Read news, highlights, and expert articles related to NIS2.
Increasingly, headlines such as "Scare and invoice" are appearing on the internet. Still, the validity of the Directive does not mean that those covered by it must immediately start complying with all its obligations. The mandatory harmonisation deadline of October 2024 is likely to be noticed and there is talk of early 2025.
On 4 April 2024, the first meeting of the Legislative Council of the Government was held on the draft amendment to the Cyber Security Act. 
NIS2 (Network and Information Security 2) is a Directive of the European Parliament and of the Council on measures to ensure a high common level of cyber security in the Union. The Directive aims to extend the validity of the existing legislation to other entities by amending the existing law on cyber security.
The new NIS2 regulation brings several new obligations for more than 6 000 organisations to ensure a high common level of cyber security across the European Union. The specific obligations, i.e. organisational and technical measures, will be set out in an amendment to the existing Cyber Security Act.
The implementation of the NIS2 Directive in the context of the General Data Protection Regulation (GDPR) brings several benefits for dealing with data protection obligations in an organisation.

FAQ about NIS2

What is the NIS2 Directive?

The NIS2 Directive, Network, and Information Security 2, or the Cyber Security Directive, builds on the previous NIS Directive and deepens the cyber security legislative framework across the EU Member States.  

NIS2 aims to significantly strengthen the protection of EU companies and national infrastructures against cyber threats and to achieve a high level of common security across the Union.  

How to start implementing NIS2?

Before starting any activity that will lead the organisation to implement measures according to NIS2, it is always necessary to conduct a comprehensive information and cyber security audit to determine the state of the organisation.

A detailed audit of the existing organisational and technical cyber security measures identifies weaknesses to which organisational and technical measures should be applied and which should be implemented as a whole. This will ensure no significant constraints or delays during deployment, management, and operation.

When will NIS2 enter into force?
The NIS2 Directive entered into force on 16 January 2023. Member States are obliged to incorporate the Directive into national legislation by 18 October 2024.
When will the new law on cybersecurity come into force?

The transposition period for the "new" law on cyber security is set at 21 months.

The changes and new obligations introduced by the Act will only come into force in the Czech environment when the latest Cyber Security Act and its implementing decrees come into force. The Act is expected to be adopted in the second half of 2024.  

The new Cyber Security Act provides for a one-year transition period, i.e. until mid-2025, to give companies and organisations time to prepare for the new requirements.

Who are the obligated entities?

The "new" Cyber Security Act primarily divides obliged entities into two categories, based on the size of the company and the subject of activity.

The subjects or entities are divided into:

  • Providers of regulated services under the regime of lower obligations,  

  • Regulated service providers in the higher obligation regime,

about the critical importance of the sector/service and the level of dependence of other sectors/services on the sector.

What are the criteria for determining the size of a business?

The size of the enterprise for NIS 2 will be assessed by Commission Recommendation 2003/361/EC, which sets out the criteria for determining the size of an enterprise: 

  • micro-enterprise - has less than 10 employees and an annual turnover (amount of money raised over a certain period) or balance sheet (statement of assets and liabilities of the company) of up to EUR 2 000 000,  

  • small enterprise - has less than 50 employees and an annual turnover or balance sheet total of up to EUR 10 000 000, 

  • medium-sized enterprise - has less than 250 employees and an annual turnover of up to EUR 50 000 000 million or a balance sheet total of up to EUR 43 000 000.

Attention should also be paid in this context to the categories of so-called linked and partner enterprises.

What are the obligations of NIS2?

The primary role of the Directive is for entities to take appropriate and proportionate technical and organisational measures to manage the security risks faced by the networks and information systems they use to provide their services.

The above measures should include at least:

  • a risk analysis and an information systems security policy,

  • incident management,

  • business continuity, including backup, disaster recovery, and crisis management,

  • supply chain security, including security aspects relating to the relationship between each entity and its direct suppliers or service providers, 

  • ensuring the acquisition, development, and maintenance of network and information systems, including the disclosure of information on vulnerabilities and their resolution,

  • policies and procedures to assess the effectiveness of cyber security risk management measures,

  • basic cyber hygiene practices and cybersecurity training, 

  • policies and procedures regarding the use of cryptography and, where appropriate, encryption, 

  • human resource security, access control policies, and asset management, 

  • the use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communications, and secure emergency communications systems within the entity, as appropriate. 

Which sectors are covered by NIS2?

The NIS2 directive, or the new law on cyber security, will tentatively affect more than 6,000 private and public companies and organisations.

The law will affect 60 services in 18 sectors. For example, the energy, transport, water, banking and financial services, postal and courier services, and the food industry will be affected. In this context, the law refers to so-called regulated services.

  • Public administration 

  • Energy 

  • Manufacturing industry 

  • Food industry 

  • Chemical industry 

  • Water management 

  • Waste management 

  • Air transport 

  • Rail transport 

  • Water transport 

  • Road transport  

  • Digital infrastructure and services  

  • Financial market  

  • Healthcare  

  • Science, research, and education  

  • Postal and courier services  

How do I know that the Directive applies to my organisation?

The duty regime is determined through a process called self-identification, in which the organisation is required to assess whether or not it is complying with the duty regime.

In addition, the National Cyber and Information Security Authority (NCIS) will target the entities covered by the NIS2.

What are the penalties for non-compliance with the NIS2 Directive?

Organisations that fail to comply with the obligations of the NIS2 Directive may be subject to very high fines.

  • Under the regime of lower obligations, an organisation can be fined up to CZK 175 000 000 or 1.4% of its worldwide turnover.  

  • In the higher obligation regime, an organisation can be fined up to CZK 250 000 000 or up to 2% of its worldwide turnover.  

How to report cyber security incidents?

Cyber security event and incident reporting applies to entities subject to NIS2 obligations.

Without undue delay and in any event within 72 hours of becoming aware of the incident, the affected entity must submit an incident report, updating it as necessary.

The affected entity may be requested by the NCIB or the competent authority, as appropriate, to produce an interim report of relevant status updates.

How do I ensure the detection of cyber security events?

Reporting Cyber Security Events and Incidents applies to entities subject to NIS2 obligations about the Cyber Security Event Detection obligation

The obliged person, i.e. the entity, must use the Cyber Security Incident Detection Tool. This is called Security Information and Event Management (SIEM).

A SIEM is a system that collects, stores, and analyses security information and events from different sources to provide a unified interface for their management and analysis.

SIEM is a response to the growing need for better integration and analysis of security data in response to increasingly complex and sophisticated cyber threats. SIEM has gradually become one of the key elements of a cyber security management system.

The main functions of a SIEM include the following:

  • Data Collection and Aggregation: the SIEM collects and consolidates audit logs and other security information from various sources in the organization's network.

  • Threat detection: the SIEM analyzes the collected data to identify suspicious activities and potential security threats.

  • Alarms and Alerts: When a potential threat is detected, the system generates alerts to inform the security team of potential cyber security events and incidents.

  • Event Tracking and Analysis: The system provides tools to track and analyze cyber security events, allowing operational or security personnel to respond promptly.

  • Compliance: SIEM helps organizations comply with security standards and regulations by providing the necessary data and reports.

Materials for download 

Useful materials and documents to download
Full text of NIS2 

Nezávazná konzultace

Kontaktujte nás a domluvte si nezávaznou konzultaci

Vaše emailová adresa není ve správném formátu

Informace, které zadáte do tohoto formuláře, budeme zpracovávat za účelem zasílání obchodních sdělení a podle zásad zpracování osobních údajů.

Where can you find us?

CETIN, a.s.

Českomoravská 2510/19
Prague 190 00

View on map