Thousands of companies will be required to invest in their cybersecurity

Medium and large enterprises in particular should be alert to the emerging law on cybersecurity. In fact, they may now fall under its regulation. The purpose of the law is to improve the resilience of digital infrastructure against increasing cyberattacks across the European Union. Indeed, the emerging law, which is expected to come into force in mid-2024, is based on the European NIS2 Directive, which obliges entities within the EU to ensure the security of their networks and information systems.

In December 2022, the European Parliament approved the NIS2 Directive, which sets minimum requirements for cyber security and obliges EU entities to ensure the security of their networks and information systems. The directive aims to improve the resilience of digital infrastructure against cyberattacks and to ensure that EU actors are prepared for and able to respond to such attacks.

The transposition of the NIS2 Directive includes the adoption and implementation of the New Cybersecurity Law, which is expected to come into force in mid-2024.

The emerging law on cybersecurity, which is already undergoing a comment process, brings together the existing fragmented regulation of several types of obliged persons into one - regulated service providers. Providers are further regulated under the Decree on Regulated Services. The latter divides them into lower and higher regime providers according to how they fulfil their legal obligations.  

The new criterion for regulated services is the size of the organisation. The number of obligated persons is expanding dramatically from an estimated 400 organisations to an estimated 6,000. Thus, organisations listed in the Annex to the Regulated Services Ordinance with a medium or large enterprise size will have to comply with the requirements of the Act. It is also important to mention that the rule on the aggregation of the size of enterprises has been modified. If a small company is part of a holding company, it can suddenly become large. The draft Czech law draws certain entities into the regulation according to the service they provide, regardless of their size. The law thus fulfils the mandatory requirements of the Directive but is further specified. This effectively means that if, by the nature of NIS2, your organisation was not covered by the regulation, it is possible that it will be drawn into the Czech law.

In practice, for businesses this will mean, among other things, implementing a range of cybersecurity management and security measures, reporting cybersecurity incidents and informing their customers, implementing countermeasures, introducing a supply chain security management mechanism (in the case of providers in a higher obligation regime) or subjecting inspections to inspectors or a supervisory authority.

If the identification criteria are met, the organisation will carry out the assessment and subsequent registration itself, and if the designation criteria are met, the National Office for Cybersecurity (NUCS) will conduct the administrative procedure for designation.

If companies fail to comply with their legal obligations, they can be fined up to CZK 230 million.


We will help you

If your company has gone through the self-identification process and you already know that the amendment to the Cybersecurity Act will affect your business, you can contact us to help you with the process. We have strengthened our team and are ready to offer assistance to our clients to achieve compliance with the Act. Everything will be based on an initial comparative GAP analysis where we will determine your business's current situation in the light of the amended law. We are also available to consult on the implementation of proposed changes to bring your organisation into compliance and avoid the hefty fines resulting from the regulation.