Are you ready for NIS2?
You have probably already heard about the European NIS2 Directive on cyber security. What you may not know is that the deadline for transposing it into the Czech legal system passed on 17 October 2024. Although the Czech Republic missed this deadline, the new Act on Cybersecurity that transposes the directive is expected to come into force in mid-2025, so companies will be obliged to comply with the new rules during this year. What does this mean for you, and what needs to be addressed? We have the answers.
Important questions and answers in one place
Are Czech companies ready?
Unfortunately, the answer is not very positive. According to a survey by EY Czech Republic, only 2% of Czech companies would currently meet the requirements of the NIS2 Directive. Many companies either do not address the directive at all or believe that it does not apply to them. Low awareness is a further problem: 72% of respondents to a recent survey said they had not heard of NIS2. Underestimating the preparation needed for the new legislation can have serious consequences for a company.
What is NIS2?
NIS2 (Network and Information Security 2) is the updated European directive on cyber security in EU Member States. Its aim is to make organisations more resilient to cyber attacks and to harmonise the level of security across Europe. Compared with the original NIS Directive it expands the range of entities covered and introduces stricter requirements for the security of network and information systems. Failure to comply carries heavy penalties, intended to push companies towards a proactive approach to cyber security.
What requirements will need to be met?
The NIS2 Directive sets out obligations in several key areas and backs them with penalties:
- Risk management: regular assessment and management of cyber risks, with the company's management body responsible for approving and overseeing the measures.
- Security measures: implementation of technical and organisational measures to protect network and information systems, covering areas such as incident handling, business continuity and backups, access control, cryptography and multi-factor authentication.
- Incident reporting: obligation to report significant cyber incidents to the relevant authorities within specified deadlines; the directive sets an early warning within 24 hours, an incident notification within 72 hours and a final report within one month of the notification.
- Supply chains: ensuring security throughout the supply chain, including the security of relationships with direct suppliers and service providers.
- Penalties: non-compliance is punishable by fines of up to €10 million or 2% of the company's total worldwide annual turnover, whichever is higher, for essential entities (up to €7 million or 1.4% for important entities).
How many companies are affected?
In the Czech Republic, it is estimated that approximately 6,000 entities will be affected by NIS2, including organisations in critical sectors such as energy, transport, healthcare, finance and digital infrastructure. Many of these companies have not yet taken the measures needed to comply with the new requirements. Failure to comply with the directive can lead not only to financial penalties, but also to reputational damage and a loss of trust among customers and business partners.
What should companies do?
- Inform yourself: familiarise yourself with the requirements of the NIS2 Directive and the Czech transposing law, and determine whether, and in which category (essential or important entity), they apply to you.
- Conduct a risk analysis: assess the current state of cyber security in the company, identify vulnerabilities and prioritise them by the risk they pose.
- Implement measures: put in place the technical and organisational measures needed to strengthen security, and set up a process for detecting and reporting incidents within the required deadlines.
- Train staff: ensure that employees are informed of the new procedures and rules; the directive also requires members of the management body to undergo cyber security training.
- Monitor and update: Continuously monitor the state of cybersecurity and adapt measures to current threats.
Preparing for the NIS2 Directive should be a priority for companies, both to avoid potential sanctions and to ensure the continuity of their business in the digital environment.