Strengthening cybersecurity: new law to tighten rules for Czech companies
The bill submitted by the National Cyber and Information Security Agency (NCISA) sets new obligations in cyber security arising from the NIS 2 Directive. A conservative estimate is that the number of entities affected by the new obligations will rise from about 400 to at least 6,000.
Although the Cyber Security Act already exists in the Czech Republic, following the adoption of the NIS 2 Directive, the NCISA decided to prepare a new law rather than amending the existing one. They chose a somewhat unusual approach: first, in January this year, they published the bill on their website and invited the public to comment. They received over a thousand comments and considered more than half. Only afterwards, the NCISA released the modified bill into the regular legislative process.
Who will be affected by the regulation?
The main objective of the law is to increase the resilience of Czech companies and entities to cyber-attacks, ideally to prevent situations such as those we witnessed during COVID, when a cyber-attack significantly restricted the operations of a Brno hospital. The regulation will apply to companies and entities active in sectors critical to the functioning of society. These include, e.g., energy, manufacturing, chemical and food industries, water and waste management, transport, financial markets, and healthcare. The regulation will mainly affect large and medium-sized enterprises operating in these sectors. However, smaller enterprises should also pay attention to the new law as the criteria determining whether an entity is subject to the regulation (total number of employees and annual turnover) will be calculated on figures that include related enterprises.
New obligations for regulated entities
If an enterprise meets the criteria of a regulated entity, it will first have to register with NCISA. The law also stipulates the duty of obliged entities to implement technical and organisational security measures. The extent of the measures that an entity must comply with will depend on whether it falls under a higher or lower obligations regime.
Obliged entities subject to the higher obligation regime will have to report all cyber-attacks, while entities subject to the lower obligation regime will have to notify NCISA of all attacks with a significant impact on the provision of regulated services. One of the most discussed measures is the proposed obligation of selected entities to check the security of their suppliers.
Threat of heavy sanctions
For breaches of certain obligations, the law stipulates a fine of up to CZK 250 million or 2% of an entity’s net global annual turnover. The bill also envisages a new sanction – suspension of the performance of executive functions. This reflects the requirement of the NIS 2 Directive to increase the responsibility of the senior management of entities under higher obligations to ensure cybersecurity.
Recommended steps
The law should be effective from October 2024. Due to the complexity of the issue, it is advisable to start preparing now. The first step should be to assess whether your company is at all subject to the new regulation. Our team will be happy to help you with the assessment, and with the preparation for and implementation of the new regulation, if relevant.