23. 10. 2024
Cybersecurity Shake-Up: Is Your Company Ready for the New Rules?
The Czech government intends to introduce a new cybersecurity law in times of increasing digital threats and an evolving cybersecurity landscape. It transposes the European Union’s NIS2 Directive, which aims to establish a high common level of cybersecurity across the EU. Vulnerabilities in critical infrastructure are addressed, ensuring a more unified approach to cybersecurity across member states.
Existing regulations are significantly updated, expanding their scope to cover more entities, including medium and large-sized companies. Reporting requirements are tightened and stricter security measures to protect national infrastructure are introduced. The law aims to increase the resilience of essential services, mitigate cyber risks, and improve cooperation between private entities and the state. It aligns with broader EU goals of building a secure and unified digital market by ensuring that critical sectors are well-protected against cyber threats.
It is important to note that this is currently only a government bill prepared in collaboration with the National Cyber and Information Security Agency (NÚKIB). As the bill is still to be debated in the Parliament, it may be subject to amendments or revisions before final approval.
The bill is expected to take effect from 1 January 2025, so companies should follow the legislative process to anticipate changes that may affect their obligations under the new law. Here are the highlights of the proposed changes:
Designation as a Regulated Service Provider
Companies whose services are deemed critical for social or economic functions may be classified as regulated service providers by the National Cyber and Information Security Agency (NÚKIB). This includes sectors such as energy, manufacturing, finance, healthcare, and digital infrastructure. Once classified, these companies must meet strict cybersecurity standards and will be subject to regular audits. They are also required to register with NÚKIB within 60 days of meeting the conditions for designation.
Implementation of Security Measures
The law mandates that companies classified as regulated service providers implement both organizational and technical security measures. These include risk management, access control, identity verification, and incident detection systems. For companies with higher responsibilities, stricter requirements will apply, including the establishment of a formal information security management system and continuity planning.
Incident Reporting
Companies are required to report any significant cybersecurity incidents to NÚKIB. These incidents must be reported within 24 hours of discovery, and additional updates must follow within 72 hours. Final incident reports must be submitted within 30 days.
Supply Chain Security
Another critical aspect is supply chain security. Companies must assess the cybersecurity risks associated with their suppliers and ensure that these risks are managed through appropriate contractual agreements.
Penalties for Non-Compliance
Failure to comply with the new cybersecurity requirements can result in substantial financial penalties. The maximum fine for serious violations is set at CZK 10 million, which is substantially lower than the maximum under the NIS2 Directive. Violations that trigger fines include failing to implement adequate security measures, not reporting incidents in a timely manner, and not cooperating with the regulatory authorities during inspections.
Additionally, the law allows for other punitive measures such as public disclosures of non-compliance, which could harm a company’s reputation.
Preparing for the New Regulations
Companies should begin preparing for the new regulatory landscape by conducting a thorough review of their cybersecurity policies and incident response protocols. The proposed law represents a shift towards more proactive cybersecurity management, particularly in sectors critical to national infrastructure. Failing to meet these new obligations may not only result in financial penalties but also disrupt operations and damage reputation.
Companies should consider working closely with their legal counsel to ensure compliance with the new requirements. This includes registering services with NÚKIB if necessary, implementing the mandated security measures, and ensuring that cybersecurity risks are addressed in all contractual arrangements with suppliers.
In summary, the new law emphasizes the growing importance of cybersecurity and places significant responsibilities on companies in key sectors. Management teams must ensure that their companies are ready to meet these new challenges to avoid penalties and ensure the security of their operations.
By Mgr. Radek Werich