The implementation of the Critical Entities Resilience Directive is approaching. It will cost companies up to tens of millions of Czech crowns.
05 \ 08 \ 2024

Critical infrastructure represents key elements and entities whose disruption would have serious impacts on the functioning and security of society and the state. With the implementation of the directive, which must take place by October 17 at the latest, stricter security standards will be introduced, along with a greater emphasis on cooperation between EU member states. According to Vlachová, this should lead to more effective risk prevention.
What obligations arise from this for the Czech Republic?
States primarily have the obligation to identify critical entities by 2026. This process will need to be repeated regularly to maintain an up-to-date list of entities considered critical for national security and the economy. Furthermore, it will be necessary to create and apply a strategy to increase the resilience of critical entities and establish effective oversight over them.
Can we therefore expect legislative changes at the level of the Czech legal system?
Since CER is a directive, it is not directly binding. Transposition into Czech law is therefore necessary. Currently, a new Critical Infrastructure Act is being prepared. However, it is already clear that it will not be adopted within the set implementation deadline but probably only in 2025.
What is delaying the timely implementation of this legislation?
Similar to the Cybersecurity Act, there are some risk areas slowing down the preparation of the law. Experts particularly criticize some proposed provisions related to supply chain security or high penalties. These are mostly tools that do not directly stem from the CER directive and are specific to the proposed Czech regulation.
Will new obligations also apply to the entities themselves that fall under critical infrastructure?
Yes, especially to those entities that have not previously been subject to similar regulation. These entities will also need to regularly assess risks and report them to supervisory authorities, in line with the state strategy. Additionally, it will be necessary to implement advanced security systems covering both physical and digital security, subject to regular audits. The system will also include training for employees and management to effectively respond to potential threats.
Will there be any changes affecting their suppliers?
The CER directive will increase the responsibility of suppliers for securing the services and products provided to critical infrastructure entities. Since the critical entities themselves will have the obligation to monitor and oversee the security of their suppliers, they will also require these suppliers to demonstrate compliance with various security requirements.
What should entities affected by the new legislation prepare for?
At this moment, I would especially recommend a careful study of the CER directive itself and monitoring the legislative process of the new Critical Infrastructure Act. To ensure compliance with the new regulation, it would be advisable to start with a gap analysis to identify the extent to which the required measures are already fulfilled. For those measures that are not yet met, it is necessary to determine a procedure to achieve compliance with the legislation. After implementing the new regulation in the organization, established measures must be continuously monitored, evaluated, and adjusted if necessary. The new obligations will thus become part of the company’s broader compliance framework, i.e., one of its pillars.
What will be the costs for companies due to these changes?
The costs associated with implementing the CER directive into national law will mainly depend on the size of the entity and the criticality of the services it provides. These can range from hundreds of thousands up to tens of millions of Czech crowns. An important factor is also the current state of established processes. To minimize costs, I would recommend early preparation for the obligations arising from the CER directive and spreading their fulfillment over a longer period.
The article was published on prioritymagazin.cz (August 1, 2024)