WHAT IS NIS2?
This is a pan-European piece of legislation on cyber security. It aims to achieve a high level of cyber security in all EU Member States.
Final text approved on 27.12.2022 by the Council of the European Union.
Stricter obligations under the NIS Directive: new obligations introduced in the Czech Republic by 16.10.2024 at the latest.
Tightens the requirements for cyber security.
Who is affected by the new directive
- The new directive applies to more than 6000 entities in the Czech Republic. The entities that will be subject to the regulation are divided into 2 parts – essential (higher obligations) and important (lower obligations) regimes. For more information, see the annex to the NÚKIB
- It applies to medium-sized and larger enterprises (i.e. employing 50 or more employees or having an annual turnover of at least €10 million or an annual balance sheet total of at least €10 million)
- After the self-assessment, the provider of the regulated service must report the registration data to the NÚKIB via a new communication tool, the NÚKIB portal.
Obligation to carry out self-assessment
Technical and organisational measures
- The principle of the measures is that the organisation, if it has not already done so, maps its environment, identifies what it needs to operate its regulated service, assesses the risks to that service and puts in place appropriate measures to reduce those risks to an acceptable level.
- One of the measures is the handling and reporting of cyber security incidents.
Obligation to store logs of all systems and IT infrastructure
- The directive also requires logs from all systems and IT infrastructure to be collected and retained in an unalterable form for at least 18 months.
Allocation of financial resources
- Under the new Directive, the funding needed to meet these obligations must be secured for the future. There are 3 steps to planning the cost of security in an organisation:
  - Identify the needs within your organisation
  - Incorporate the needs into budgeting
  - Spread the costs over time in the budget
- Specific persons are now held personally accountable: the leaders of the organisation, e.g. owners, managing directors, directors, IT managers, network administrators, the cyber security department and IT specialists.
Cyber incident reporting
- Upon discovery of an incident, give an early warning within 24 hours at the latest
- Initial assessment of the incident, including severity and impact, within 72 hours
- Within 1 month, a final report containing a detailed description of the incident
- Monetary penalties – up to 10M EUR or 2% of global turnover
- Other sanctions – temporary suspension of certification and/or barring of any manager
- Sanctions can be imposed repeatedly until remediation is achieved.
Method of control
- Varies between the essential (higher obligations) and important (lower obligations) regimes
- The group with higher responsibilities will be controlled by the NÚKIB and its staff
- The group with lower responsibilities will be controlled as well
New EU Directive on Network and Information Security (nukib.cz)
WHY IS LOG MANAGEMENT IMPORTANT?
Compliance with legislation and the NIS2 Directive
Compliance with regulations and laws (ZoKB, Sb. no. 82/2018, GDPR and ČSN ISO 27001:2013) and detailed documentation in the event of a critical incident.
In the event of a critical incident, use the collected logs to find the origin of the incident.
It records all events in the IT infrastructure for later review.
Full overview (visibility) of all data from the IT infrastructure and what is happening in the company.
Interested in more information about the NIS2 directive? How will TeskaLabs or TeskaLabs LogMan.io help you meet the requirements in your country? Contact us and ask for a DEMO.