Are you affected by NIS2 and cybersecurity rules?

Bohuslav Lichnovský 16.02.2023

The NIS2 directive and the new draft law on cybersecurity, recently published by the NCIS, bring major changes to the field of cybersecurity. A number of updated obligations await the affected organisations and their statutory bodies. But the crucial question is: who are the affected organisations? NIS2 will significantly increase the number of entities covered by the legislation. And it is going to be quite a mess. So how can you find out if the new rules will affect you?

Here is a three step guide:

Who is affected by NIS2?

Step no. 1 - how large is your organisation?

If you already have to comply with cybersecurity obligations, there is a 99% chance that you will continue to be regulated.

However, if you haven't dealt with cybersecurity before and you operate in the EU, start by looking to see if you fall under the definition of an obliged entity under NIS2.

Are you a medium or large enterprise or the sole provider of a service in an EU country?

If not, you can probably breathe a sigh of relief. If yes, continue with the second step. ✅

Step no. 2 - what business are you in?

The second step is to determine whether you are carrying out a relevant activity under NIS2.

Be alert if you are in the energy sector, including mining and distribution, or in:

  • transport,
  • finance,
  • healthcare,
  • water industry,
  • provision of digital services (electronic communications, cloud computing services, data centres, online marketplaces, social networks, search engines),
  • parcel delivery,
  • waste management,
  • production and distribution of chemicals,
  • food production and distribution,
  • manufacture of medical devices, computers, machinery, electrical equipment or transport equipment or research.

Have you found yourself in any of these industries? Go to step three. ✅

Step no. 3

In the third step, refer to Annexes I and II of NIS2, which will give you a specific indication of whether your business will be regulated or not. This step is the most time-consuming.

The annexes contain many references to other NACE sectoral regulations and catalogues, so a proper assessment can take a couple of hours. Depending on the specifics of the enterprise and its business, you will then fall into the regime of:

  • lesser obligations, or
  • greater obligations.

Don't want to stress about whether the sectoral regulations will affect you? Do not hesitate to turn to us.

Does NIS2 affect you? What to do next?

If you have found yourself in all three steps, you should address the requirements of national cybersecurity regulation in member states. These may extend the applicability of NIS2, or they may impose a greater obligation regime for a particular activity, even if NIS2 would otherwise only require a lesser obligation regime.

And how is it in the Czech Republic? Let's take a look at our national requirements.

National cyber security requirements

In the Czech Republic, the new law on cybersecurity (as currently proposed by the NCIS) has a slightly broader impact than NIS2. Moreover, it imposes stricter obligations than the NIS2 directive on a number of entities. In terms of identifying the obliged person, the regulation is essentially the same.

However, there are differences in the definition of the regulated service. What are they?

It explicitly extends the scope to the military industry.

You think the military industry does not concern you at all? The military industry also includes the production and distribution of dual-use goods. Under the European regulation, this can be anything, including software and technology, that can be used for both civilian and military purposes.

A licence is required for the export of specific dual-use goods listed in Annex I of that regulation; it then applies, for example, to:

  • composite materials,
  • protective clothing,
  • production equipment,
  • metal alloys,
  • chemicals,
  • computers (components included),
  • telecommunications and navigation equipment, etc.

The time you will spend analysing whether the regulation affects you will usually be several times greater than for NIS2. Moreover, the new draft law is also intended to apply to dual-use goods not listed in the Annex, i.e. anything that can be used for military purposes. With some exaggeration, you could say that even collections of Christmas carols are potentially subject to regulation if you intend to torture people within earshot with them. 🙃

Our recommendation? Focus on the NIS2 specifications. The law and decrees are of course in the legislative process, so we hope that the production and distribution of dual-use goods will either fall out of the scope of regulation or at least be limited to those goods specifically defined in the Annex to the European Dual-Use Regulation. So if you are potentially producing dual-use goods, including cans of beans, keep a close eye on further legislative developments.

Multiple companies?

If you conclude that NIS2 will impact you, the simplest, but by no means easiest, approach is to bring all companies and processes in the group under the required level of cybersecurity. However, if NIS2 impacts a minority of your companies or processes, this approach does not make sense from an efficiency perspective.

Consider therefore whether to ensure an appropriate level of cybersecurity according to NIS2 only for those entities carrying out regulated activities. If only the production of goods and not their distribution is subject to regulation, or if the activity is regulated only in some of the states in which you operate, consider implementing a level of cybersecurity only for the processes associated with that regulated activity.

Regulators at the Czech and European level are so far favourable to this approach, albeit with the caveat that the NIS2 and the current draft law may not allow for such a thing and the obligations would always fall on the company as a whole, even if the regulated activity would be absolutely minor.

A cheaper and more certain way is to separate the regulated activity into a separate entity.

If you want to know what specific obligations will apply to you, please do not hesitate to contact us.

By when do you have to meet your NIS2 obligations?

Don't panic. The deadline for the law to be adopted is mid-October 2024, but we certainly recommend that you make an informed check now to see whether NIS2 and the current version of the new law will apply to you: in many cases you can already be sure of this.

If you are certain to be hit by the new regulation, don't panic, but do start project planning and a strategy for NIS2 implementation. Implementing security measures, updating your assets (especially hardware and software) and acquiring new ones will take some time, and there is no point in acquiring non-compliant assets in the interim. Changes related to the organisational or corporate separation of regulated activities will take even longer.

If you are not sure that you will be regulated (typically for the dual-use goods mentioned above), monitor national legislative processes.

And even if you are not affected by regulation, always keep cybersecurity in your business in mind.

The year-on-year increase in cyber-attacks in 2022 was 38% and the average global damage from a cyber incident was €4.35 million. So even if you won't have to comply strictly with legal obligations, it's certainly worth making cybersecurity one of your main themes for the coming years.

Are you looking for a partner to manage the implementation of NIS2 and related regulations in your organisation? Drop us a line.

Bohuslav Lichnovský and Tomáš Kasalický.
