The Legislative Council of the Government returns the cyber law to NÚKIB for further review and amendments

Apr 16, 2024 | Articles

The Government Legislative Council (LGC) on Thursday, 4 April 2024, returned the draft of the new Cybersecurity Act (nCSA) to the National Cyber and Information Security Bureau (NÚKIB). This article provides comprehensive information on the events that took place, their impact on Czech companies and the next steps to expect.

What happened and what is the LGC criticising?

The draft law on cybersecurity has encountered significant opposition in the Legislative Council of the Government. Virtually no part of it escaped comment, and NÚKIB will have to rework it and resubmit it to the LGC. In the meantime, deliberations are suspended.

The Council's criticism partly repeats the comments that state agencies and public entities submitted to NÚKIB, the drafter of the law, during the previous comment procedure. For example, the Act by its very nature does not create additional requirements directly, but does so through the decrees that implement the Act.

"The definition of the scope of the Act's substantive authority is largely based on implementing regulations, for which, however, the proposed Act does not provide a sufficient statutory basis and limits within which the anticipated regulations could be issued by the Authority," claims the LGC.

The supply chain security scheme also displeases the lawyers in the Government Legislative Council, who said that it "very broadly defines the powers of the authority". They therefore want the government to be involved in all decisions taken in this area.

What can we expect to see now?

The adoption of this new legislation, replacing the current Act No. 181/2014 Coll. and the related implementing Decree No. 82/2018 Coll., is likely to be postponed, with the original October deadline no longer realistic. At the same time, for every day of delay, the European Commission or the European Court of Justice may impose a fine for incomplete implementation of the Directive if legal proceedings are initiated against the Czech Republic. This has already happened several times in the past (see the Whistleblowing Act).

How is NÚKIB reacting?

According to NÚKIB, the latest developments are to be expected. This is a natural part of the legislative process, as is the announced suspension of the deliberations. It is nothing exceptional or unexpected. For new, similarly complex standards, this is a fairly common practice. "So the law is not going back to 'square one', but has instead passed another milestone and we are already working hard to incorporate all the comments. We will not comment further on the closed LGC meeting," claimed NÚKIB in its official announcement.

What do these developments mean for businesses and government organizations under NIS2?

It is clear that we have a long and perhaps complicated road ahead of us in this regard. Negotiations in the Chamber of Deputies and the Senate will continue for several more months.

However, the LGC's main criticisms were directed at the security of the supply chain and at the competences and powers of NÚKIB, or at imposing obligations only through decrees (not through the law itself). The sectoral criteria and requirements are clearly set out and there are unlikely to be major changes in this area, i.e. in cyber security management itself, including organisational and technical measures.

This most recent development gives organisations a little more time to prepare properly for the new law. They should certainly do so while the market is still relatively calm. It's important to remember that the market for security consultants in the Czech Republic is very limited, so securing them to prepare your company may become more difficult as the deadline approaches.

"A secure IT infrastructure should not just be a requirement of NIS2, but should be a key business decision. Due to a shortage of qualified security consultants, even industry leaders may only take on 10 to 15 clients per year. Securing consulting services from a reliable and reputable partner and guiding the client through the entire information security management system process can be quite challenging, as there are over 6,000 companies that will fall under NIS2," explains Michal Zedníček from Alef Nula company.

In conclusion, we can only add that despite some problems, another significant milestone in the implementation of NIS2 in the Czech legal environment has been achieved. A thorough revision of the draft legislation is necessary, but should not significantly change the demands and expectations placed on organisations. While senior management and those responsible for a secure corporate environment have been given more time, they should not slacken in their efforts, as cyber threats already exist, notwithstanding the state of the new law.

Resources:

https://www.lupa.cz/aktuality/vladni-legislativci-vratili-kyberzakon-nukibu-k-prepracovani/

https://www.linkedin.com/pulse/nis2-i-nov%C3%BD-z%C3%A1kon-o-kybernetick%C3%A9-bezpe%C4%8Dnosti-smeten-ze-pavel-do%C4%8Dkal-psncf/

https://nukib.gov.cz/cs/infoservis/aktuality/2103-legislativni-rada-vlady-jednala-o-navrhu-noveho-zakona-o-kyberneticke-bezpecnosti/
