23 September 2024
The new Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union ("NIS 2 directive") came into effect on January 16, 2023. Member states are obliged to transpose the NIS 2 directive into their national legal systems by October 17, 2024 at the latest.
The changes that the NIS2 directive brings are so fundamental that NÚKIB approached this task by preparing a completely new cybersecurity law and its regulations.
This is NÚKIB's first proposal, prepared shortly after the official publication of the NIS 2 directive. The regulatory proposals can be expected to change, both in response to public comments and in the course of the standard legislative process.
The NIS2 directive will affect more than 6,000 private and state organizations, up from the original 400.
The primary way to determine whether a private or public organization falls under the regulation of the NIS2 directive, or the future new cybersecurity law, is the simultaneous fulfillment of two criteria:
The organization provides at least one service listed in the annexes of the directive (and of the future new regulations), and at the same time is a medium or large enterprise, i.e., it employs 50 or more people, or has an annual turnover or annual balance sheet total of at least 10 million EUR (approximately 250 million CZK).
However, for some listed services, it is determined that they will fall under the NIS2 directive regulation regardless of size (e.g., DNS service providers).
Main goal of cybersecurity regulation and responsibility of management bodies
The main goal of adopting the NIS2 directive is to ensure that important organizations implement preventive steps to strengthen their cybersecurity. This requirement is represented by the obligation to implement so-called security measures.
Management bodies of the organization will not only have to approve the adopted security measures, but will also bear responsibility for them. To gain sufficient knowledge and skills in the field of cybersecurity, members of the organization's management bodies must undergo regular training.
Given the ever-increasing number of cybersecurity incidents, the rising costs they bring, and the entry into effect of the new NIS2 directive, it pays to address cybersecurity immediately.
In preparation for the new cybersecurity law, we recommend that all existing and newly obligated entities conduct a comprehensive cybersecurity audit that evaluates the organization's state from technical, organizational, and legal perspectives. Based on the audit results, targeted solutions can then be adopted in accordance with the NIS2 directive.