NIS 2 in sight: what is the current situation for the IT sector?

Probably one of the most significant pieces of regulation expected in 2025 is NIS 2. The new cybersecurity rules will bring many changes, the biggest being the number of entities affected: the estimate is that more than 6,000 will be impacted. If you don't know whether you are among the affected entities, or just want to learn about cybersecurity regulation and its current state, you've come to the right place.


For the purposes of this article, we refer to all of the forthcoming regulation as NIS 2 (the obligations for individual entities will, however, arise from the forthcoming Czech Cybersecurity Act and its implementing decrees, which transpose NIS 2).

Question to start: when will the new rules be adopted in the Czech Republic?

The original plan to implement the rules by 18 October 2024, the transposition deadline set by the Directive itself, has not been met. The new cybersecurity rules are now expected to be adopted sometime in mid-2025. This leaves some time for preparation, as well as for clarifying certain problematic passages in NIS 2. Let's take a look at them.

Confused by the NIS 2 questions? We will be happy to guide you through the whole issue. Get in touch.

Who will feel the impact of NIS 2 in practice?

NIS 2 is an EU directive, which means that its rules must first be transposed into national law by the individual Member States. Until that happens, the rules are not binding on companies. This is how NIS 2 is being incorporated into the new Czech Cybersecurity Act and its implementing decrees.


💡The law will affect regulated service providers, i.e. those who meet both of the following criteria at the same time:
  • Service criterion: you must provide a type of service covered by the Regulated Services Decree (e.g. energy services, health services, rail transport, postal services, electrical equipment manufacturing, financial services, etc.).
  • Provider criterion: you must fall within the definition of a medium or large enterprise, or meet some other sector-specific threshold (e.g. number of hospital beds, etc.).

We often encounter misinterpretations such as "We have more than 50 employees and are therefore a so-called medium-sized enterprise, so we must comply with NIS 2." This is not automatically true. To fall under the new regulation, you must also provide one of the regulated services (see the service criterion above). Even if you have 3,000 employees but your company is in the business of sewing underwear, you will not fall under NIS 2, because you have not met the service criterion. The reverse holds only in most cases: for a few digital infrastructure services (for example DNS service providers, top-level domain name registries, trust service providers, and providers of public electronic communications networks or services) NIS 2 applies regardless of the provider's size, so the size test is not a safe exit for them.

To be really sure whether you provide a regulated service, simply fill in our interactive form, which will give you a preliminary assessment of whether you need to be concerned about new obligations.👇

I want to find out if NIS 2 affects me

Problematic terminology

The Regulated Services Decree, which lists the services covered by NIS 2, contains several sectors, as mentioned above.

The most relevant part for IT professionals is certainly point 16 of the annex to this decree, which defines the digital infrastructure services. There you will find that NIS 2 covers, among other things, Internet service providers, DNS resolution services, Internet exchange point (exchange node) operators, domain registry operators and others. And you will also find that NIS 2 covers cloud computing services.

And this is where we see a significant issue: the concept of cloud computing is nowhere clearly delimited. The 'popular portal' Wikipedia, for example, characterises it as the provision of services or programs by servers accessible from the Internet, which users access remotely, e.g. via a web browser or an e-mail client.

NIS 2 is not much more precise. Its definition (Article 6(30)) covers any digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, and the recitals add that "cloud computing service models include, but are not limited to, infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), and network as a service (NaaS)."

The definition is thus broad, vague and open to inconsistent interpretation, and that leads to a fundamental issue.

This means that virtually any SaaS tool could fall under the category of cloud computing services. Remember that we mentioned at the beginning of this article that NIS 2 would impact 6,000+ entities? Now imagine that every medium-sized enterprise that provides a service based on cloud computing falls into this category. The number of obligated entities would then be many times higher.


Nothing to do but wait

If you are wondering what to do about it, we must ask for your patience: we are waiting for a clear interpretation from the EU. It is therefore not appropriate to blame the Czech National Office for Cyber and Information Security (NÚKIB), which has done an excellent job in drafting the regulations. The concept of cloud computing was simply taken over from NIS 2, so there is practically nothing the local regulator can do about it. We ourselves are curious to see the clarifying definition.

But companies need not panic. We believe that the scope should primarily target entities that, for example, operate their own server infrastructure.

Whatever the outcome, there is still plenty of time, and since medium-sized businesses will generally fall into the regime of lower obligations, setting up the essentials will not be so difficult.

Do you know that NIS 2 will affect you? Check out this article to find out how you can prepare now.
Who will take care of you: Jiří Hradský, Partner (Cybersecurity, GDPR)