The Czech Republic amended its Cyber Security Act, effective this month. Currently, the Cyber Security Act imposes minimum reasonable cybersecurity requirements, but only for critical infrastructure companies, such as companies in the energy, transportation, water management, and banking sectors. The amendment expands the scope of the Cyber Security Act to include additional industries, namely financial, digital, health services, chemical infrastructures, and digital services providers. In addition to expanding the scope of the Act’s coverage, the amendment also increases the maximum fines from 100,000 Czech koruna to 5 million Czech koruna, and establishes a National Bureau for Cyber and Information Security.

This amendment is in response to a July 2016 EU directive on network and information security (NIS Directive) designed to ensure a high common level of network and information security across the EU. Among other things, the NIS Directive requires member states to establish a competent cybersecurity authority, prepare for cooperation amongst member states, and establish a culture of security across vital economic sectors. The amendments to the Cyber Security Act bring the Czech Republic into compliance with the NIS Directive’s requirements by expanding the scope of the Act to cover all of the required sectors under the NIS Directive.

TIP: This amendment serves as a reminder of the increasing global concern amongst regulators regarding cybersecurity. This is especially true in the EU, where it requires EU member states to incorporate the Directive into their respective laws by May 2018. Upon full implementation of the NIS Directive, EU regulators will have greater authority to regulate the cybersecurity provisions of companies in key sectors in their own countries as well as greater communication and cooperation with other regulators throughout the EU.