In 2022, the European Union adopted the NIS2 directive on common rules for compliance with cyber security, which will be implemented into Czech law in the form of a new Cyber Security Act (nZKB). Although regulations recognize that cyber attacks cannot be completely prevented, these obligations must be taken seriously and prepared for implementation. In this article, we focus on possible sanctions that threaten companies and their statutory bodies for non-compliance with the established rules according to the latest version of the draft law.
Inspection and possible financial penalty of up to 250 million crowns
The state authority that will supervise the implementation of nZKB will be the National Office for Cyber and Information Security (NÚKIB). The draft law gives the authority the authority to carry out inspections, impose corrective measures and also to assess fines in case of detected violations.
The basic penalty is a fine of up to EUR 10 million (250 million crowns) or 2 % of annual turnover (whichever is higher). But the draconian number follows directly from the joint directive and targets European or global giants. The authority should decide on fines in such a way that they are reasonable and not practically liquidating for the company. Of course, it will not only be about thousands of crowns.
A scarecrow bigger than a financial fine - loss of certification and a statute on the criminal bench
It follows from the draft law on cyber security that financial sanctions do not have to be the only sanctioning mechanism. There are two other threats; suspension of the validity of the security certification, and mainly suspension of the performance of the function for the statutory body.
According to the draft law, NÚKIB can suspend the validity of a company's European cyber security certificate, which aims to demonstrate the trustworthiness of companies and products. But the biggest "spook" can be the unusual institute of suspension of the performance of the function for a statutory body or other person. In cases of suspension, it is valid until the deficiencies are eliminated, but at least for a period of 6 months.
A company without security certification, or without an executive or other leading person, can of course be significantly paralyzed. Day-to-day management (e.g. signing contracts), but also participation in public contracts, for example, may be difficult.
Fortunately, however, these sanctions can only be imposed on subjects under the regime of so-called higher obligations. This is a smaller part of all companies and bodies to which the obligations according to NIS2/nZKB apply. The threat also applies only to situations where the company has violated its obligations in the management of the company and thwarts the elimination of deficiencies found during the inspection. It therefore does not apply to situations where there is negligence in preparing to meet cyber security requirements.
What with this? Keep calm as always.
It is important to realize that cyber security is not just an unnecessary legal regulation. In the times we live in, protection against cyber threats is as important, if not more important, than physical protection. A simple attack can cripple a company financially, reputationally and operationally, and thus bring great losses. Active cyber security management must therefore become an essential part of every medium and larger company. But the good news is that companies have a number of subsidy programs available that can be used to increase cyber security.
"...currently, the subsidy programs to support cyber security are prepared more than CZK 8 billion for public and private entities and at the same time we are recording record interest in help in the preparation of subsidy projects from our clients from the entire public sector. In this case, the state behaved extremely strategically when setting up the programs..."
Jiří Pavlíček, Managing partner, enovation s.r.o
Second, as always, proper communication with the authorities is important. The Czech office is one of the most active in the EU and tries to facilitate implementation as much as possible. If the audited entity provides cooperation and proves that it has made some efforts to ensure cyber security, NÚKIB will certainly look more lenient on any identified deficiencies.
The project of implementing the new rules according to NIS2 can seem demanding and even unmanageable for companies that will be affected by cyber security. However, this should not dissuade companies from starting the preparations, moreover, there are a number of experienced suppliers available on the market who can guide companies through the implementation. And their use can greatly speed up the process and even reduce costs. "NIS2 and nZKB bring a whole range of responsibilities. It would certainly be extremely costly to fulfill all of them. But not all companies have to address all the listed requirements. A properly conducted audit and analysis can determine only those obligations that are really necessary for a specific company," adds Tomáš Pauch, attorney from AK eLegal and member of the independent information and advisory platform Alliance NIS2 READY. With regard to the number of new mandatory entities, however, implementation should not be delayed, as the number of experts in this field is limited in our territory and a significant increase in demand can be expected in 2024, and there is also a threat of a lack of capacity.
