The European Parliament and the Council have agreed on a new directive to improve cybersecurity in the EU. The NIS2 directive introduces new obligations and will affect companies that are not covered by existing rules.

The motivation is clear – the huge increase in cyber attacks on public institutions and private companies threatens the functioning of vital services, brings significant financial losses and can also endanger national security.

Cybersecurity issues affect every business and organization. Surveys have shown that many companies that faced massive data loss have not recovered from the event and have gone out of business.

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union was published on 27 December 2022 and is effective from 16 January 2023.

Member States now have 21 months to implement the measures into their law. The date from which companies will then be obliged to comply with the new Directive is yet to be determined when the amendments to the Cybersecurity Act are adopted.

The directive aims to encourage major organisations to implement preventive measures to strengthen their cybersecurity. This includes preventing threats caused by illegal activities as well as damage caused by human negligence or even natural disasters.

Will you be affected by the Directive?

NIS2 increases the number of companies and sectors that will be subject to the obligations. It is believed that this will now include more than 6,000 entities in the Czech market alone. Are you one of them?

  1. Industry. The Directive applies to a company that offers at least one service defined in the annexes of the Directive. These set out 60 services divided into 18 sectors, including electricity generation, district heating, healthcare, provision of electronic communications or cloud services, public administration, banking, waste management including waste water treatment, production of pharmaceuticals and vaccines, production of drinking water, but also transport, postal and courier services and others.
  2. Size. The obligations will fall on large and medium-sized institutions. However, in some cases, such as the provision of electronic communication services, size does not play a role and the directive will always apply to these undertakings.

But there is no need to panic, as not all companies will have the same scope of obligations. They will still be divided into essential and important regimes. The stricter essential regime will include companies providing services listed in Annex I of the Directive, as well as large companies. All others covered by the Directive will be in the lighter important regime.

There are exceptions to the table. In certain sectors, such as public administration, the size of the organisation is not relevant for inclusion in the essential scheme. States may specify other exceptions.

Not sure if the obligations will apply to your organisation? Consult our experts on this issue. We will tell you whether the directive applies to you, and help you put the measures into practice.

What topics are addressed by the Directive?

Among the areas addressed by the Directive, and therefore setting out obligations for organisations, are:

  • Incident management
  • Business continuity, backup, disaster recovery, and crisis management
  • Supply chain security
  • Security in the acquisition, development and maintenance of systems
  • Evaluating the effectiveness of security measures (audits)
  • Basic cyber hygiene and cybersecurity education
  • Use of cryptography and encryption
  • Use of multi-factor authentication and secure communication tools and other areas

What obligations and penalties are imposed by the Directive?

First and foremost, it is a comprehensive strengthening or, in some cases, introduction of cybersecurity and risk management policies. This means that businesses will have to proactively address their cybersecurity. For example, they will have to assess risks, monitor vulnerabilities for suppliers in the supply chain, use encryption, secure data backup or multi-factor authentication. Of course, training for managers and employees in cybersecurity is a must.

The obligation to report cyber threats and incidents to the state authority is also being extended.

Those who violate their obligations under the directive will face fines of:

  • €10 million or 2% of the total worldwide annual turnover of the offending company if it is in the essential regime,
  • €7 million or 1.4% of the total worldwide turnover for companies in the important regime.

Directive and the Czech Republic

The Czech Republic has a certain advantage in relation to the Directive, because a number of the rules newly imposed by the Directive are already contained in our Cyber Security Act. The implementation of the Directive should therefore not cause any major difficulties both at the legislative level and at the level of individual companies, especially those already covered by the Cyber Security Act.