An estimated 7,000 Czech companies and state institutions will have to comply with the new, stricter EU cybersecurity directive NIS2. However, many businesses and authorities are not ready for the changes, warned experts from the NIS2READY alliance, which was presented today. According to the alliance, the entities concerned tend to have deficiencies in areas such as risk analysis and network segmentation. At the same time, they will have to monitor the cyber security of their suppliers as well. Non-compliance with NIS2 carries the threat of fines running into millions and penalties for top management.
NIS2 will affect almost all sectors of the economy to varying degrees. It imposes obligations on up to 17 times more organizations than were regulated by the previous NIS1 directive.
All affected entities will need to prepare detailed risk analyses and monitor cyber security in their supply chain as well. Among other things, regular training of employees, rapid reporting of incidents and sharing of security reports at company, state and European level will be required. Another important innovation is the obligation to use the European certification system for cyber security products.
Public administration will have to improve cyber security at the municipal level as well. Failure to comply with the NIS2 rules will result in fines of up to hundreds of millions of CZK and a ban on acting as a statutory representative.
The Alliance will also help with subsidies
The Alliance was created to raise awareness of the severity of NIS2 and help with adaptation. Due to NIS2, NÚKIB is finalizing the new law on cyber security, which is to enter into force within the next year.
The alliance includes both technical and legal experts, as only the cooperation of both groups will ensure compliance with NIS2. At the same time, the Alliance will also help by procuring subsidy support for the necessary investments in strengthening cyber security that NIS2 will require.
"The Cybersecurity Readiness Index research we conducted among 27,000 professionals from 21 countries shows that 82 % of companies expect to face cyber attacks in the next two years. However, only 15 % of them consider the level of cyber security in their businesses and firms to be strong enough to deal with these threats. At the same time, companies can ensure the basic protection of the ICT infrastructure at the same price as if they bought each employee one coffee per month in a global chain of cafes," said Michal Stachník, CEO of Cisco's Czech branch.
"NIS2 will be comparable in many ways to the revolutionary GDPR regulation, by which the EU tightened the protection of personal data across the board. Similar to GDPR, NIS2 also talks about the responsibility of the top management, so future hiccups can no longer be blamed only on the security manager. Therefore, it is better to start preparing for NIS2 now. Enlightened companies are already working out gap analyses of what they have to catch up on," pointed out Tomáš Kudělka, head of KPMG's technology team.
Cyber attacks are on the rise
Last year, the police and NÚKIB registered an almost twofold increase in the number of cybercriminal activities compared to the year before. Hackers have been successful, for example, in attacks on the Directorate of Roads and Highways, on hospitals and on the Ministry of Foreign Affairs. A number of private companies also proved to be vulnerable, but they tend not to publicize the incidents so as not to damage their reputation.
"Up to 70 % of domestic organizations have a problem with cyber security. In particular, small and medium-sized enterprises often do not observe even basic security measures. For example, user identity management, software and hardware updates, network segmentation, perimeter protection, endpoint security, and central log management are neglected," summarized Petr Kocmich, cyber security specialist at Soitron.
The newly established NIS2READY platform, consisting of selected technology and consulting companies and law firms, offers organizations comprehensive professional support in the implementation of NIS2. In addition to experts from Cisco, KPMG and Soitron, the alliance also includes representatives of ALEF NULA, enovation and eLegal. At the beginning of next year, the alliance is preparing three educational and discussion seminars, also with the aim of combating misleading interpretations (more on the website www.nis2ready.cz).
NIS2 (Directive on Network and Information Security) was approved last December at the end of the Czech Presidency of the Council of the EU. NÚKIB wants to submit the new law on cyber security to the government at the beginning of next year.