The Cybersecurity Act will most likely be approved only next year, says lawyer Vlachová.
05 \ 12 \ 2024

The new Cybersecurity Act is currently being reviewed by committees of the Chamber of Deputies, which aim to somewhat limit the proposed powers of the National Cyber and Information Security Agency (NÚKIB) in favor of the government. An amendment, which envisions transferring decision-making authority, was supported at the end of November by both the Security and the Economic Committees responsible for the bill.
The bill aims, among other things, to enable the screening of suppliers who could pose a security risk to the state, as well as their exclusion. The proposal also plans to expand the scope of authorities and persons affected by it, whose protection and functioning are in the economic and societal interest. Barbora Vlachová, lead attorney of the legal team at the Portos law firm specializing primarily in cybersecurity, digital transformation, and IT law, discusses the most significant changes in cybersecurity in the e15 cast podcast.
The new Cybersecurity Act transposes into Czech law the European directive on measures to ensure a high common level of cybersecurity, known as NIS2. The goal of this directive is primarily to eliminate disparities between EU member states in cybersecurity legal regulation, which arose from the transposition of the original NIS directive. NIS2 focuses on strengthening the EU’s cyber resilience and enhancing the ability to respond to cyber threats and incidents.
“We already know that we missed the directive’s implementation deadline, which had to be transposed into Czech law by October this year. Realistically, we expect to succeed only by mid-next year, with the law potentially coming into effect from January 1, 2026,” says Barbora Vlachová from the Portos law firm.
According to the amendment, the main implementing regulation setting criteria for determining the so-called strategically significant services that form the essential scope would not be issued by the cybersecurity agency as a decree but by a government regulation. This way, the government would bear appropriate responsibility and also set the parameters for measures. The government would determine the strategically significant services and, according to the bill’s proposer, ODS MP Pavel Žáček, would assess not only suppliers but also the security of the country from which they originate.
The Chamber of Commerce warned of the threat of increased costs for companies and public administration and the subsequent impact on service prices for customers. The NIS2 directive affects large and medium-sized enterprises, but the state also has the power to designate critical sectors to which the law may apply. Ultimately, this regulation could also affect smaller companies.
https://www.e15.cz/podcasty/e15-cast/zakon-o-kyberbezpecnosti-bude-nejspis-schvalen-az-pristi-rok-rika-advokatka-vlachova-1420693
“The most frequently cited number is 6,000 to 10,000 entities that the law might affect. But I have also seen the figure of 12,000,” says Barbora Vlachová, noting that costs for companies could reach tens of billions of CZK.
The main purpose of the new cybersecurity law is to ensure that important organizations implement preventive measures to strengthen their cybersecurity, including reporting and managing cybersecurity incidents.