Blog - cetin.cz
FAQ about NIS2
The NIS2 Directive (Network and Information Security 2), also referred to as the Cyber Security Directive, builds on the previous NIS Directive and deepens the cyber security legislative framework across the EU Member States.
NIS2 aims to significantly strengthen the protection of EU companies and national infrastructures against cyber threats and to achieve a high level of common security across the Union.
Before starting any activity aimed at implementing measures under NIS2, the organisation should always first conduct a comprehensive information and cyber security audit to establish its current state.
A detailed audit of the existing organisational and technical cyber security measures identifies the weaknesses that the new organisational and technical measures must address, so that they can be implemented as a coherent whole. This avoids significant constraints or delays during deployment, management, and operation.
The transposition period for the "new" law on cyber security is set at 21 months.
The changes and new obligations introduced by the Act will only come into force in the Czech environment when the latest Cyber Security Act and its implementing decrees come into force. The Act is expected to be adopted in the second half of 2024.
The new Cyber Security Act provides for a one-year transition period, i.e. until mid-2025, to give companies and organisations time to prepare for the new requirements.
The "new" Cyber Security Act primarily divides obliged entities into two categories, based on the size of the company and the subject of activity.
The entities are divided into:
providers of regulated services under the regime of lower obligations,
providers of regulated services under the regime of higher obligations,
depending on the critical importance of the sector or service and on the degree to which other sectors and services depend on it.
The size of the enterprise for NIS2 purposes is assessed according to Commission Recommendation 2003/361/EC, which sets out the criteria for determining the size of an enterprise:
micro-enterprise - has fewer than 10 employees and an annual turnover (revenue over a given period) or balance sheet total (statement of the company's assets and liabilities) of up to EUR 2 000 000,
small enterprise - has fewer than 50 employees and an annual turnover or balance sheet total of up to EUR 10 000 000,
medium-sized enterprise - has fewer than 250 employees and an annual turnover of up to EUR 50 000 000 or a balance sheet total of up to EUR 43 000 000.
Attention should also be paid in this context to the categories of so-called linked and partner enterprises.
The primary role of the Directive is for entities to take appropriate and proportionate technical and organisational measures to manage the security risks faced by the networks and information systems they use to provide their services.
The above measures should include at least:
a risk analysis and an information systems security policy,
incident management,
business continuity, including backup, disaster recovery, and crisis management,
supply chain security, including security aspects relating to the relationship between each entity and its direct suppliers or service providers,
security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure,
policies and procedures to assess the effectiveness of cyber security risk management measures,
basic cyber hygiene practices and cybersecurity training,
policies and procedures regarding the use of cryptography and, where appropriate, encryption,
human resource security, access control policies, and asset management,
the use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communications, and secure emergency communications systems within the entity, as appropriate.
The NIS2 Directive, i.e. the new Cyber Security Act, is expected to affect more than 6,000 private and public companies and organisations.
The law will affect 60 services in 18 sectors. For example, the energy, transport, water, banking and financial services, postal and courier services, and the food industry will be affected. In this context, the law refers to so-called regulated services.
Public administration
Energy
Manufacturing industry
Food industry
Chemical industry
Water management
Waste management
Air transport
Rail transport
Water transport
Road transport
Digital infrastructure and services
Financial market
Healthcare
Science, research, and education
Postal and courier services
The duty regime is determined through a process called self-identification, in which the organisation is required to assess whether, and under which regime, it falls within the scope of the Act.
In addition, the National Cyber and Information Security Authority (NCIS) will itself identify entities covered by NIS2.
Organisations that fail to comply with the obligations of the NIS2 Directive may be subject to very high fines.
Under the regime of lower obligations, an organisation can be fined up to CZK 175 000 000 or 1.4% of its worldwide turnover.
In the higher obligation regime, an organisation can be fined up to CZK 250 000 000 or up to 2% of its worldwide turnover.
Cyber security event and incident reporting applies to entities subject to NIS2 obligations.
Without undue delay and in any event within 72 hours of becoming aware of the incident, the affected entity must submit an incident report, updating it as necessary.
The affected entity may be requested by the National Cyber and Information Security Authority or the competent authority, as appropriate, to produce an interim report with relevant status updates.
The obligation to detect cyber security events likewise applies to entities subject to NIS2 obligations, and event and incident reporting builds on that detection.
The obliged entity must therefore operate a tool for detecting cyber security incidents, typically a Security Information and Event Management (SIEM) system.
A SIEM is a system that collects, stores, and analyses security information and events from different sources to provide a unified interface for their management and analysis.
SIEM emerged from the growing need to integrate and analyse security data centrally as cyber threats became more complex and sophisticated, and it has gradually become one of the key elements of a cyber security management system.
The main functions of a SIEM include the following:
Data collection and aggregation: the SIEM collects and consolidates audit logs and other security information from various sources in the organisation's network.
Threat detection: the SIEM analyses the collected data to identify suspicious activities and potential security threats.
Alarms and alerts: when a potential threat is detected, the system generates alerts to inform the security team of potential cyber security events and incidents.
Event tracking and analysis: the system provides tools to track and analyse cyber security events, allowing operational or security personnel to respond promptly.
Compliance: the SIEM helps organisations comply with security standards and regulations by providing the necessary data and reports.
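As an added illustration of the SIEM functions listed above (collection and aggregation, detection, alerting) together with the 72-hour reporting deadline from the incident-reporting answer, the following Python example is not from the original page: the two log formats, the brute-force rule, its threshold and window, and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data): an SSH auth log and a VPN gateway log.
AUTH_LOG = """\
2024-09-02T08:00:01Z sshd[811]: Failed password for admin from 203.0.113.7
2024-09-02T08:00:04Z sshd[811]: Failed password for admin from 203.0.113.7
2024-09-02T08:00:09Z sshd[811]: Failed password for root from 203.0.113.7
2024-09-02T08:01:00Z sshd[811]: Accepted password for alice from 198.51.100.5
"""
VPN_LOG = """\
2024-09-02T08:00:06Z vpn: auth-fail user=admin src=203.0.113.7
2024-09-02T08:00:11Z vpn: auth-fail user=admin src=203.0.113.7
"""

# Per-source parsers map raw lines onto one common event schema (collection/aggregation).
PARSERS = {
    "sshd": re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"),
    "vpn": re.compile(r"^(?P<ts>\S+) vpn: (?P<res>auth-fail|auth-ok) user=(?P<user>\S+) src=(?P<src>\S+)$"),
}
FAILED = {"Failed", "auth-fail"}

def collect(sources):
    """Normalise raw lines from several sources into events sorted by time."""
    events = []
    for name, text in sources.items():
        for line in text.splitlines():
            m = PARSERS[name].match(line)
            if m:  # unparseable lines are dropped here; a real SIEM would count them
                events.append({"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                               "source": name, "user": m["user"], "src": m["src"],
                               "failed": m["res"] in FAILED})
    return sorted(events, key=lambda e: e["ts"])

def detect_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Rule (assumed): >= threshold failed logins from one source IP, across all sources, inside window."""
    alerts, seen = [], defaultdict(list)
    for e in filter(lambda x: x["failed"], events):
        q = seen[e["src"]]
        q.append(e["ts"])
        q[:] = [t for t in q if e["ts"] - t <= window]  # slide the window forward
        if len(q) >= threshold:
            alerts.append({"src": e["src"], "count": len(q), "detected": e["ts"],
                           "report_by": e["ts"] + timedelta(hours=72)})  # NIS2 72 h reporting deadline
            q.clear()  # one alert per burst, not one per additional failure
    return alerts
```

The alert's "detected" timestamp is the moment the entity becomes aware of the incident, which is what the 72-hour reporting clock is measured from.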