NIS2 DIRECTIVE - A CYBER SECURITY REVOLUTION

Mgr. Marek Zeman 30.08.2023

We are LAWYERS focusing on COMPANIES.

We will advise on the changes in the field of cyber security brought about by the NIS2 directive and the new Cyber Security Act.

Contact us

NIS2 DIRECTIVE – A CYBER SECURITY REVOLUTION

At the end of 2022, Directive (EU) 2022/2555 of the European Parliament and of the Council was adopted, which is usually referred to as the NIS2 Directive. Its goal is to increase the level of cyber security in key sectors of the state. It might therefore seem that the directive will not have any major impact on the daily life of small and medium-sized companies. In fact, nothing could be further from the truth, as the impact of the NIS2 directive will be absolutely fundamental, not only for people doing business in these critical industries, but also for their contractual partners.

The NIS2 directive is to be transposed into the Czech legal system by 17 October 2024 at the latest. The transposition will be carried out by adopting a new law on cyber security, which is to be approved by the government in the foreseeable future. Although the new law on cyber security has not yet been adopted and its final form is not known, it is already possible to deal with the changes that the NIS2 directive and the new law on cyber security will bring.

WHAT IS THE MEANING OF THE NIS2 DIRECTIVE?

The currently effective cyber security law (which will be repealed and replaced by a new law in the foreseeable future) imposes certain obligations in the field of cyber security on a certain group of usually large companies doing business in critically important sectors. The purpose of the NIS2 directive and the subsequent draft of the new law on cyber security is to extend this group of persons to other, smaller persons doing business in certain areas that are key to the functioning of the state, or in areas where a data leak or hacker attack would constitute a significant problem for a large number of people.

WHICH SECTORS ARE REGULATED?

The sectors that the NIS2 Directive considers to be of critical importance are listed in Annexes No. I and No. II of the NIS2 Directive, while the draft law further specifies this scope. According to the draft of the law, the regulated sectors should include: public administration, energy, manufacturing industry, food industry, chemical industry, water management, waste management, transport, digital infrastructure and services, financial market, healthcare, science, research and education, postal and courier services, the military industry and the space industry. However, not all activities related to, for example, the food industry will be considered regulated activities within the meaning of the law. Specific criteria for regulated services belonging to these sectors should be established by implementing legislation, namely the decree of the National Office for Cyber and Information Security (NÚKIB); within the framework of the decree, the activities that will be considered as regulated activities will be specified.

WHO WILL THE NEW REGULATION AFFECT?

Compared to the current situation, the range of persons who are subject to obligations in the field of cyber security is expanding significantly. NIS2 directive, or the draft law, primarily affects medium-sized enterprises, i.e. enterprises with 50 or more employees and an annual turnover of over EUR 10 million, which simultaneously carry out activities in any of the above-mentioned regulated areas. – link to the definition of a medium-sized enterprise Even if the company does not meet the definition of a medium-sized company or if it performs activities in other areas, it may still be subject to obligations according to the NIS2 directive, or of the law, catch. This is especially the case if the business:

• a) Provides services to a public electronic communications network provider, a trust-building service provider (e.g. qualified electronic signatures) or a top-level domain registry provider (CZ.NIC z.s.p.o.);
• b) Is the exclusive provider of services that have a fundamental impact on the preservation of critical social and economic activities;
• c) Is critically important for a certain industry due to its specific market position;
• d) Disruption of the service provided by this enterprise could have a significant impact on public order, safety, health or could have significant systemic risks.

Further, for example, professional chambers, universities or municipalities with extended powers are considered to be a regulated person.

ATTENTION, THE OBLIGATIONS MAY FALL ON AN UNREGULATED PERSON

Certain obligations according to the NIS2 directive, or the law, may also fall on a third party indirectly by providing its services to a regulated person. According to the NIS2 directive and the draft law, the regulated entity is, among other things, obliged to take measures that take into account possible risks of the supply chain, i.e. it will actually be forced to demand from its suppliers the adoption of certain measures or the assumption of contractual obligations. It can therefore be expected that the impact of the NIS2 directive, or of the Act, will be much broader, as it will in fact affect all direct (and probably also indirect) suppliers of regulated persons. Therefore, if you provide your services to a person who will be considered a regulated person, we definitely recommend not to underestimate the incoming legislation, and on the contrary, prepare for the fact that in the future you will probably have to take at least some measures aimed at minimizing cyber risks. With regard to the proposed strict sanctions for breaching the obligations of a regulated person, it is quite possible that the regulated person will not be willing to continue receiving services from its current supplier if the latter does not provide sufficient guarantees in the field of cyber security.

REGULATED PERSON IS REQUIRED TO REGISTER WITH NÚKIB

Every person who is considered a regulated person according to the law will be required to register with NÚKIB in the register of regulated service providers within 30 days from the day they become aware of their registration obligation, no later than 90 days from the date of fulfillment for registration. According to the bill, failure to register is sanctioned with a fine of up to CZK 250 million; even though the imposition of such a high fine is practically unthinkable and, especially at the beginning, one can rather assume a fine in the order of thousands of CZK, it is still necessary to reckon with the fact that a fine can be imposed. Therefore, the question of whether a specific person is considered a regulated person or not needs to be resolved ideally before the new law comes into force.

TWO MODES OF DUTIES

The draft law works with two categories of obligations, namely the so-called regime of higher obligations and regime of lower obligations. The specific regime of the regulated person will be determined by an implementing legal regulation – the NÚKIB decree. It can be said very simply, persons who have a significant position within the individual branches (whether with regard to their size or function, etc.) will be subject to the regime of higher obligations, and the remaining persons will be subject to the regime of lower obligations.

WHAT SPECIFIC MEASURES NEED TO BE TAKEN?

The scope of obligations is again determined by the NÚKIB decree. Given that the list of duties is very extensive, it is not quite possible to analyze the individual duties in more detail within this article, moreover, it is not the purpose of this article. In general, it can be said that the measures are of two types, namely organizational and technical. On the one hand, the draft law imposes obligations in relation to the management of information security and internal processes, risk management, control of supply chains, human resources security, management of cyber incidents, regular security audits, etc., and on the other hand, it also imposes obligations in relation to the protection of physical information, data and communication networks, to verify identities, manage and create passwords, use antivirus programs, record and solve cyber attacks, etc. So it's a diverse range of different responsibilities. At the same time, the draft law imposes obligations not only on the regulated person as such, but also on its top management, i.e. usually members of statutory bodies, who are, for example, obliged to regularly participate in training on cyber risks, ensure the introduction of organizational measures and regularly monitor cyber risks, analyze them and, as necessary, take the necessary measures. The correct setting and implementation of measures is therefore clearly in the interest of the members of the statutory bodies of the company.

WHAT MEASURES NEED TO BE TAKEN?

In this case, the draft law is fortunately quite accommodating, as according to it the regulated person is obliged to implement organizational and technical measures no later than 1 year from the date of delivery of the written notification to NUKIB about registration in the register of providers of regulated services. The provision of this period is certainly positive for regulated persons, however, it is still a draft law and it cannot be relied on that the law will be approved even with this period.

CONCLUSION

The NIS2 Directive and the subsequent Act on Cyber Security will bring fundamental changes, not only for persons directly doing business in regulated areas, but also for their suppliers. For all affected persons, the new regulation will of course mean the necessity to deal more with the protection of data and production facilities against cyber threats. Primarily, it will be necessary to deal with whether your company meets the conditions of a regulated person. If so, then you need to register with NÚKIB in time and start working on taking the necessary measures. This may include, in particular, an analysis of the current situation, the development and adoption of internal guidelines regulating specific procedures and the responsibility of specific persons, the provision of training for managers and employees, revision of contractual relations with business partners, etc.

If you are not sure whether you will be a regulated person according to the NIS2 directive, or of the new law on cyber security, or you do not know what obligations you will have to fulfill as a regulated person, contact us.

We are LAWYERS focusing on COMPANIES and we will gladly help you with this issue.

KEY WORDS: Directive (EU) 2022/2555 of the European Parliament and of the Council, on measures to ensure a high common level of cyber security in the Union, NIS2, NIS2 regulation, Act on Cyber Security, Amendment to the Act on Cyber Security, Amendment to the Act on Cyber Security 2024 , NÚKIB, National Office for Cyber and Information Security, registration with NÚKIB, registration of regulated service providers, regulated person, cyber security

Contact us