The EU directive (NIS2, Directive (EU) 2022/2555) was published in the Official Journal on 27 December 2022, entered into force on 16 January 2023 and is now being transposed into Czech law. The Czech implementing act is expected to be approved in mid-October and to take effect by the end of 2024. NIS2 is a significant extension of the original NIS Directive from 2016: it will affect up to 6,000 Czech organisations instead of the original roughly 400, and meeting its requirements will not be easy.
What exactly is it?
The full text of the Directive (Directive (EU) 2022/2555) is available in English on EUR-Lex.
In short, EU Member States are obliged to identify all entities that provide essential services, and these entities must then implement defined measures to prevent cyber attacks. The aim is to unify national strategies, procedures, criteria and risk assessments, since in the past Member States took different approaches to cybersecurity. Each Member State must also operate a national Computer Security Incident Response Team (CSIRT).
The Directive names the specific public and private sectors affected. At the same time, it divides organisations into "essential" and "important" entities (the Czech transposition refers to a higher and a lower regime of obligations).

| Essential entities (higher regime) | Important entities (lower regime) |
|---|---|
| energy | postal and courier services |
| transport | waste management |
| financial markets | chemical industry |
| healthcare | food industry |
| water management | manufacturing industry |
| digital infrastructure and services | |
| public administration | |
| space industry | |
A disruption of the services of an essential entity would have a serious impact on the country's economy and the functioning of society. The conditions for these organisations are therefore more stringent.
An essential entity (higher regime)
- must implement the full set of the Directive's requirements,
- must report all security incidents,
- must follow NÚKIB warnings and respond to threats with proactive measures,
- is supervised directly by NÚKIB,
- must process data and information on servers located within the region,
- must also vet its critical suppliers.
An important entity (lower regime)
- implements a reduced set of the Directive's requirements,
- is only obliged to report security incidents with a significant impact,
- is not obliged to follow NÚKIB warnings,
- is supervised by an inspector certified by NÚKIB,
- is not required to process data and information on a server within the region,
- is not required to vet its suppliers.
What changes will NIS2 bring in practice?
The new Directive introduces measures of an organisational and technical nature.
In the organisational area, management must focus on risk assessment and risk management, implement comprehensive security policies with an emphasis on continuity of service operations, and ensure staff training. Supply chain security is also a focus.
In the area of technical measures, the Directive primarily concerns the security of IT infrastructure, including:
- protection of telecommunications networks and properly distributed systems, including high-availability architectures,
- identity management and authentication, including external users and suppliers,
- control of access permissions across the entire organisation,
- cryptography and protection of sensitive data, with an emphasis on backup and recovery,
- protection of all devices with network access.
A new feature is the obligation to record and report the handling of vulnerabilities and incidents. Under the Directive, an early warning must be submitted within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final, detailed report within one month.
The purpose of the early warning is to limit the potential spread of incidents and to enable operators to neutralise a threat as quickly as possible. The final report is meant to ensure that lessons are learned from the incident.
It is the reporting obligation that poses the biggest challenge for companies, since they must monitor and respond to incidents 24/7/365. At the same time, qualified IT specialists are in short supply, so staffing continuous operations with internal people will be difficult. The focus should be on solutions that make maximum use of advanced detection and automation technologies.
Member States were required to transpose the Directive by 17 October 2024, and the Czech act is expected to take effect by the end of 2024 at the latest. The supervisory authority may impose sanctions for non-compliance from the following month.
We can help you with NIS2
In response to the introduction of NIS2, our company System4u offers Managed Detection & Response, a package designed to cover the requirements of the Directive. The service includes:
- A security audit of your IT infrastructure and a detailed analysis of its condition using modern techniques and penetration tests (on-premises and cloud hosting, networks, the application layer, identity management, endpoints, data storage, data security, backup, recovery, etc.).
- Expert consultation, including architectural design and subsequent implementation of the recommended changes.
- A Security Support Service (SOC365), including incident handling and reporting.
With Managed Detection & Response you can be confident that you are operating in compliance with NIS2 and with related frameworks such as GDPR and ISO 27001. If you would like to discuss this further, let us know.