Czech Republic Implements New Cybersecurity Law with Stiff Penalties
Prague, Czech Republic - A new cybersecurity law, implementing the EU’s NIS2 directive, has come into effect in the Czech Republic, potentially affecting up to 10,000 entities and carrying meaningful financial penalties for non-compliance. While the Czech Republic missed the initial European deadline for implementation by over a year, the finalized law includes stricter requirements beyond the original directive, leading to concerns about increased bureaucracy and costs for businesses.
According to legal experts at Dentons, individuals in statutory bodies of affected organizations risk personal liability for damages resulting from violations, potential liability for company debts, removal from office, and bans on holding office for at least six months. Sanctions for individuals can reach up to 20 million Czech crowns.
Companies face even steeper penalties, with fines potentially reaching 250 million crowns or two percent of their annual turnover.
The law’s scope extends beyond core cybersecurity businesses. BDO cybersecurity expert Libor Šrám cautioned that companies should analyze all their activities, not just their primary business. “Regulation may apply not only to the primary sector of their business, but also to related activities that interfere with regulated areas,” he stated. He cited examples of logistics, manufacturing, and retail companies potentially falling under the regulations due to related activities impacting key infrastructure.
Petra Stupková, co-founder of the Czech Association of Artificial Intelligence, emphasized the importance of the law, stating it represents a “minimum level of cyber hygiene” needed across the EU. “AI has accelerated the number of cyberattacks, as well as the possibilities to defend against them. Data has become the new oil… Most of our human activity has moved to the network… For these reasons, the quality and level of security is a matter of European importance.”
However, the implementation process has drawn criticism. Adam Hanka, data director at Creative Dock, pointed out that the Czech Republic’s delay and addition of stricter measures beyond the EU directive have created unnecessary hurdles. “So while the Czech Republic could have ensured that Czech businesses were clear about the obligations and standards a long time ago, the Czech Republic spent too much time approving it, and in addition added its own, stricter requirements to the directive that go beyond the directive. The result is higher security, but also higher bureaucracy and costs for companies and organizations.”
The Czech Republic was originally slated to transpose the NIS2 directive into law by October of last year, but the process was prolonged due to the inclusion of additional measures, notably concerning supply chains.