How NIS2 can help you improve your cyber security

The essence of cyber security

Cybersecurity is a hot topic and will continue to be. Just as we know the principles of occupational health and safety (OHS) and fire protection (FP), so too should our knowledge of cyber security.

Cybersecurity today is no longer just about firewalls and antivirus, but also about setting up processes, rules and responding to current threats. It's not just about IT, but also about the behaviour of employees and suppliers. So we all have a responsibility for data securitynot only in the context of work, but also in private life.

What is NIS2 

NIS2 Directive (more precisely Directive of the European Parliament and of the Council on measures to ensure a high common level of cybersecurity) is there to lay the foundations of cybersecurity for a wider range of organisations than NIS1, and thus enhance the cybersecurity of EU Member States. It is intended to do this in particular by:

• Deepening cooperation between the EU and the national supervisory authority, which in our case is the National Cyber and Information Security Authority (NCIS),
• giving more powers to the supervisory authority (in the form of issuing warnings, taking action or carrying out audits of organisations),
• by adopting a national cybersecurity strategy,
• by increasing fines for non-compliance,
• expanding regulated services - i.e. increasing the number of organisations that will be subject to the obligations (estimated 6-12 thousand entities),
• introducing security measures for regulated services.

The requirements of the NIS2 Directive are nothing new in the field of cyber security. If your organisation was covered by the Cybersecurity Act or you have an information security management system in place, you are likely to find the news minimal. However, if cybersecurity is new to your organization, then yes, you will need to make a greater effort to comply with the new obligations. But there's no need to panic.

How much time do we have to implement NIS2

It's important to note that the NIS2 Directive itself does not directly impose any obligations on organisations. Although it came into force on 16 January 2023, it also states that Member States have 21 months to incorporate the requirements of the Directive into their local legislation. This is therefore a different situation to that of, for example, the DORA regulation, which we wrote about here.

The amendment should be published within the mentioned period Cybersecurity Actwhich is likely to allow some time for the fulfilment of obligations. On a timeline, it would look like this:

From this depiction, one could conclude that there is plenty of time and cybersecurity is not something that needs to be addressed. The opposite is true. Cybersecurity should not be underestimated, even in the light of what is happening in the world. It should not be underestimated by responsible organisations. deal with them continuously and do not wait for new legislation.

What the new draft Cybersecurity Act says 

In the second half of January this year, the NICB has already elaborated the requirements of the NIS2 Directive and issued draft of the new Cybersecurity Act and its decrees. So we know that some obligations will be even stricter than required by the NIS Directive2. In general terms, organisations will have to:

• identify whether they are covered by the Act (unless determined by the NUCIB itself),
• register for the NCIB Portal,
• determine the scope of cyber security management,
• report cyber security incidents,
• inform customers about incidents and threats,
• implement countermeasures to reduce risks,
• manage the supply chain,
• implement organisational and technical security measures.

How to find out what specifically will have to according to NIS2, your organisation must meet

The first thing to do is to look into draft decree on regulated servicesif it lists the service you provide. If so, you have met the first criterion for identification.

The second criterion is the size of your organisation. If you are a large or medium-sized enterprise, you will be subject to the obligations. However, beware - some small businesses providing this service may also fall under the new law.

Also, if you are a micro or small enterprise and your parent organisation is abroad, the number of employees is added up. So you need to look at this carefully and identify if your organisation's service is listed in the decree.

You can use this overview page, which was prepared by NUCIB on the topic of NIS2.

Like the NIS2 Directive, the new draft law divides regulated services into two groups. The Directive provides for a division into Essential a Important, which did not sound understandable when translated into Czech. Therefore, the draft of the new law and its decrees provides forby dividing it into higher and lower obligation regimes. It imposes obligations on organisations to put in place the following organisational and security measures:

There are several differences between the two modes. They differ in some measures and in the way they are implemented. An example is the security roles (persons with different responsibilities to deal with cybersecurity), where the higher regime describes four roles and the lower regime only two.

There is also a difference in the potential fines for non-compliance: for the higher regime, the fine is set at up to €10 million or 2 % of worldwide annual turnover. For the lower regime, the fine is set at up to €7 million or 1.4 % of worldwide annual turnover. These are therefore not low amounts.

What to do with NIS2 information? 

I understand the views and concerns expressed in the introduction to this article. They are usually based on the expectation of additional work and additional expenditure, the return on which will not be quick (perhaps more likely none).

However, it is important to note that all security measures that will be mandatory (and which are also based on international information security management standards and best practices over a number of years) have only one goal: Protect your organisation's data and business, and therefore your customers.

Cyber incidents are on the rise, and no organisation can guarantee that the next one won't be perpetrated against it - no matter how interesting we think we are to cyber criminals. So address cyber security nowregardless of the legislation - either on your own or with professional help. Above all, keep your data safe, whether on local servers or in the cloud.