We have summarized for you the current status of a frequently discussed topic.
When does it take effect and who is affected?
The NIS2 Directive gives rise to an updated form of the Cybersecurity Act. It has been a long road and we are currently about halfway through its legislative journey. The comment period closed on July 19 and we are currently responding to submissions. Its effective date is scheduled for October 2024.
To keep up-to-date on the status, we recommend monitoring the ODok Portal of the CCA’s information system, specifically the VeKLEP materials located in the Public Electronic Library of Legislative Processes. The progress of the cyber law should therefore not be underestimated and should be monitored so that all affected processes in society can be adjusted in a timely manner.
Regulation under NIS2 to increase data protection will affect medium and large businesses in both the private and public spheres. Which group you fall into is assessed by the number of employees and the annual turnover of the business (more here). However, it doesn’t stop there! The changes and rules will also affect suppliers and subcontractors.
We have to take appropriate measures to manage security risks, not only from a technical perspective, but also from an operational and organisational perspective. Their adequacy will be assessed, taking into account the level of exposure to risk, the likelihood of occurrence and the severity of incidents, including the social and economic impact. Of course, a risk analysis is necessary before obligations can be set; together with data protection measures, it is the cornerstone of the obligations under the NIS2 Directive and the Cyber Law.
Freely available information
- Draft law on cyber security
- Bill amending certain laws in connection with the adoption of the Cybersecurity Act
Areas of responsibility in the overview
- risk analysis and information systems security policy
- security incident management
- business continuity including backup and disaster recovery management and crisis management
- supply chain security
- ensuring the acquisition, development and maintenance of networks and information systems, including vulnerability disclosure and resolution
- policies and procedures for evaluating the effectiveness of security measures (i.e. auditing)
- basic cyber hygiene practices and cybersecurity education
- policies and procedures regarding the use of cryptography, including encryption where appropriate
- human resources security, access and asset management
- use of multi-factor identity authentication, secure communication tools and emergency communication tools
The duties are further differentiated according to whether the service falls under the essential or important regime, and broken down into technical and organisational measures. The whole area is regulated by §15 of the draft new cyber law and the implementing decree.
A huge emphasis is placed on education and training, which follows from the responsibility of the actors in obliged organisations for implementing security measures to reduce risks. At Faster CZ, we have already established our own CERT team, which is professionally trained both organisationally and technically and passes on overall cyber awareness to other employees. In addition, the team is registered as a so-called verified vendor according to international FASTER-CSIRT (CZ) standards.
In practice, this means that we have met the necessary criteria for registering our corporate security team to coordinate and escalate cyber security incidents at national and European level. Among other things, the establishment of a CSIRT team, including the procedure for its approval and international registration, is one of the ISP’s obligations under NIS2.
Our expert team is therefore far from fulfilling only an internal role.
What is surprising about NIS2?
In particular, for organisations falling under the higher obligation (essential) regime, the measures will also affect subcontractors through the requirement to manage their suppliers. In order to ensure the security and quality of supplier relationships, it will be necessary to set up proper processes for selecting suppliers based on trustworthiness, to regularly assess the status of their cybersecurity measures against established security requirements (preferably also covering OOU, i.e. personal data protection), and to ensure sound contractual arrangements.
We asked Radim Ševčík, MBA, our cyber specialist at Faster CZ, for his opinion: “Both the European regulator and NÚKIB are attaching increasing importance to the safety of suppliers. This is due not only to the increased frequency of attacks through the supply chain, but also to increasing dependencies in the supply chain itself. The Czech security community is calling for a rational grasp of the obligation to actively manage cybersecurity in the selection of its suppliers. For major suppliers under the so-called higher obligation regime, the pending NIS2 settlement sets out additional obligations, including requirements for the content of the supplier contract, evaluation of the supplier’s implemented security measures and follow-on risks, contract review, and regular monitoring of the supplier’s measures.
A completely new feature is the incorporation of the NÚKIB assessment into the significant contractor selection processes, where the subject of the assessment will be the contractor’s country of operation criteria, the contractor’s criminal activity, economic activity, the actions of the contractor’s representatives, and other areas described in more detail in the Contractor Risk Criteria Decree.
Only the practical implementation of NIS2 in companies and entities with so-called lower obligations will show how significantly the standard will affect the behaviour of almost 6,000 companies in relation to their suppliers. In practice, the NIS2 national regulation is designed to put the brakes on the domino effect of the spread of cyber threats through suppliers and assumes that companies will actively pursue security initiatives with their key suppliers to prevent both real threats and the potential application of financial penalties of up to €10,000,000 or 2% of net turnover for the most recently completed financial year.”
Preparation saves not only time
From our own experience, we recommend that you do not delay your preparations. While October 2024 may still seem far away, if you are just starting out in cybersecurity, you may not have enough time to put all the measures into practice.
Do not hesitate to reach out to the Faster CZ team, who will be happy to help you with cybersecurity coverage.
Data protection is a fundamental goal of all IT security measures.