your supply chains and help you to identify and evaluate significant suppliers.
We will prepare a business continuity plan and help you with all the other obligations that the new regulation on cyber security brings.

Why to work with us?

Experienced cyber experts

Our experts have many years of experience in the complete implementation of cyber security measures in companies of various industries and sizes

Always here for you

We are outsourcing security roles, including a Cyber Security Manager who is available 24/7.

We stay updated

We monitor the current situation regarding the transposition of NIS2 into valid local legislation and we know the news and current events first hand.

We respect the business

We set up cybersecurity in a practical and comprehensible way so that it is mainly beneficial for you and so that everyone in your company understands and knows how to use it.

Focus on legislation

We are consultants with a legal background. We will translate directives and regulations into a comprehensible language for you so that you fully understand everything.

We can adapt

In addition to the procedural setup of cyber information security, we can also connect you with certified consultants for the technical part.

Contact us and get your umbrella against cyber threats!

We will help you create the foundations, principles and documentation for the effective security. We will teach you how to understand and rely on your security in case of incidents, so that it is preventive and does not limit the operations.