Amcham’s Objections to the Amendment to the Cybersecurity Act – What Are the Reasons?

Martin Průcha, 16. 07. 2024


The government recently postponed the discussion of a new law on cyber security, which aims to implement the European NIS2 Directive as a follow-up to the original NIS Directive. The directive is due to come into force in October, although the NISD has already indicated it may miss that deadline. However, Prime Minister Fiala has announced that the cabinet will revisit the law in July.

One of the reasons for the suspension was likely the objections raised by the American Chamber of Commerce in the Czech Republic (Amcham), which includes companies such as Microsoft, Oracle, GE Aerospace, Honeywell, and Onsemi. Amcham’s criticism centers on the belief that NIS-2 will increase costs without providing significant improvements. They also oppose the extent of the powers that the National Cyber and Information Security Bureau (NCIS) will gain. In a clear statement, Amcham members expressed their concern that the law, as currently drafted, will raise costs without corresponding enhancements in security. 

Specifically, Amcham argues that the bill requires the public sector and providers of strategic services to have a plan for providing these services domestically within a specified timeframe. This aligns with NIS-2’s goal of identifying all primary assets within an organization, including their records. Organizations must determine which primary assets are related to regulated services and identify their supporting assets. This process involves controlling access to these assets and defining the scope of the security management system. The directive also emphasizes developing and updating security policies and documentation to ensure consistent protection and proper management of cyber risks.

However, this requirement poses a significant cost for companies using cloud services. According to Amcham, creating such a plan for strategic services that rely on multinational IT networks, especially the cloud, would likely necessitate purchasing partial or complete infrastructure in the Czech Republic, which is expensive. Another significant change, and another point of criticism from Amcham, is the reporting of registration, contact, and other additional data to the NCIS, together with the obligation to report cyber security incidents within 24 hours of discovery.

NIS-2 also encourages sharing essential cybersecurity information between organizations, including information on cyber threats, vulnerabilities, breach indicators, tactics, techniques, procedures, cybersecurity alerts, and configuration tools. The directive aims to enhance cooperation between Member States and improve the sharing of information on cyber threats and incidents. Ironically, Amcham is less concerned about the need for companies to share assets and more about the difficulty and expense of identifying all these processes, which they believe will not yield significant benefits in individual company defenses.

One could argue that while NIS-2 is intended to strengthen cybersecurity, the volume of data that firms must share with state authorities and each other paradoxically makes them more “vulnerable” by making them more exposed. The NIS-2 strategy aims to create a collective defense that will be more effective against external threats. This coordinated approach seeks to improve responses to cyber attacks and minimize their impact. However, building such a defense is costly, as Amcham points out.

 

author: Oldrich Příklenk

picture: chatgpt

