What will the NIS2 directive bring and are Czech companies ready for it?

The topic of the NIS2 cybersecurity directive is beginning to resonate more and more intensely, and understandably so - as the deadline for its entry into force, which falls in mid-October this year, approaches, the pressure and a certain degree of nervousness is growing.

And it is undoubtedly in place. NIS2 will now affect nearly 6,000 additional companies and organisations for which the current obligations did not apply. And according to independent surveys carried out by specialist agencies (companies such as KPMG and EY), there is one common and disappointing conclusion: unpreparedness.

When we talk about entities that were not covered by the original NIS, in many cases we also encounter a completely trivial situation.

Of course, as the saying goes, you can't lump everyone together and it depends on the business area, the size of the company - and the overall management approach to cyber security in the long term.

However, it is undoubtedly striking that today some organisations still live under the assumption that they are secure through the deployment of firewalls and antivirus, and therefore have "made it".

First of all, ignorance is no excuse. Whether a company falls into the less or more regulated category (and is thus in a greater "crosshairs"), in either case, implementation needs to be addressed very rigorously.

Non-compliance with the requirements is associated with significant financial penalties (for smaller family-owned companies, they can be even liquidating), as well as the obligation to report incidents to the National Office for Cyber and Information Security(NCIS), and a number of specific obligations, such as employee training, up to the imposition of personal liability.

NIS2 will also have a direct impact on the standardisation of supply chains - for example, it now focuses specifically on the treatment of supplier security.

It should of course be in the interest of the organisations themselves to keep security at the highest possible level. What are the biggest bottlenecks as to why this is not happening?

This is usually based on the aforementioned overall approach and investment in cybersecurity in general. Thus, finances, lack of competent experts and also ignorance of the issue are frequent factors. Meeting the basic requirements of NIS2 often does not necessarily mean huge investments, but, for example, implementing the necessary processes.

If you are interested in learning more about NIS2 and whether you as an organisation are ready for it, please do not hesitate to contact us and we will be happy to help you audit the situation and set up the necessary measures.