Our partner Jan Zajíček focused on the key aspects of cybersecurity in a discussion of the NIS2 Directive for the weekly Týdeník Ekonom. He emphasized that the correct setup of processes, work organization and implementation of appropriate technical means is key to ensuring the continuity of the provided services and that NIS2 is not just about cyber security, but about protecting the entire core business of the company.
A key ambition of NIS2 is to strengthen the cyber resilience of individual Member States and companies doing business in the EU. It also includes measures to protect supply chains and supports the prevention and detection of potential cyber-attacks. NIS2 thus provides a legislative tool to strengthen cybersecurity in Europe, promotes cooperation between Member States and emphasises timely information and communication to all business partners and the state.
According to Jan Zajíček, it is essential to realize that cybersecurity is not just an IT issue. “The fundamental difference between current regulation and NIS2 is the focus on protecting business continuity. New legislation is moving away from IT and towards securing the core business of the company. In this context, IT is just a subset,” he explains.
Zajíček also praised the work of the National Cyber and Information Security Agency so far. “In the Czech context, I have never seen a branch law that was so well communicated in all its preparatory stages. Among other things, the National Cyber and Information Security Agency comes to the entities affected by the legislation and holds panel discussions. In addition, it has recently published ten so-called factsheets, which give even a layman a very good idea of the obligations associated with NIS2.”
Our partner further highlighted the differences in the impact of NIS2 on large corporations and medium-sized enterprises. “For holding companies, within which some firms are already in a higher duty regime, the implementation of NIS2 is primarily about capacity, not lack of know-how. Medium-sized enterprises, which will be subject to the new obligations, will not only have to deal with a lack of know-how, but primarily with a lack of capacity.”
Jan Zajíček sees one of the main risks in underestimating the preparations for the implementation of the obligations. “I fear that many companies will tend to turn their IT specialists into cybersecurity specialists. I’m afraid a lot of companies could suffer for such a strategy. The approach of “you’re in charge of managing the network, so you’re in charge of protecting it” is not only utopian, but literally dangerous. It is like entrusting a builder with construction supervision. A normal person wouldn’t do that. For my part, I would therefore recommend a more responsible approach and I would already start calculating the increased costs of preparing all the necessary processes and implementing technical means into the budgets.”
NIS2 has the ambition to move companies towards the role of an enlightened entrepreneur who understands not only their core business, but also the potential cyber threats that can quickly “disrupt” their business. “Prevention is the foundation, only then can detection and, in the event of an incident, response come into play. Obviously, cyber attacks cannot be completely eliminated, but it is possible to control how easily attacks can succeed and how much impact they will have on my business.”
“NIS2 basically mandates what an entrepreneur should normally do, but because it costs money and is not his core business, he doesn’t do it,” concludes Jan Zajíček.
Full debate of Týdeník Ekonom here