NIS-2 will be handled by the government and NÚKIB

Martin Průcha, 05. 08. 2024


Even though it seemed that NIS-2 would be handled by NÚKIB, the new government’s draft law on cybersecurity has made some significant shifts. According to the amendment of paragraph 29, the supply chain will be reviewed at the government’s command. “It is right that such a decision, which may have an impact on state budget expenditures, should be made by the government,” stated Minister Bartoš.

The entire dual approach (NÚKIB + government) is based on how quickly it will be necessary to get rid of potentially problematic suppliers of strategically significant services. If it is sufficient for the ban to take effect only after the problematic supplies have been tax-deducted, or after five years from the purchase of the hardware, it is within the scope of NÚKIB (National Cyber and Information Security Agency). Furthermore, in case of emergency, NÚKIB can enforce a ban, but the government has ensured that the regulation is primarily under its control. All remaining cases are under governmental control.

RIA: impact assessment

However, that’s not the only news regarding NIS-2, as a Regulatory Impact Assessment (RIA) report was newly released, writes Lupa.cz. The report spans a hundred pages, and in it NÚKIB recommended focusing in detail on, for example, the assessment of the financial impact on the obligated entities, divided into regimes of higher and lower obligations. The RIA acts as an assessment of why to implement or not implement NIS-2.

The impacts are divided into several categories. In the zero variant, meaning if nothing is done at all, the office identified the initiation of infringement proceedings by the European Commission and a conflict with the legislative work plan as threats. In the minimalist variant, where only the necessary transposition of the NIS-2 directive would occur without any creativity on the regulator's part, the RIA speaks of an “inestimable strategic threat in the form of dependency on risky suppliers or the presence of highly risky ICT supplier technologies in this infrastructure.”

As evidence of the threat, the RIA mentions the 2022 attack on the Directorate of Roads and Highways, which resulted in a loss of at least 30 million crowns, and the 2020 attack on the Brno University Hospital, with damages amounting to tens of millions of crowns. The RIA also mentions the commercial sector. According to the umbrella association of Czech insurers, the total damages over the past three years did not exceed 50 million crowns. However, insurance is commonly sought only by large and IT-focused medium-sized companies. The RIA also considers even more drastic scenarios, such as a significant incident in telecommunications services, where communications and internet traffic would be completely paralyzed. Such an incident would cause damages amounting to 2.5 to 10% of daily GDP, or from 400 million to 1.644 billion crowns each day.

On the other hand, the RIA estimates that a single secured proposal would cost approximately between 800 thousand and 1.5 million crowns per secured system. 

Who has different conditions for what is regarded as a significant incident?

Regarding the scope of the regulation, the European Commission has published a draft that sets out how it will impact digital service providers. These providers include cloud computing services, trust services, DNS system operators, search engines, and online marketplaces. The directive expects this narrow group of providers to have different conditions from all others. This primarily concerns the definition of a significant incident and the associated obligations. An incident is significant if it meets one or more conditions: if it caused or could cause damage to a regulated entity exceeding either 100 thousand euros or 5% of annual turnover, whichever is lower, or if the incident caused reputational damage or leaked trade secrets.

The regulator from Brno estimates that at least 6,000 entities will newly fall under the regulation. A thousand of them will face stricter regimes, while the remaining five thousand will have milder ones.

This article was inspired by an article by Martin Drtina on Lupa.cz.

Author: Oldřich Příklenk

