The State Of Cybersecurity Regulation In The Czech Republic: NIS 2 Transposition Underway, Deadline 17 October 2024

Schoenherr Attorneys at Law

The NIS2 directive[1] is a landmark piece of European cybersecurity legislation, significantly impacting the cybersecurity practices and responsibilities of European businesses and organisations.

While the Czech Republic has been a pioneer in cybersecurity regulation with its own dedicated law, to align with the NIS2 requirements, national legislators decided to enact a completely new Act on Cybersecurity (the "Act"). This Act is currently in an advanced stage of the legislative process and should enter into force in the second half of this year.

To assist you, we have prepared this summary of the Act's main features, as well as the current timeline for its adoption.

DORA
Another important piece of European cybersecurity legislation is the Digital Operational Resilience Act (DORA), which introduces a harmonised framework for the oversight and supervision of ICT risk management by financial institutions and ICT third-party service providers. We will provide more details on the scope and implications of DORA in a separate overview.

What are the main changes introduced by the Act?

Expanded scope

In contrast to the current regulatory framework, the new Act will substantially broaden the scope of the law to cover new sectors and expand the existing ones. As a result, it is estimated that the number of regulated entities, referred to as regulated providers under the Act, will increase significantly, from currently around 300 Czech entities to up to 10,000 new ones, mainly from large and medium-sized enterprises.

The regulated providers will have to follow a new (self-)identification procedure with the supervisory authority (National Cyber and Information Security Agency - NCISA). Depending on their size and turnover, they will be classified as either essential or important providers, which will determine the applicable regulatory regime and the extent of their obligations.

Obligations

The Act will further build on the existing Czech rules and NIS2, and impose on regulated providers the following core obligations around which the specific rules are structured:

  1. registration with and data reporting to NCISA;
  2. implementation and enforcement of security measures;
  3. reporting of cybersecurity incidents;
  4. implementation of countermeasures; and
  5. determining the scope of cybersecurity management.

In addition, the Act will increase management accountability and impose a revamped requirement for the training of responsible persons and employees in the field of cybersecurity or the establishment of compulsory new roles within the organisation, such as cybersecurity architect or manager. Lastly, the Act will introduce new requirements for supply chain security, requiring regulated entities to implement and adopt adequate and proportionate technical, organisational and legal measures.

As is common with high-impact EU regulation transposition, the Act will introduce higher and new forms of sanctions, including GDPR-like fines based on a percentage of global turnover. Furthermore, given the EU-wide high priority of cybersecurity regulation, the NCISA is expected to conduct rigorous inspections. Its significantly increased powers will include the authorisation to conduct dawn raids.

Regulated sectors include, among others:

  • energy: electricity, oil, gas, hydrogen;
  • transport: air, rail, water, road;
  • banking;
  • financial market infrastructure;
  • ICT service management;
  • space;
  • manufacture, production and distribution of chemicals;
  • production, processing and distribution of food;
  • manufacturing: medical devices, in vitro diagnostic devices, computers, electronic and optical products, electrical equipment, machinery, vehicles;
  • digital providers;
  • research.

What should every company do now?

The specific obligations under the Act are expected to roll out in 2025, but we recommend that every Czech company stay abreast of the legal developments. Even before the Act comes into force, a preliminary assessment can be done to determine whether the company will be affected by the new rules and to what degree.

The Act will entail substantial obligations, and compliance will demand considerable time and resources. Therefore, we advise allocating sufficient resources and obtaining technical and legal advisory support in a timely manner.

Footnote

1. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union.
