NIS 2 In Czech Legislation: Common Mistakes in Self-Identification - How to Overcome Them?
The NIS2 Directive and its implementation into Czech legislation are fast approaching. It is expected that the draft of the new Cybersecurity Act will be in force as early as mid-2025. The first key obligation under the new law is to self-identify, i.e., to determine whether your company will be a regulated entity.
However, many entrepreneurs are already struggling at this point, so let's take a look at the most common mistakes and how to ideally avoid rgem. As the implementation of the NIS2 Directive into Czech legislation rapidly approaches, the draft of the new Cybersecurity Act is anticipated to be in effect by mid-2025. One of the crucial obligations under this new law is self-identification - companies must determine if they will be considered regulated entities.
Recognizing the challenges faced by many entrepreneurs in this regard, let's examine the most frequent mistakes and strategies to avoid them effectively:
Mistake #1: I don't know I have to do any self-identification
Although the National Cyber and Information Security Agency (NÚKIB) is doing a very high level of awareness-raising in this area, we still find companies that have not been reached by the planned new obligations. The amount of all regulations for companies is huge, but as the well-known legal principle says: ignorance of the law is no excuse.
The NIS2 Directive has expanded the number of regulated entities from approximately 360 to an estimated 12-15,000 in the Czech Republic and 10,000 entities in Slovakia. The expected increase is therefore dramatic and the chances that the new law will affect you are quite high.
Why is self-identification actually such a key obligation? If you were a regulated entity and did not report to NÚKIB, you would be committing an offence. And because NÚKIB views this conduct as an attempt to avoid your obligations, it can impose the highest fines for it (CZK 250,000,000 or up to 2% of the company's net worldwide annual turnover, whichever is higher). Despite NÚKIB's extensive awareness-raising efforts, several companies remain unaware of the new obligations mandated by the NIS2 Directive. The sheer volume of regulations can be overwhelming. However, as the legal maxim goes, "ignorance of the law is no excuse."
The NIS2 Directive has significantly expanded the scope of regulated entities, increasing from approximately 360 to an estimated 12,000-15,000 in the Czech Republic and 10,000 in Slovakia. This dramatic increase means there's a high probability that the new law will impact your organization.
Self-identification is a crucial obligation under the NIS2 Directive. If a regulated entity fails to report to NÚKIB, it will be considered an offense. NÚKIB views this conduct as an attempt to evade obligations and can impose substantial fines. The maximum penalty is CZK 250,000,000 or up to 2% of the company's net worldwide annual turnover, whichever is higher.
Mistake #2: Regulated services misuderstandings
The draft new legislation will affect companies that provide a service from a regulated sector and meet other criteria. Regulated services are important for the security of important social or economic activities or for security and are from 15 different sectors.
These sectors are:
public administration and exercise of public authority,
energy,
manufacturing industry,
food industry,
chemical industry,
water management,
waste management,
transport,
digital infrastructure and services,
financial market,
healthcare,
science, research and education,
postal and courier services,
defense industry,
space industry.
It sounds relatively simple and so if I don't do anything in these sectors, I don't have to deal with the new cyber legislation at all? Wrong. One of the exceptions listed in the Act may still apply to you.
Another and much more common mistake companies make is that they confuse their main activity with the regulated service sectors. However, the new law is not only interested in activities that are your core business, but in everything you do.
We can illustrate this with an example where a company makes, say, pet toys. It has verified that the manufacturing industry does not apply to this manufacturing, and so has concluded that the regulation will not apply to it. But then it wouldn't be a good example if that was the end of the story. However, this company has a subsidiary that sews dog clothes and the parent company manages all of their IT, and then invoices them for these services. This already classifies it into the digital infrastructure and services sector, specifically it could provide the regulated service of Managed Service Providing (MSP) or Managed Security Service Providing (MSSP). It doesn't matter that providing IT services is not its main activity.
Companies must identify all regulated services they provide, whether or not they are their main activity. Think about all your activities, even if they don't seem important to you at first glance. And don't forget, you can provide more than one regulated service and you have to report all of them. It may seem simple to think that if you don't engage in specific sectors, you won't be affected by the new cyber legislation. However, this is incorrect. Exceptions listed in the Act might still apply to you.
Another common mistake is for companies to confuse their main business activity with the regulated service sectors. The new law encompasses everything you do, not just your core activities.
For example, a company manufacturing pet toys may assume the regulation doesn't apply to them since their industry is not listed. However, this company has a subsidiary that sews dog clothes, and they manage all of their IT, billing them for these services. This classifies them into the digital infrastructure and services sector. They could be providing the regulated services of Managed Service Providing (MSP) or Managed Security Service Providing (MSSP), regardless of their primary focus.
Companies must identify all regulated services they provide, whether or not they're their main activity. It's essential to comprehensively consider all your activities, even if they seem minor. Additionally, it's possible to provide multiple regulated services, and you're required to report all of them.
Mistake #3: Incorrect determination of enterprise size
In addition to operating in regulated sectors, another typical criterion is the size of the enterprise. If you were to carry out an activity within a regulated sector but did not meet the necessary condition of the required size, the new Cyber Act would not apply to you.
However, even in this case, let's not forget the exceptions and other criteria regardless of size. The size of an entity is calculated according to Commission Recommendation 2003/361/EC, which defines micro, small, medium and large enterprises. The assessment of an enterprise is based on either the employee or financial indicator.
Small companies have a maximum of 49 employees, medium-sized companies 50 to 249 and large companies 250 or more. The problem arises in that the number of employees must also take into account the so-called "relevant links between affiliated undertakings". What does this mean? For example, when you are a subsidiary of a large company or part of a holding company. In these cases, there is the aforementioned affiliation and the total number of employees also includes the employees of subsidiaries, sister or parent companies. This is either in full or proportionately according to the degree of affiliation. A company with 10 employees can thus become a large enterprise thanks to its parent company, because in total it will have more than 250 employees.
A new exemption for these affiliated companies was inserted into the draft Cyber Act in May this year. This states that affiliated or linked undertakings shall not be considered to be undertakings whose technical assets are completely separate from the technical assets used by the undertaking under assessment in the provision of the regulated service. According to the explanatory memorandum, this should typically involve situations of investing in start-ups. However, we will have to wait until the end of the legislative process to see how this derogation will turn out.Criteria for Assessing the Applicability of the New Cyber Act
In addition to operating in regulated sectors, another critical criterion for determining whether the new Cyber Act applies to an enterprise is its size. If an entity operates within a regulated sector but does not meet the required size threshold, the Act will not apply.
However, exceptions and other criteria may still apply, regardless of size. The size of an entity is calculated according to Commission Recommendation 2003/361/EC, which defines micro, small, medium, and large enterprises. The assessment is based on either the number of employees or financial indicators.
Small companies have a maximum of 49 employees, medium-sized companies have 50 to 249 employees, and large companies have 250 or more employees. The calculation of employees must consider "relevant links between affiliated undertakings." This means that if an entity is a subsidiary of a large company or part of a holding company, the total number of employees includes those of subsidiaries, sister companies, or parent companies. This can be either in full or proportionately, based on the degree of affiliation. Consequently, a company with only 10 employees may be considered a large enterprise if its parent company has more than 250 employees.
A new exemption for affiliated companies was introduced into the draft Cyber Act in May. This exemption states that affiliated or linked undertakings will not be considered as such if their technical assets are entirely separate from those used by the assessed undertaking in providing the regulated service. The explanatory memorandum suggests that this typically applies to situations involving investments in start-ups. However, the final outcome of this exemption will only be known upon completion of the legislative process.
Mistake #4: Confusion in the regulated services regimes
Once you self-identify and report your regulated service to NÚKIB as a regulated entity, you have the first step behind you. NÚKIB will register you and you will then start to have further obligations according to the regime in which you provide the regulated service. If you have only one regulated service, you will follow the security measures and fulfil the obligations according to the regime that this regulated service dictates. This may be a higher regime (more obligations) or a lower regime.
Companies make a mistake here if they want to prepare for the new legislation and provide more than one regulated service, with one regulated service being designated in a lower regime and the other regulated service in a higher regime. Companies then want to prepare for both regimes at the same time or choose the more advantageous one for them - the lower regime. Because companies can only have one regime, the higher takes precedence rule applies here.
If you have even one of many regulated services in a higher regime, the higher obligations regime is decisive for your company.After identifying and reporting your regulated service to NÚKIB as a regulated entity, you have taken the initial step. NÚKIB will register you, and you will have specific obligations based on the regime associated with your regulated service. If you have only one regulated service, you must adhere to the security measures and fulfill the obligations according to its designated regime, which may be higher (more obligations) or lower.
Companies often make a mistake when preparing for the new legislation. When providing multiple regulated services, they may have one service designated in a lower regime and another in a higher regime. In such cases, companies may want to prepare for both regimes simultaneously or choose the more advantageous lower regime. However, companies can only have one regime, and the "higher takes precedence" rule applies. If at least one of your many regulated services falls under a higher regime, the higher obligations regime will be decisive for your company.
Mistake #5: I am a supplier to a regulated entity = Am I a regulated entity?
The draft of the new Cybersecurity Act also mentions suppliers to regulated entities. They will have to comply with certain obligations. These will mainly be rules that will affect them through their customers (regulated entities). The fact that you supply your services to a regulated entity does not in itself qualify you as a regulated entity.
A supplier must itself provide some regulated service in order to become a regulated entity, and at the same time meet all other criteria that the regulated service will require. Therefore, even a supplier, like any other company, must self-identify and determine whether it is a regulated entity. If it is not, it will only be subject to obligations as a supplier to regulated entities and will not have to report to NÚKIB.
Do you already know if you fall under the new legislation? Check the free URČI.SE application to see if you are likely to fall under the new regulation or not. You will also find out what you will have to comply with and what your next steps should be.The draft of the new Cybersecurity Act includes provisions for suppliers to regulated entities. These suppliers will be required to comply with certain obligations, primarily through their interactions with their regulated customers. However, it's important to note that simply providing services to a regulated entity does not automatically make a supplier a regulated entity itself.
To be considered a regulated entity, a supplier must provide a regulated service and meet all other criteria required for that service. Therefore, like any other company, suppliers must self-identify and determine whether they meet the criteria to be considered regulated entities. If a supplier does not meet these criteria, they will only be subject to the obligations imposed on suppliers to regulated entities and will not be required to report to NÚKIB.