NIS2: Why is cybersecurity essential?

Date of issue

13. 2. 2025

Organisations must take not only technical but also organisational measures to manage security risks. The new directive also aims to significantly strengthen the ability of organisations to respond to cyber incidents and crises. The NIS2 Directive came into force in January 2023 and EU Member States.

Why focus on security?

  • Financial protection – Prevention is cheaper than the consequences of an attack.
  • Customer trust – Data protection strengthens a company’s reputation.
  • Minimise downtime – Stability is key to competitiveness.
  • Legal liability – Failure to comply with NIS2 can result in heavy fines.

Who is it about?

In the Czech Republic, it will apply from 2025 and will affect approximately 6,000 entities, including:

  • Organizations providing critical services (health, transport, finance, energy, etc.) and medium and large enterprises (over 50 employees or CZK 250 million turnover).
  • The supply chains of these companies.

Main duties according to NIS2:

  1. Notification of regulated service – Within 60 days via the NUCIB Portal.
  2. Reporting of contact details – Within 30 days of receipt of the registration decision.
  3. Determining the scope of cybersecurity governance – Defining the scope of regulation in an organization.
  4. Implementation of security measures – Within 1 year of receipt of the registration decision.
  5. Cyber incident reporting – Within 1 year of receipt of the registration decision.
  6. Informing customers of incidents – Within 1 year of receipt of the registration decision.
  7. Implementation of countermeasures issued by NUCIB – Immediately according to the deadline set in the countermeasure.
  8. Compliance with supply chain security mechanism obligations – Within 1 year of registration.
  9. Ensuring availability of strategic services from the Czech Republic – Within 1 year of registration.

How to prepare for NIS2?

1. Analysis of the current situation

First, you need to conduct a thorough assessment of the state of the IT infrastructure and compare it with the requirements of the NIS2 directive. Identify weaknesses in technical security measures and assess the company’s process management. Set realistic targets for the implementation of the measures, including both the technical solutions and the necessary documentation.

2. Implementation plan

  • Designation of a responsible person and security team
  • Definition of measures to be implemented, prioritization and oversight of the project schedule
  • Allocation of resources and capacity

3. Introduction of measures

Implementation consists of technical, organizational and process steps, including:

Technical measures (built around a Zero Trust architecture):

  • Identity: authenticate users, devices and services with strong authentication and apply the principle of least privilege.
  • Devices: modern management and protection of all devices connected to the network, including mobile devices.
  • Networks: network segmentation and access control based on context and risk.
  • Data: protect data through classification, encryption and access restrictions based on data attributes; create backups and verify that they can be restored.
  • Visibility and analytics: gain visibility into security events and use analytics to detect threats and improve defences.

Organisational measures:

  • Risk management: conduct a comprehensive assessment of cyber risks, from identification and prioritisation through to managing the measures that mitigate them.
  • Management responsibility: the organisation’s management must oversee cyber security, approve measures and be trained on cyber risks.
  • Incident reporting: the organisation must have processes for promptly reporting security incidents with a significant impact on service delivery. NIS2 sets out specific notification timeframes, such as the 24-hour ‘early warning’.
  • Business continuity: plan for business continuity in the event of a cyber incident, including systems recovery, emergency procedures and the creation of a crisis team.

4. Continuous monitoring

Regular audits and testing of the effectiveness of measures help to ensure continued compliance with NIS2, for example through penetration testing, scanning systems and applications for known vulnerabilities, or reviewing application code for weaknesses that attackers could exploit. These activities confirm that security measures remain effective and that the organisation is prepared to counter cyber threats.

What’s next?

Ensuring compliance with NIS2 requires a systematic approach. The earlier firms start preparing, the better they can minimise the risks and costs associated with implementing the new rules.

Need some advice? We will guide you through the whole process!
