NIS2 and the "new" law on cyber security

NIS2 (Network and Information Security 2) is a Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union. It replaces the original NIS Directive and extends its scope to additional sectors and entities. Because it is a directive, it does not apply directly: each Member State must transpose it into national law, which in the Czech Republic means a new Cyber Security Act and amended implementing decrees.

Which organisations will be affected by NIS2?

The 'new' Cyber Security Act is expected to enter into force at the end of 2024, together with several implementing decrees. The Czech Republic is therefore facing both a new Cyber Security Act and amended decrees.

"The adoption of the new law on cybersecurity is expected by 18 October 2024 at the latest."  

The NIS2 Directive will affect hundreds of organisations that provide a regulated service in one of the sectors listed below. Further criteria (for example the size of the organisation) are set out in the implementing decree for each regulated service. Based on these criteria, an organisation falls under either the higher or the lower obligation regime.

  • Public administration
  • Energy
  • Manufacturing industry
  • Food industry
  • Chemical industry
  • Water management
  • Waste management
  • Air transport
  • Rail transport
  • Water transport
  • Road transport
  • Digital infrastructure and services
  • Financial market
  • Healthcare
  • Science, research and education
  • Postal and courier services
  • Defence industry
  • Space

What obligations does NIS2 bring?

Organisations affected by NIS2 must implement organisational and technical security measures. Which measures apply depends on the obligation regime the organisation falls under (the measures for each regime are listed below). The regime is determined through a process called self-identification: the organisation itself must assess whether it provides a regulated service, and if so, which obligation regime applies to it.

Lower obligation regime

  • Ensuring cyber security
  • Duties of senior management
  • Asset management
  • Risk management
  • Human resources security
  • Business Continuity Management
  • Access management
  • Identity and permissions management
  • Detection and recording of cyber security events
  • Cyber security incident response
  • Communications network security
  • Application security 

Higher obligation regime

  • Information security management system
  • Responsibilities of senior management
  • Security roles
  • Management of security policy and security documentation
  • Asset management
  • Risk management
  • Supplier management
  • Human resources security
  • Change management
  • Acquisition, development and maintenance
  • Access control
  • Cyber security event and incident management
  • Business continuity management
  • Cyber security audit
  • Physical security
  • Communications network security
  • Identity management and authentication
  • Access rights and permissions management
  • Cyber security event detection
  • Event logging
  • Evaluation of cyber security events
  • Application security
  • Cryptographic algorithms
  • Ensuring availability of the regulated service
  • Security of industrial, control and similar specific technical assets

What are the penalties for non-compliance with NIS2?

Organisations that fail to comply with their obligations under the NIS2 Directive and the national law transposing it may face significant fines.

  • Under the lower obligation regime, an organisation can be fined up to CZK 175 000 000 or up to 1.4% of its total worldwide annual turnover.
  • Under the higher obligation regime, an organisation can be fined up to CZK 250 000 000 or up to 2% of its total worldwide annual turnover.

>In both regimes, the maximum fine is whichever of the two amounts (the fixed sum or the percentage of turnover) is higher.
