The European NIS2 directive imposes a number of obligations on firms to better protect their cyber security. These include, among others, various reporting requirements. So what will you have to record and report, to what extent and to whom?
New rules for companies under NIS2 should be in force in the Czech Republic from October. It is already clear that the Cybersecurity Act, which transposes these obligations into Czech law, will not be adopted by that deadline. But there has been some progress.
The bill is finally in the Chamber of Deputies after a complicated comment procedure. It could be approved at the beginning of next year and then companies will have a full year to comply with the new obligations.
Important obligations include notification and reporting of various facts.
What you need to report
As you already know from our blog, the key step is to register yourself as an obligated entity. This means that you have to determine for yourself whether the law will apply to you, and if it does, you have to register with the NCIB.
Read on to find out how to do this.
Next, you need to send the following to the office:
- Contact details of the specific persons acting for the company in the area covered by the Act, or of a designated cybersecurity liaison officer. This must be done within 30 days of confirmation of registration.
- Information about the owners of the company, within 30 days of confirmation of registration.
- Technical information relating to the regulated service (that’s your activity that brings you under the Cybersecurity Act).
- The territory in which you operate, or whether you provide services across borders; all of this also within 30 days of confirmation of registration.
- You also need to inform them of any changes to this information; in this case you have 14 days to do so after the change has been made. The exception is changes to contact persons that are entered in the public registers.
- It is also necessary to report changes in your activities that may lead to a change of regime. For example, if you grow from a medium-sized business to a large one and come under the stricter essential regime, or if you take on a business in an industry where the activity falls under the essential regime regardless of size. You must report such a change within 60 days.
- And if NÚKIB directs you to take any action to resolve an incident that is imminent or already in progress, to improve protection as a precaution or as a result of a resolved incident (called reactive countermeasures), you must inform the agency that you have complied with its direction and implemented the action.
Cybersecurity incident reporting
Of course, the reporting of cyber incidents deserves special attention.
What’s being reported:
- Cyber incidents of a specified scope that are intentional. This means that if it is confirmed within 24 hours that the incident was caused by, for example, negligence or unintentional error, you do not have to report it. It should therefore be some form of deliberate attack.
- Companies in a stricter regime report all such intentional incidents.
- Companies in the lighter regime only report intentional incidents that have a significant impact on the service or activity they provide.
- However, you can voluntarily report all incidents as well as threats and vulnerabilities.
- Exceptions are companies operating in the digital infrastructure sector (e.g. operators of DNS servers, cloud services, data centres, online marketplaces or search engines, etc.). They must report all incidents with a significant impact on the service they provide, regardless of whether the incident was intentional.
To whom and where you report:
- Companies in the stricter regime report directly to the NCIB.
- Companies in the lighter regime report to the National Cyber Security Incident, Event and Threat Coordination and Management Team (National CERT).
- There will be a single point for reporting, namely the NCIB Portal.
How to proceed:
- If you assess that this is a reportable incident, then you must submit an initial report within 24 hours of the incident occurring. This will include your identifying information, basic details of the cybersecurity incident, whether you believe it was caused by unlawful interference, and whether it could have an international impact.
- If the incident has a significant impact, after 72 hours you must supplement this with: an update of the information from the initial report, an initial assessment of the incident and its impact, and the indicators of compromise.
- You must also submit interim reports on the management of the incident, if requested by the competent authority.
Finally, you must submit a final report within 30 days of the incident occurring (or, if the incident lasted longer, of its resolution).
Are you confused about the many responsibilities coming your way? Do you have no idea to what extent you already meet the requirements of the law and where you still have gaps? Don’t leave the answers to the last minute. Contact us and we’ll be happy to explain the ins and outs of the Cybersecurity Act and the NIS2 Directive. We will audit your security, suggest – and if you wish, implement – the necessary measures. Just contact us.