Welcome to the website dedicated to the upcoming regulation of cyber security in the Czech Republic - the Directive of the European Parliament and of the Council on measures to ensure a high common level of cyber security in the Union, the so-called NIS2 Directive, and the changes that this Directive will bring for cyber security in the Czech Republic. These changes will take effect only when the new Act on Cyber Security enters into force (scheduled for the second half of 2024).
The NIS2 Directive brings many changes in the area of cyber security and affects not only organisations that are already obliged to secure their systems under the current Act on Cyber Security, but also a large number of organisations that will be newly covered by the regulation and have not had to fulfil any obligations to date.
In the context of numerous changes and the interest of the public in the topic, NUKIB has launched this website to provide clear and comprehensive background information on what the new NIS2 Directive represents, to describe the major changes to the existing requirements and how the European requirements will be implemented into national legislation.
We have selected the 12 most interesting and important topics related to the future regulation of cyber security that we would like to present to you. We will continuously update the published information. The topics also include proposed changes to Czech legislation.
THE TEXT OF NIS2 DIRECTIVE
The final official text of the NIS2 Directive was published in the Official Journal of the European Union on 27 December 2022 in all official languages of the European Union. NUKIB recommends also consulting the English version when reading the Czech version of the official text, as English is the language in which the Directive was drafted and is most consistent with the intent of the regulation.
THE NEW ACT ON CYBER SECURITY AND OTHER LAWS
The Directive is a legal act setting the minimum regulatory requirements that all EU Member States, including the Czech Republic, must meet. It is up to the individual countries to formulate their respective national laws and to decide how to achieve the relevant objectives. The changes brought by the NIS2 Directive are so fundamental that the NUKIB has approached this task by preparing a completely new Act on Cyber Security and its decrees, which have recently been submitted to the public for comments and discussion.
Public comments and suggestions have been incorporated in the initially published proposal of the Act on Cyber Security. The following version will be submitted to the Interdepartmental Comment Procedure. Further changes can therefore be expected as part of the standard legislative process. Public comments have also been taken into account in the draft decrees, but these are still not final legislative proposals but theses accompanying the draft law. The decrees will have their own legislative process.
Proposal of the Act on Cyber Security
All the documents are unofficial translations of non-binding proposals which will be further edited.
The rights and obligations in the field of cyber security, i.e. the determination of regulated entities, their obligations and other institutes, whether new or existing, are based on the content of the new proposal of the Act on Cyber Security. Decrees issued under the Act further specify these rights and obligations. In each proposed document you will find a short managerial summary of its content and its relation to other regulations for better orientation.
RESULTS OF THE PUBLIC CONSULTATION
The public consultation of experts on the proposed Act on Cyber Security and the theses of related decrees took place from 26 January to 12 March 2023.
Over a period of more than 6 weeks, the NUKIB received a total of 1144 unique comments, suggestions and proposals on the published legislative materials. The overwhelming majority of all comments received were considered in updating the draft law and decrees.
A summary of all the comments and suggestions received is available only in Czech.
We would like to thank the authors for all the submitted suggestions. We appreciate their initiative and helpfulness in cooperation leading to the optimal setting of the regulatory framework for cybersecurity in the Czech Republic.
The NIS2 Directive was published in the Official Journal of the European Union on 27 December 2022. The published text of the Directive is official and will not be changed any further. The information on the website is based on the final text of the Directive and may be modified in the future only in the light of developments in the interpretation of the content of the Directive - however, such possible modifications should only be made in exceptional circumstances.
The presented information concerning the future Czech national regulation depending on the content of the NIS2 Directive may contain the opinions and plans of the NUKIB as the responsible authority for this issue. It should be borne in mind that such opinions and plans are based on currently available information and that a necessary part of the adoption of legislation is the legislative process, within which the presented issues may undergo changes.
The aim is to provide a basic overview of the regulatory landscape associated with NIS2, not a detailed guide to implementing the requirements in a specific organisation's environment.