The European NIS2 Directive (the second Network and Information Security Directive) will make life harder for Czech organizations in some respects, but it can also help them solve their cybersecurity problems. This is particularly true for organizations that have not addressed this serious threat so far, or that could not justify the budget for sufficiently qualified staff.
The NIS2 Directive aims to make the EU’s digital infrastructure more resilient to cyber attacks and to improve coordination and incident response capabilities across the member states. “Many entities in the Czech Republic and elsewhere are not taking these matters seriously enough. This is due to the fact that there is a shortage of IT experts – let alone cybersecurity experts – on the market. Since the entities affected by the new directive will be obliged to ensure that their IT networks and information systems are sufficiently protected against cyber threats, this problem may become even worse,” says Petr Kocmich, Global Cyber Security Delivery Manager at Soitron.
The entities concerned must implement measures to prevent and limit cyber attacks, such as regular software updating and patching, hardening of network devices, and protection against phishing. In addition, they must prepare contingency plans for cyber incidents and establish mechanisms for handling them quickly and effectively.
Significant incidents must be reported to the competent national authority: under the directive, an early warning is due within twenty-four hours of becoming aware of the incident, followed by a fuller incident notification within seventy-two hours and a final report within one month, and cooperation with the national security authorities will be required. Any company that fails to comply with these requirements may face fines and other sanctions.
It would be good if the NIS2 Directive ended the shortage of cybersecurity experts; that is unlikely, and at first glance it might even seem to make the problem worse. Having said that, the new regulation is an excellent opportunity to make organizations more secure, and external cybersecurity service providers can help: they have the capabilities that organizations lack. “Specialized companies focus on providing these services and can help entities implement security measures and risk management as a complete package, i.e. a turnkey service or a solution delivery including support and compliance with the NIS2 Directive,” says Kocmich.
Specialized providers can therefore help organizations with both tasks at once: achieving compliance with the new requirements and closing the gaps in the security of their IT infrastructure and information systems. However, even when an organization uses such a provider, the responsibility remains its own; the directive does not allow it to be outsourced.
Organizations should therefore choose their provider carefully and check that it is sufficiently qualified, experienced, and certified. It is equally important that tasks are properly assigned and that the contractor’s performance is monitored. For the model to work efficiently and effectively, roles and responsibilities should be clearly defined in the contract between the organization and the cybersecurity service provider, and it should be understood that the quality of the service delivered often reflects how well both sides manage the engagement.
The directive will mean greater obligations for companies in the Czech Republic with regard to the cybersecurity of networks and information systems. At the same time, it will improve protection and resilience against cyber threats and strengthen cooperation between European countries. Last but not least, meeting the requirements of the NIS2 Directive can help organizations gain the trust of customers and partners, who can be more confident that their data and information are protected. Overall, the directive can help entities improve their security practices and reduce risk.
The NIS2 Directive applies to electricity producers, healthcare providers, electronic communications services, and more than sixty other services grouped into eighteen sectors. In the Czech Republic, the directive is expected to start applying in October 2024 (the EU transposition deadline is 17 October 2024) and will cover up to 15,000 entities: medium and large organizations, i.e. those with at least fifty employees or an annual turnover above roughly CZK 250 million (the equivalent of the EUR 10 million threshold used in the directive). Although the directive directly binds only organizations that meet the defined criteria, others would do well to treat it as a set of recommendations for improving their own cybersecurity.
“It is estimated that up to 70% of domestic organizations have a problem with their cybersecurity. Smaller and medium-sized enterprises in particular do not have sufficiently secure IT systems and do not comply with basic security measures,” says Kocmich. Common problems include overly permissive user access rights, a lack of multi-factor authentication combined with weak passwords (including those of administrators), poorly managed and decentralized user identities, outdated and unpatched hardware and software with known vulnerabilities, missing network segmentation, weak or missing protection of email and Internet access, inadequate perimeter protection, low visibility into network traffic, weak or missing endpoint security, a lack of central log management, and inadequate employee training. “Cybersecurity is a big issue for many companies in the country. They can become easy targets for attackers. The NIS2 Directive should help raise awareness and protection against cyber threats,” adds Kocmich.
For more information on obligations under the NIS2 Directive, see the dedicated website (http://nis2.nukib.cz) of the National Cyber and Information Security Agency (NÚKIB).