Like other countries, the Czech Republic is undergoing a digital transformation. Without a doubt, this transformation allows businesses to streamline their operations and makes all of our lives easier. On the other hand, it creates new cybersecurity threats that may disrupt businesses and cause significant losses.
The threat of cyberattacks has become more immediate recently due to several factors, such as the COVID-19 pandemic, which forced companies to adapt to remote working and, consequently, widened the attack surface available to cybercriminals. The war in Ukraine has also increased the risk of cyberattacks.
Such attacks are usually aimed at confidential information and data of essential value to businesses and organizations. Attackers also often try to disrupt the operations of particular organizations, especially providers of important services or utilities.
That cybersecurity risks have increased is evidenced by data published by the authorities as well as by certain businesses. The 2022 Report on the State of Cybersecurity in the Czech Republic, issued by the Czech National Cyber and Information Security Authority (the Authority) on July 17, 2023 (the Authority's most recent report on this topic), states that while the Authority recorded a slight decrease in cyber incidents in 2022, the Czech Police recorded an almost twofold increase in cybercriminal activity. The report also notes that the activities of state-sponsored cyber actors and cybercriminal groups continue to be the greatest threat to the Czech Republic's cybersecurity. Businesses confirm the increase in cybersecurity risks. For instance, according to a press release published on January 30, 2024, by the Czech Banking Association, Czech banks recorded 69,685 attacked clients in 2023, with total damage of CZK 1.35 billion.
These steadily increasing cybersecurity risks have been reflected in various pieces of legislation. The most significant of these is EU Directive 2022/2555 on Measures for a High Common Level of Cybersecurity Across the Union, known as NIS 2, which replaces the cybersecurity legislation currently applicable in the EU (the original NIS Directive). NIS 2 entered into force on January 16, 2023, and EU Member States must transpose it into their national legislation by October 17, 2024. In the Czech Republic, the Authority has already published a bill transposing the NIS 2 Directive, which is expected to be introduced in parliament soon.
The obligations imposed on organizations by the new legislation will include the duty to take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to their systems. Among other things, these measures consist of adopting policies and procedures for assessing the effectiveness of cybersecurity risk-management measures, ensuring supply chain security, and ensuring human resources security. Members of management bodies will be required to attend regular training in order to gain sufficient knowledge and skills to identify risks and assess their impact on the services provided by the organization.
Non-compliance with these obligations may lead to significant fines: for essential entities, the EU legislation requires Member States to set the maximum fine at no less than EUR 10 million or 2% of total worldwide annual turnover, whichever is higher (a lower cap applies to important entities).
The new legislation is expected to impose cybersecurity requirements on a far broader range of businesses than the current legislation. According to some estimates, the number of organizations affected in the Czech Republic will increase from 600 to at least 6,000; some say it may even reach 15,000 entities. The cost of implementing the obligations imposed by the new legislation is not negligible either. Czech organizations that already deal with cybersecurity have indicated that they spend annually tens of millions of Czech koruna (e.g., hospitals or Czech Post), hundreds of millions of Czech koruna (banks), or even billions of Czech koruna (the Czech conglomerate generating, distributing, and trading electricity and heat).
Although cyberattacks present significant risks and breaches of the obligations imposed by cybersecurity legislation may bring substantial sanctions, many businesses have not yet begun preparing for the new rules. According to some surveys, up to 80% of IT department employees in Czech companies do not know whether their organizations will be affected by the new legislation. That figure is strikingly high. Since implementing the new requirements takes time, Czech companies should begin preparing as soon as possible. Otherwise, cybersecurity compliance may become a real challenge.
By Petr Hradil, Head of Cybersecurity, Peterka & Partners
This article was originally published in Issue 11.4 of the CEE Legal Matters Magazine.