The forthcoming set of broader EU cybersecurity requirements could hit obstacles in the form of insufficient financial and staff capacities, prompting fears in the Czech Republic that they could create new headaches, particularly for private companies.
The Czech Interior Ministry and the Czech National Cyber and Information Security Agency (NÚKIB) experienced massive attacks on their systems in mid-April. Moreover, a few regional airports’ websites and the major railway operator’s mobile app also faced failures recently.
Despite the high priority of crucial institutions regarding cybersecurity, these incidents show that they are still vulnerable to external attacks.
The EU’s forthcoming cybersecurity directive – so-called NIS2 – is intended to improve EU countries’ resilience. More stringent supervision measures and enforcement are expected to be introduced. However, new rules might be quite challenging.
The current NIS Directive has applied the most stringent cybersecurity rules to critical service providers – leading companies in the energy, transport, banking, healthcare and drinking water supply sectors.
However, the proposed update of the legislation further expands this scope. For example, public administration and municipal services, pharmaceutical companies, laboratories, wastewater treatment plants and ground-based space infrastructure will have to meet the highest security standards.
Stringent measures should be applied by postal services or chemical, food, and car manufacturers. The NIS2 Directive would also affect those operating in the digital sector, such as data centres.
Security standards as a burden
The broader scope of the new European cybersecurity legislation raises concerns in the eyes of Czech private companies as the NIS2 will impose additional financial and administrative burdens on their businesses. It is mainly the case for companies that have not had to deal with any cybersecurity obligations before.
“We have to remember that not every company has the financial resources or staff capacity to build special departments dedicated to this issue,” Kateřina Kalužová, digital economy manager at the Czech Confederation of Industry and Transport (SPCR), told EURACTIV.cz.
According to the SPCR, the costs and administration should be as low as possible so that companies do not face unnecessary complications. Entities that do not adopt or comply with the measures could face high sanctions of 2% of the company’s annual turnover or €10 million.
“At first glance, this may seem excessive, but these are sectors that are essential to the functioning of the society and the economy. In the case of repeated major problems, such as ignoring guidelines, the fine must be significant,” said Czech EU lawmaker Evžen Tošenovský (ODS, ECR).
“I assume that the ceiling of fines will be lowered for the less critical entities,” he added.
The NIS2 Directive is currently awaiting the first reading in the European Parliament. According to Tošenovský, the implementation would be challenging not only for companies but also for national authorities responsible for cybersecurity.
“It will take a couple of years for the whole ecosystem to sit down,” the Czech MEP said.
Czech business is getting ready
Czech companies are aware of the risks of cyberattacks and are taking steps to improve their resilience.
Last year’s opinion poll conducted by the SPCR showed that two-thirds of the nearly 100 Czech companies canvassed consider the risk of a cyber-attack to be the biggest threat in the digital sphere. More than 80% of them are taking steps to secure their own systems and computers.
According to SPCR’s Kalužová, the issue of educating companies on cyber security is crucial, particularly for those that do not primarily operate in the technology sector but would be affected by the NIS2 Directive.
“One of the biggest cybersecurity threats is between the chair and the keyboard – the human being. That’s why it is good that more than half of the companies in our survey have educated their employees on cybersecurity,” Kalužová explained.
“Anyone who has access to the company network or has a business phone should be trained,” she added.
[Edited by Luca Bertuzzi]