Firms should not wait to see what the cybersecurity act tells them to do

Thousands of domestic companies will be affected next year by a law that will determine how they must protect themselves from cyber attacks. For companies that have so far paid little attention to their security, implementing the necessary measures could be very costly. However, the law is expected to set only a fairly minimal level of security, and in their own interest companies should be more consistent in their cyber protection than the law demands. They should commit to cyber protection for the long term; a one-off investment is not enough.

In particular, the state administration, the healthcare sector and medium-sized Czech-owned companies often wait to see the specific legislative form of the Cybersecurity Act and whether the obligation will apply to them at all. Regardless of the outcome, these entities should protect themselves against hacker attacks, and they should do so now. Without proper security, a successful cyber attack exposes them to the risk of millions of dollars in financial losses and possibly reputational damage as well.

The legal obligation will be based on the European Directive NIS2, which the Czech Republic, together with other EU Member States, has committed to adopt by 17 October this year at the latest, as part of the forthcoming law on cyber security. However, it is already clear that the law will not come into force until January 2025 at the earliest.

Its adoption will also be delayed because in early April the Legislative Council of the Government returned the draft law to the National Office for Cyber and Information Security (NUCSIS) with comments for reworking. A number of details of the draft are expected to change, but the main obligations for companies will remain unchanged and should therefore already be taken into account provisionally. Overall, the law will affect at least six thousand companies, and depending on the final parameters this may be as many as double that number.

For companies, the new obligation will first mean creating documents that set out the organisation's procedures and conduct in accordance with the new Cybersecurity Act. Expenditure in the order of hundreds of thousands of crowns is expected. The second step will be the introduction of technical security measures. If the company has no technical measures in place yet, the costs may range from the higher hundreds of thousands to single-digit millions of crowns. On top of this comes ongoing support for these technologies in the following years of their operation. Companies should be mindful of maintaining active protection, and the funding for it, over the long term. It often happens that although a company has its processes and documentation in order, actual practice lags behind, which needlessly puts the company at risk.
Once companies have their protection in place, they should test their resistance to attacks, either through external vulnerability tests or penetration tests. At the same time, companies should audit their critical systems to establish which vendors they depend on, how secure those vendors are, and what risks those vendor relationships carry.

Cyber attacks are becoming more complex and insidious, so it is essential for companies to keep up with current trends in order to protect themselves and to train their employees properly. One relatively new development is that sensitive data is no longer extracted through broad and relatively random spamming, but by targeting a specific employee. Called spear phishing, the method targets the people whose data is most valuable and sends them a tailored message to increase the likelihood of success and obtain what the attackers need.