Cyber security law: news, obligations and suggestions for 2024
Published 26 February 2024 (Axevera)
On 22 February, Camic held a webinar on the highly topical subject of cyber security. Speaker Hana Gawlasová, head of the digital legal department at Deloitte Legal, presented the new legal provisions concerning companies’ obligations to protect data through a proactive approach to cyber security, regulations that reflect the evolving digital environment.

Recent cyber security provisions are contained in NIS2 (the European Network and Information System Security Directive), which came into force on 16 January 2023. These regulations are dedicated to the essential entities and subjects on which the national economy is based, expanding both the number of subjects covered and the obligations to which they are subject. The main objectives that drove the new provision are:
The recent changes stem from the need to address the growing number of cyber-attacks. According to EU data, the main threats are ransomware attacks (an estimated 60% of affected organisations pay the ransom demanded), privacy breaches and supply chain incidents.

In order for an entity to fall within the scope of the regulation, its activity must be expressly stated in the regulation. A further requirement is that the company must have a turnover of more than 250 million and more than 250 employees. If both of these conditions are met, the entity automatically becomes regulated.

The identified entities are then divided into two categories:
This distinction entails different obligations and penalties. For the former, regulatory requirements are stricter: continuous preventive control and more pronounced and significant intervention in their operation are required (up to and including the imposition of a ban on performance). For the latter, control is reactive and exercised only in the event of problems, so public authorities have fewer powers against such entities.

The regulation requires member states to introduce appropriate technical, operational and organisational measures in processes concerning: incident management, internal policies, supply chains, network security, human resources and business continuity.

In addition to these obligations, member states must ensure that key entities notify their CSIRT (Computer Security Incident Response Team) or another competent entity, such as NÚKIB (National Office for Information and Computer Security), of any incident that significantly affects the provision of their services.

An incident is considered significant if it has caused or may cause serious operational disruption of services or financial loss to the entity concerned, or has caused or may cause significant material or immaterial damage to other natural or legal persons. The incident reporting process requires the implementation of several obligations:

In this regard, personnel must be well trained and repeatedly updated on the adopted processes to enable better communication on incidents through the use of appropriate technological systems.
Supervision will be carried out by NÚKIB, which will have different powers depending on whether the entity is basic or important. According to the GDPR (General Data Protection Regulation), in case of security incidents the competent authorities are obliged to cooperate with the national supervisory authorities. These are responsible for:
– control and supervision, i.e. requesting access to premises or data;
– security checks, carried out by an independent body or by the competent authority;
– issuing breach notices, publishing warnings and publishing instructions on how to act;
– verifying the relevant facts based on the type of breach, its severity, duration, previous breaches, subjects involved, amount of damage and measures taken.
Sanctions can reach quite high amounts, up to several billion euros depending on turnover. They may be imposed in addition to other coercive measures: adoption of binding instructions, orders to implement recommendations following a security audit, or orders to warn customers of the vulnerability of their services. Sanctions are distinguished according to the person to whom they apply.

Until 17/1/2025, Member States have to provide for a certain level of administrative pecuniary sanctions for basic entities of a maximum amount of at least EUR 10 million or 2% of the worldwide total annual turnover in the preceding business year, whichever is higher. For large entities, on the other hand, the maximum fine may be at least EUR 7 million or at least 1.4% of the worldwide total annual turnover in the preceding business year, whichever is higher.

Being a European directive, states have until 17 October 2024 to transpose it. In December 2023, the Czech Republic, together with the authority NÚKIB, published the draft law in the Official Journal. From publication in the Journal to the effective date of the law, companies have six months to adopt the necessary changes to their structure. To support this, the regulatory authority has provided an application in which it is possible to enter data, turnover, number of employees and sector of activity in order to preliminarily assess whether the entity will be regulated or not.

It is evident that the NIS2 directive will have a significant impact on companies, both in terms of implementing new security measures and in terms of increased operational costs. However, this reform was designed with the aim of strengthening cyber security strategies, especially considering the increase in verified cyber-attacks. Adapting to these new regulations and investing in the necessary infrastructure and processes therefore becomes a priority for companies operating in this context.
Sources: https://www.camic.cz/it/