Prague – Thousands of Czech companies will have to fulfill new cyber security obligations from around the middle of 2024. This is provided for by the European Union's NIS2 directive, the final text of which should be known in the coming months. The Czech Republic will then have 21 months to introduce it into its legislation. It will concern not only organizations that already have to secure their computer systems, but also many other entities. They will face heavy fines for failing to fulfill their obligations. The director of the National Office for Cyber and Information Security (NÚKIB), Lukáš Kintr, and the director of the regulation department, Adam Kučínský, told journalists this today. NÚKIB wants to start a public debate about the changes, which is why it has launched a new website, nis2.nukib.cz.
“The biggest change brought about by the new cyber regulation is the expansion of the number of obliged persons. We expect around 6,000 of them, that means about 6,000 organizations will have to deal with cyber security and implement certain security measures,” Kučínský told ČTK.
According to him, the new measures are aimed at increasing resilience in the field of cyber security. The directive deepens the regulations already in force. Affected companies will have to implement preventive measures to avoid security incidents as much as possible. If incidents do happen, companies must have procedures in place to handle them, i.e. a plan for how to get the organization back up and running. The directive also addresses supply chain security and the obligation to conduct an internal audit of implemented measures.
Until now, about 400 entities have been obliged to comply with cyber regulations; according to estimates, there will now be about fifteen times that number. The reason is that the number of industries covered by the regulation is expanding threefold. Organizations that have at least 50 employees in the given sector or achieve an annual turnover of at least ten million euros (about 245 million crowns) will have to comply with the directive.
The penalties increase significantly. In extreme cases, a fine can reach up to ten million euros or two percent of the company's global annual turnover. Organizations can also have their licenses suspended, and natural persons can be prohibited from performing the function of statutory representative. According to Kintr, NÚKIB's goal is not to resort to liquidation sanctions.
In the Czech Republic, NÚKIB will be in charge of inspections, which will mean an increase in work for the office. NÚKIB wants to prepare a proposal for a solution to handle the situation.
“We are aware that the change is quite substantial. On the other hand, many organizations are now dealing with cyber security voluntarily, because it is simply necessary,” said director Kintr. He added that the office will try to help organizations as much as possible and make it easier for them to fulfill their obligations.
According to NÚKIB representatives, the content of the directive has already been adopted within the EU, and lawyers are now working on the final text. It is expected to take effect between October and December. Member States then have 21 months to introduce it into their legislation. NÚKIB expects that the approval of the amendment to the cyber law in the Czech Republic will take about 15 months, so the office will have about half a year to prepare its wording. That is why it wants to start an expert public debate on how the text should look. At the same time, NÚKIB wants to use the planned change to revise the law on cyber security, which, according to its executives, has become less clear due to a number of amendments.