Cyber security law: news, obligations and suggestions for 2024

On 22 February, Camic held a webinar on the highly topical subject of cyber security. The speaker, Hana Gawlasová, head of the digital legal department at Deloitte Legal, presented the new legal provisions that require companies to protect their data and services through a proactive approach to cyber security, rules that reflect the evolving digital environment.

Introduction to the NIS2 directive

The recent cyber security provisions are contained in the NIS2 directive (Directive (EU) 2022/2555, the revised EU Network and Information Security Directive), which entered into force on 16 January 2023. The directive targets the entities on which the national economy depends and, compared with the original NIS directive, both widens the range of entities covered and increases the obligations placed on them. The main objectives behind the new provisions are to:

  • raise the level of cyber security in key sectors such as banking, healthcare, energy and transport;
  • set minimum security standards for the digital environment comparable to those that already apply to physical premises;
  • strengthen the protection of personal data;
  • improve cooperation between Member States and between authorities and regulated entities.

The changes stem from the need to address the growing number of cyber-attacks. According to EU data, the main threats are ransomware (with an estimated 60% of affected organisations paying the ransom demanded), data breaches and supply chain attacks.

Which organisations are regulated

For an entity to fall within the scope of the directive, its sector or type of activity must be expressly listed in the directive's annexes. In addition, the entity must generally be at least a medium-sized enterprise under the EU definition, i.e. it has 50 or more employees, or an annual turnover and balance sheet total above EUR 10 million. If both conditions (listed activity and size) are met, the entity automatically becomes regulated. A limited set of entities, for example providers of DNS services or of public electronic communications networks, are covered regardless of their size.

The identified entities are then divided into two categories:

  • essential entities: mainly large enterprises in the sectors of high criticality, such as transport, energy, banking, health, drinking water and digital infrastructure;
  • important entities: other regulated entities, for example in postal and courier services, waste management, chemical production and processing, food and digital service providers.

The distinction determines which obligations and penalties apply. Essential entities are subject to stricter, proactive (ex ante) supervision: continuous preventive oversight and more intrusive powers over their operation, up to and including the temporary suspension of an authorisation or of the responsible managers' functions. Important entities are supervised reactively (ex post), i.e. only when there is evidence or an indication of a problem, and the public authorities have fewer powers against them.

Obligation to implement security measures and incident reporting

The directive requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures, and Member States must ensure that they do so. The measures cover, among other things: risk analysis and internal security policies, incident handling, business continuity and crisis management, supply chain security, network and information system security (including vulnerability handling), human resources security and access control, staff training and cyber hygiene, and the use of cryptography and multi-factor authentication where appropriate.

In addition, Member States must ensure that essential and important entities notify their national CSIRT (Computer Security Incident Response Team) or, where applicable, the competent authority, which in the Czech Republic is NÚKIB (the National Cyber and Information Security Agency), of any incident that has a significant impact on the provision of their services.

An incident is considered significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The incident reporting process involves several staged obligations:

  1. Early warning to the CSIRT or competent authority without undue delay and in any event within 24 hours of becoming aware of the significant incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact;
  2. Incident notification within 72 hours of becoming aware of the incident, updating the early warning with an initial assessment of its severity and impact and, where available, indicators of compromise;
  3. Upon request by the CSIRT or, where applicable, by the competent authority (NÚKIB), intermediate reports on relevant status updates;
  4. Final report no later than one month after the incident notification, including a detailed description of the incident, its severity and impact, the type of threat or root cause that is likely to have triggered it, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still being handled at that point, a progress report is submitted instead and the final report follows within one month of the incident being resolved.

Staff must therefore be trained, and regularly refreshed, on these processes so that incidents can be reported accurately and within the deadlines, using appropriate tooling for detection and communication.

Monitoring compliance and sanctions

Supervision will be carried out by NÚKIB, whose powers differ depending on whether the entity is essential or important. Where a security incident also involves a personal data breach under the GDPR (General Data Protection Regulation), the competent authorities must cooperate with the data protection supervisory authorities. The competent authorities' powers include:
– control and supervision, including on-site inspections and requests for access to premises, data and information;
– security audits, carried out either by an independent body or by the competent authority itself;
– issuing warnings, binding instructions and orders, including orders to inform the persons affected and to make aspects of non-compliance public;
– when deciding on enforcement, taking into account the nature, gravity and duration of the infringement, any previous infringements, the entities involved, the damage caused and the measures taken to mitigate it.

Fines can be very large, since their upper limit scales with the entity's worldwide turnover. They may be imposed in addition to other enforcement measures: binding instructions, orders to implement the recommendations of a security audit, or orders to inform customers about the threat affecting the services they use. The maximum fines differ according to the category of entity.

From the transposition deadline, Member States must ensure that essential entities can be fined up to a maximum of at least EUR 10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities, the maximum fine must be at least EUR 7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.

Conclusions

Being a European directive, NIS2 must be transposed into national law, and Member States have until 17 October 2024 to do so. In December 2023, the Czech Republic, through NÚKIB, published the draft of the new cyber security act. From publication of the act in the Czech Collection of Laws (Sbírka zákonů) to its effective date, companies have six months to make the necessary changes to their structure and processes. To support this, NÚKIB has provided an online self-assessment application in which an entity can enter its turnover, number of employees and sector of activity to get a preliminary indication of whether it will be regulated.

The NIS2 directive will clearly have a significant impact on companies, both in the new security measures they must implement and in increased operational costs. It should be kept in mind, however, that the reform was designed to strengthen cyber security strategies in the face of a rising number of recorded cyber-attacks. Adapting to the new rules, and investing in the necessary infrastructure and processes, therefore becomes a priority for companies operating in this context.

Sources: https://www.camic.cz/it/
