Czech Republic Implements New โฃCybersecurity Law with Stiff Penalties
Prague, Czech Republic -โ A new cybersecurity law, implementing โthe EU’s NIS2 directive,โ has โขcome into effect in the Czech Republic, perhaps impacting up to 10,000 entities and carrying meaningful financial penalties for non-compliance. While the Czech republicโ missed theโ initial European deadline for implementation โฃby over a year, the finalized law includesโ stricter requirements beyond the original directive, leading to concerns about increased bureaucracy and costs โขfor businesses.
Accordingโฃ to legal experts at Dentons,individualsโ in statutory bodies of affected organizations risk โpersonal liability โfor damages resulting from โขviolations,potential liability for company debts,removal from office,and bans on โฃholding office for at least โขsix months. Sanctions for individuals โฃcan reach up to 20 million Czech crowns.
Companies face even steeper penalties, with fines potentiallyโค reaching 250โข million crowns orโข two percent of their annual โขturnover.
The law’s scope extends beyond core cybersecurity businesses. BDO cybersecurity expert Libor ล rรกm cautioned that โขcompanies should analyze all โ their activities,not just their primary business. “Regulationโ may โapply โnot only to the primary sector of theirโ business, but also to related โคactivities โthat interfereโค with regulated areas,” โhe stated. He cited examples of logistics, manufacturing, โฃand retail companies potentially falling under the regulations due to related activities impactingโ key โขinfrastructure.
Petra Stupkovรก, co-founder of the Czechโ Association of Artificial Intelligence, emphasizedโค the importance of the law, stating it represents a “minimum level of cyber hygiene”โฃ needed across the EU. “AI has accelerated the number of cyberattacks, as well as the possibilitiesโ to defend against โฃthem. Data hasโข become the new oilโฆMost of our human โactivity has moved to โฃthe networkโฆFor these reasons, the quality and level of โsecurity is a matter of European importance.”
However, the implementation โprocess has drawn criticism.Adam Hanka, data director at Creative Dock, pointed out that the Czechโข Republic’s delay and addition of stricter measures beyond the EU directive have created unneeded hurdles. “Soโ while the Czech Republicโข could have ensured that Czech โbusinesses were clear about โขtheโ obligations and standards a long โtime โขago, the Czechโ Republic spent too much time approving it, and in โaddition added โits own, stricter requirements to the directiveโข that go beyond the directive. The result is higher security, but also higher bureaucracy and costs for companies and organizations.”
The Czech Republic was originally slated to introduce the NIS2 โขdirective into law by October of last year, but the process was prolonged due to the inclusion of additional measures, notably concerning supply chains.
