NIS 2 and the Cybersecurity Act

Strengthening cyber security in Europe.

At a time of growing digital dependence and increasing cyber threats, the European Union revised the Network and Information Security Directive, giving rise to the NIS2 Directive.

This Directive, which must become part of national legislation across the European Union by October 2024 at the latest, brings new rules and requirements for companies and organisations.

What is NIS2?

The NIS2 Directive was created as the European Union's response to the deepening digitalisation of society and the related growth of cyber threats in the European space. It builds on the existing Network and Information Security (NIS) framework adopted in 2016.

NIS2 significantly expands the scope of the current legislation and presents a new approach to strengthening and securing European cyberspace.

The Czech Republic has a distinct advantage over some Member States, as it already has an implemented and well-developed Cyber Security Act (CSA).

  • 17th October 2027
    • Every 36 months, the Commission will review the functioning of Directive NIS2.
  • 17th April 2025
    • Member states will create a list of essential and important entities.
  • 18th October 2024
    • Directive NIS2 is immediately repealed.
  • 17th October 2024
    • Expected deadline for transposing Directive NIS2 into national law.
  • 28th November 2022
    • Directive NIS2 adopted.
  • 16th December 2020
    • Directive NIS2 proposed by the European Commission.
  • 9th May 2018
    • Deadline for transposing Directive NIS1 into the national law of EU member states.
  • 6th July 2016
    • Adoption of Directive NIS1.

What is the Cybersecurity Act?

The purpose of the Act on Cyber Security (ZKB) No. 181/2014 Coll. is mainly to increase the security of cyberspace and to protect that part of the infrastructure whose disruption would cause damage or endanger the interests of the Czech Republic.

The changes introduced by the NIS2 Directive are substantial and will also affect companies that have not been subject to the existing regulations. The NCIS has therefore taken on this task by preparing a completely new law on cyber security together with its implementing decrees, which are expected to be approved in 2024.

What is the purpose of the NIS2 Directive?

The aim of NIS2 is to harmonise and strengthen Member States' cyber security across sectors and key EU businesses.

It brings stricter standards for handling cyber and information security, and incident reporting requirements, for the medium and large organisations that form the backbone of society. Any disruption to these organisations can have serious consequences throughout the internal market, including significant economic and public health impacts. Maintaining the security of their networks and information systems is therefore essential for the normal functioning of society and the economy.

Who is covered by the Directive?

NIS2 applies to undertakings that provide the services listed in Annexes I and II of the Directive within the European Union. Under the new rules, the entities concerned are supervised primarily by the Member State in which they are established. Where an entity has establishments in more than one Member State, it falls under the jurisdiction of all the Member States concerned, and those States should act in a coordinated manner, in particular where joint supervisory measures are necessary.

The Directive generally applies to medium-sized and large organisations, i.e. entities with 50 or more employees and an annual turnover of more than EUR 10 million (approx. CZK 250 million).

The number of services and sectors covered is significantly expanded compared to the older NIS Directive. Some 60 services in 18 sectors are divided into two categories:

  • Highly critical sectors
  • Other critical sectors

Organisations will be categorised as 'essential' or 'important' based on factors such as size and level of criticality.

It is estimated that more than 6,000 businesses in the Czech Republic will fall within scope.

Exceptions

Micro and small enterprises are generally not affected by this Directive. However, there are some exceptions where the size and turnover thresholds are disregarded:

  • the nature of the entity's activities is critical;
  • the organisation is the sole provider of the service in question in a Member State;
  • a disruption of the service provided by the entity could lead to a significant risk with a cross-border impact.

NIS2 focuses on the entire supply chain. The new Directive will also affect organisations that are not essential entities themselves, but which trade with essential entities. As a result, small suppliers may also be affected by the obligations under NIS2.

Overlap with the Digital Operational Resilience Act (DORA)

To ensure harmonised implementation, the European Commission has issued Guidelines clarifying when entities to which sector-specific legal acts apply are exempt from the NIS2 Directive. These Guidelines explicitly state that DORA takes priority over the NIS2 provisions on ICT risk management, cyber incident reporting, digital operational resilience testing, information sharing, ICT third-party risk, supervision and enforcement.

DORA incorporates a "lex specialis" provision granting it priority over the NIS2 Directive, which is considered the general law. This ensures that where the two acts conflict or overlap, DORA takes precedence, avoiding confusion and ambiguity in the regulatory landscape.

How does NIS2 affect your organisation?

If you are affected by NIS2, you must put in place appropriate technical, operational and organisational measures to manage risks and to prevent or minimise the impact of incidents affecting the systems that support socially critical services.

Overall, the organisation must put in place effective procedures for risk management, incident management, vendor management and engagement with senior management.

These measures must be based on a risk-based approach aimed at protecting the network and information systems, as well as the physical environment of these systems, from incidents, and must include at least the following:

  • Incident handling
  • Business continuity
  • Supply chain security
  • Vulnerability handling and disclosure
  • Cryptography
  • Human resources security, access control policies and asset management
  • Security in network and information systems acquisition, development and maintenance
  • Policies on risk analysis and information system security
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training

What are the consequences of non-compliance with NIS2?

The entities concerned can expect the competent national authorities to carry out supervision through audits, on-the-spot checks and requests for evidence of compliance with NIS2. Essential entities will be subject to proactive supervision, while important entities will be subject to follow-up supervision in the event of an incident.

If an entity fails to comply with the NIS2 requirements, the authorities may impose administrative fines, with essential entities facing a maximum fine of up to EUR 10 million or at least 2% of their total worldwide annual turnover for the previous financial year.

Important entities can be fined up to EUR 7 million or at least 1.4% of their total worldwide annual turnover for the previous financial year.

In addition, management may be held personally liable for deficiencies. Penalties may take the form of a temporary ban on exercising managerial functions or a temporary suspension of services.

However, the main concern for companies should not be the fines and penalties, but the risk that the company is actually attacked, with a direct negative impact on its business.

How can BDO help you?

Our cybersecurity experts can not only help you achieve NIS2 compliance, but also enable you to leverage this situation to strengthen your overall security and resilience.

Are you unsure how prepared you are for the new NIS2 requirements, and where you will need to invest in measures to meet them? Then a GAP analysis is the right place to start.

The primary objective of a GAP analysis is to assess your existing processes, applications and staff capacity against the requirements set by NIS2. Through workshops and an assessment of existing documentation, our experts will determine your cybersecurity posture and identify weaknesses and opportunities for improvement. Our approach is based on many years of practice and on experience from inspections carried out by the NKIB.

How such a GAP analysis works in practice:

  1. Our experts assess the security documentation and its level of compliance with the requirements set out in the NIS2.

  2. At follow-up workshops, we present the initial findings and compare them against how your company's cybersecurity is managed in practice.

  3. We produce a final GAP analysis that reflects the current state of your cybersecurity against the NIS2 requirements.

The GAP analysis identifies the areas where compliance with NIS2 requirements still needs to be achieved. The next step is to draw up an implementation plan for the identified measures, with clearly defined deadlines and responsible persons. To ensure that implementation runs smoothly and everything is completed within 1 year (the implementation deadline set by the Cybersecurity Act), we can provide expert consultation or technical supervision. Our team of experts can help you, for example, in the following areas:

  • Company cyber risk management; 

  • Third party risk management; 

  • Security incident reporting and threat analysis; 

  • Vulnerability scanning or penetration testing; 

  • Cybersecurity awareness raising, training, or social engineering tests;

  • Business Continuity Plan (BCP) testing. 

The goal is not to generate high costs that do not bring the expected effect, but to prepare cost-effective solutions that help you maximise security and protect your assets. Thanks to our many years of practical experience across various industries, we are able to propose optimal and practical solutions.

Make sure you have security under control and meet the regulatory requirements imposed by NIS2 or the Cybersecurity Act. Through a compliance audit, you gain a comprehensive and independent view of your company's cybersecurity posture.

Based on the results of the compliance audit, you will be able to identify weaknesses in the system and take appropriate process, organisational and technical measures to reduce the risk of a security incident; these measures can also make your processes more efficient. It is also advisable to conduct similar reviews at regular intervals (at least once a year) or whenever there are major changes in the management system (e.g. switching to a different information system), so that the setup continues to meet regulatory requirements and your business continues to operate safely.

In the first phase, it is advisable to focus on a compliance audit to determine the level of compliance with regulatory requirements and the weaknesses in the security system. After implementing the recommendations from this audit, you should then focus on the technical areas of analysis, e.g. vulnerability testing and penetration testing. Last but not least, you will need to focus on audits of your vendors, i.e. third-party assessment.

How can a cybersecurity-focused audit help you?

  • Identifying your company's risk areas; 
  • Assessing threats and vulnerabilities; 
  • Assessing the status and suggesting appropriate actions. 

The Cybersecurity Act places a strong emphasis on establishing and staffing the roles that ensure and verify the setup of a cybersecurity management system in an organisation. We can help you meet these requirements: outsource the security roles and put your security in the hands of experts.

Cybersecurity management system roles:

  • Cybersecurity Manager: the person responsible for the information security management system. The cybersecurity manager regularly reports to senior management on the activities within his or her scope of responsibility and on the status of the information security management system.
  • Cybersecurity Architect: the person responsible for designing the implementation of security measures, i.e. for ensuring a secure information and communication system architecture, from infrastructure-level to application-level security.
  • Cybersecurity Auditor: the person conducting the cybersecurity audit. The cybersecurity auditor performs this role impartially, and its performance is kept separate from the performance of other security roles.

We provide outsourcing of these roles. What cooperation with our experts brings you:

  • Flexible communication tailored to your needs, and solutions to your current problems.

  • Independence and expertise. Our experts advise you on the most suitable solution and implementation method, drawing on the necessary insight and practical experience.

  • You do not have to deal with cover for absences, investment in training or the availability of an employee, saving on the company's personnel costs.

  • Our team of experts covers the complete cybersecurity landscape, resulting in more effective planning and coordination of the organisation's security measures.

  • Collaboration with the supervisory authority for reporting security incidents. 

  • We regularly monitor compliance with legislation. 

  • Raising awareness of cyber security and current risks to the company. 

The NIS2 Directive and the subsequent law on cybersecurity follow the trend identified by ENISA (the European Union Agency for Cybersecurity), which has published its top 10 cyber threats for 2030, with supply chain compromise in first place. It is therefore evident that in future it will not be enough to monitor the level of cybersecurity within one's own organisation alone; it is already necessary to focus on the suppliers the company works with.

The biggest change under the new regulation, as already mentioned, is therefore the obligation to manage the entire supply chain. This obligation will apply to entities in the higher compliance regime, and only to supplies to specified parts of major and critical infrastructure. So how can you prepare for this new obligation? Our experts can help:

  • Preparing a methodology for selecting significant suppliers;

  • Identifying suppliers at risk;

  • Assessing their cyber security posture;

  • Setting the minimum thresholds required to meet the "secure supplier" category;

  • Regular evaluation of suppliers;

  • Independent third-party audits based on international standards (SOC 2, SOC for Cybersecurity).
