Lukáš Kintr, Director of the National Office for Cyber and Information Security (NÚKIB), and Adam Kučínský, Director of the Department of Regulation, announced this. NÚKIB wants to start a public debate about the changes, which is why it has launched a new website, nis2.nukib.cz.
“The biggest change brought by the new cyber regulation is the expansion of the number of obliged persons. We expect around 6,000 of them; that means about 6,000 organizations will be required to deal with cyber security and implement certain security measures,” said Kučínský.
According to him, the new measures are aimed at increasing resilience in the field of cyber security. The directive deepens the regulations already in force. Affected companies will have to implement preventive measures to avoid security incidents as far as possible. If incidents do happen, companies must have procedures in place to handle them, i.e. a plan for getting the organization back up and running. The directive also addresses supply chain security as well as the obligation to conduct an internal audit of implemented measures.
Until now, about 400 entities have been obliged to comply with cyber regulations; according to estimates, there will now be about fifteen times that number. The reason is that the number of industries covered by the regulation is expanding threefold. Organizations that have at least 50 employees in the given sector or achieve an annual turnover of at least ten million euros (about 245 million crowns) will have to comply with the directive.
Penalties increase significantly. In extreme cases, a fine can reach up to ten million euros or two percent of the company’s global annual turnover. Organizations can also have their licenses suspended, and natural persons can be prohibited from performing the function of statutory representative. According to Kintr, NÚKIB’s goal is not to impose sanctions that would put organizations out of business.
NÚKIB will be in charge of the inspections
In the Czech Republic, NÚKIB will be in charge of inspections, which will mean an increase in work for the office. NÚKIB wants to prepare a proposal for a solution to handle the situation.
“We are aware that the change is quite substantial. On the other hand, many organizations are already dealing with cyber security voluntarily because it is simply necessary,” said Director Kintr. He added that the office will try to help organizations as much as possible and make it easier for them to fulfill their obligations.
According to NÚKIB representatives, the content of the directive has already been adopted within the EU, and lawyers are now working on the final text. It is expected to take effect between October and December. Member States then have 21 months to transpose it into their legislation. NÚKIB expects that the approval of the amendment to the cyber law in the Czech Republic will take about 15 months, so the office will have about half a year to prepare its wording. That is why it wants to start an expert public debate on how the text should look. At the same time, NÚKIB wants to use the planned change to revise the law on cyber security, which, according to its executives, has become less clear due to a number of amendments.