Prague – Large domestic companies have called on Prime Minister Petr Fiala (ODS) to halt the legislative process of approving the cyber security law. The law was drafted by the National Cyber and Information Security Agency (NÚKIB) to align Czech legislation with the European NIS2 directive. The companies demand that its impact on businesses be quantified and that the supply chain security screening mechanism be excluded from it. The proposal has passed the Government Legislative Council and the cabinet is expected to address it in the coming weeks. This is according to a letter obtained by ČTK and statements from the Association of Mobile Network Operators (APMS), one of the five organizations that signed the letter. Cabinet spokeswoman Lucie Ješátková told ČTK that it is necessary to proceed in a way that strengthens the cyber security and resilience of the Czech Republic.
The letter was signed by the Czech Chamber of Commerce, the Association of Mobile Network Operators, the ICT Union, the Committee of the Independent ICT Industry, and the Czech Association of Electronic Communications. According to APMS President Jiří Grund, it is not possible to adopt a legal norm without first quantifying the financial impact on companies and authorities. According to the association’s estimate, these costs will be in the tens of billions of crowns. “The Regulatory Impact Assessment (RIA) prepared by NÚKIB does not provide a sufficient basis for qualified decision-making by legislators on the draft law. The RIA was conducted only formally, with a high probability ex post. The office probably first wrote the law and then performed the impact assessment, rather than first conducting analyses, then evaluating their impacts, and finally choosing the one that brings the most benefits at the lowest costs,” Grund told ČTK. The cabinet spokeswoman told ČTK that many meetings on the topic had taken place and that many of the comments from business associations had already been accommodated. According to her, Fiala will respond to the letter in the standard way.
According to APMS’s opposing review, the report above all lacks a concrete overview of the entities that will become regulated service providers under the new law and will therefore have to bring their systems and processes into compliance with it, which will incur costs. The report also contains neither an estimate of these costs nor an aggregate cost estimate, even as a range, nor the costs for individual regulated sectors, which would be needed to assess the impact on the business environment, social impacts, and impacts on consumers. The report completely lacks an evaluation of the impact on small and medium-sized enterprises.
The original goal of the new law was to transpose the European NIS2 cyber security standard into Czech law. According to professional organizations, unlike other countries that simply translated the regulation, the Czech Republic went significantly beyond its scope and additionally included a supplier screening mechanism for which NÚKIB would have the main say. The Czech Republic has until October to adopt NIS2, but NÚKIB has already indicated that it will likely miss that deadline.
According to a survey by the NIS2READY alliance, only 28 percent of organizations have started implementing security measures according to NIS2. Only one in seven is fully prepared. The private companies surveyed expect expenditures in the millions, and a third of them are considering using subsidies.