In the European Union, the long-overdue Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity across the Union and amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (hereinafter the “NIS2 Directive”) has been adopted. It brings many changes to the way cybersecurity is ensured in the member states.
We have already informed you in general terms about the purpose of the NIS2 Directive, obliged entities, security measures, incidents and controls in our article The upcoming directive on cybersecurity and the most important changes to the legislation.
In the Czech Republic, a new Cybersecurity Act and related decrees are currently being drafted. The draft Cybersecurity Act is based on the wording of the existing Act No. 181/2014 Coll., on Cybersecurity, and aims to implement the changes required by the NIS2 Directive into the Czech legal order by 17 October 2024 at the latest. On 25 January 2023, the National Cyber and Information Security Agency (hereinafter the “NCISA”) published a draft of the new Cybersecurity Act and the related draft regulations for public comment and discussion. The standard legislative process is expected to commence during 2023.
In this article, we will focus on the forthcoming draft of the new Cybersecurity Act, with particular reference to the food industry.
Providers of regulated services
Under the draft act, obligated persons are regulated service providers that meet the criteria set out in the proposed decree on regulated services. The process of identifying regulated service providers will usually take the form of self-identification and, where appropriate, subsequent registration with the NCISA, which will enter the provider in the register.
Regulated service providers are those who provide at least one regulated service. The draft act provides for:
- criteria for the identification of the regulated service (found in the annex to the draft regulation on regulated services) – these criteria serve to self-identify the organisation, and
- criteria for determining the regulated service (found in the provisions of the regulation on regulated services) – on the basis of these criteria, the NCISA will assess in an administrative procedure with the organisation whether these criteria have been met.
Like the NIS2 Directive, which divides obligated entities into essential and important ones, the draft Cybersecurity Act works with two regimes: a regime of higher obligations and a regime of lower obligations. A single organisation will, however, always fall under only one regulated service provider regime: if it fulfils the criteria for multiple regulated services under different regimes, the higher obligation regime applies.
Food industry and regulated services
According to the NIS2 Directive and also according to the draft regulation on regulated services, the food industry is one of the regulated sectors.
The food industry includes regulated services related to (i) food production, (ii) food processing and (iii) food distribution. Providers of these services will be obligated persons if they are a food business under a directly applicable European Union regulation and meet the condition of being a large or medium-sized enterprise (i.e. having more than 50 employees and a turnover or balance sheet total of up to EUR 10 million).
The term food business enterprise is defined in Article 3(2) of Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety as a public or private undertaking, whether profit-making or not, which carries out activities relating to any stage of the production, processing and distribution of food.
Food business enterprises which, as regulated service providers, fall within the above definition will be required to inform the NCISA that they meet the criteria and to register. The first deadline for registration is 90 days after the criteria have been met (or after the act has come into force); the second deadline is 30 days after the organisation has been found to meet the criteria.
Responsibilities of regulated service providers
Food businesses, like other regulated service providers, will in particular have the following obligations under the draft Cybersecurity Act:
- register with NCISA and report contact and other data,
- determine the scope of cybersecurity governance; if the organisation does not take this step, the entire organisation is considered to be the scope of governance,
- implement security measures, according to the set of rules set out in the draft Cybersecurity Act, depending on whether the organisation falls within the lower or higher duty regime; in general, the principles of security measures include (i) guiding the organisation to map the environment, (ii) identifying what is necessary to ensure the operation of the regulated service being performed, (iii) assessing the risks, and (iv) putting in place reasonable measures to reduce the risks,
- report cybersecurity incidents (under the lower obligation regime, only those that the organisation assesses to be significant),
- inform customers about incidents and threats, and
- implement countermeasures.
Since food service providers are important entities under the NIS2 Directive, they will be subject to the regime of lower obligations, and their obligations will be set out in detail in the draft regulation on security measures for regulated service providers under the regime of lower obligations.
Regulated service providers will also be obliged to submit to an inspection carried out by an inspector.
Sanctions and coercive measures
Enforcement measures include inspections by the NCISA and inspectors and any subsequent corrective action, which may include issuing a warning, caution or reactive measure.
Fines are introduced as a sanction and will be imposed for offences consisting in breaches of the statutory obligations. The level of fines set out in the draft Cybersecurity Act follows the NIS2 Directive, so that the fines are effective, proportionate and dissuasive.
In the case of regulated service providers under the enhanced obligations regime, other administrative penalties may also be imposed, such as suspension of certification or suspension of management functions.
The NIS2 Directive and the Cybersecurity Act aim to ensure a high level of cybersecurity. In the Czech Republic, the changes are expected to take effect with the entry into force of the new Cybersecurity Act, anticipated in the second half of 2024.
Although the first draft of the act has already been prepared by the NCISA, further changes to the act can be expected during the legislative process, and we will keep you informed about them.
Should you have any questions about the NIS2 Directive or the draft Cybersecurity Act, we are fully at your disposal.
Mgr. Kateřina Roučková, junior lawyer – email@example.com
Mgr. Jakub Málek, managing partner – firstname.lastname@example.org
21. 03. 2023