NIS2 News 2025: Key Changes That May Affect Your Business – Prepare Early!

Even though the deadline for transposing the NIS2 Directive passed in October 2024, the new Czech Cybersecurity Act that is to implement it is still awaiting approval in the Chamber of Deputies. It is currently expected to enter into force in mid-2025. The new regulation significantly expands the range of organisations that will be required to manage their cyber security. The aims of NIS2 are to strengthen the protection of services that are critical for the state and its citizens and to make organisations more accountable for their own cyber resilience.

What changes will NIS2 bring in 2025?

The European Commission has opened infringement proceedings against the 23 Member States, including the Czech Republic, that had not transposed the NIS2 Directive into national law by the 17 October 2024 deadline. These countries have received a letter of formal notice calling on them to complete the transposition; if they fail to do so, the proceedings can end in financial penalties.

Ambiguity in Legislative Requirements

Because the Cybersecurity Act that is to implement NIS2 in the Czech Republic has not yet been approved, enterprises have only limited information on what specifically will be required of them. The obligations set out in the Directive itself are known, but the national details (thresholds, deadlines and the exact wording of the measures) are not yet final.

Implementation Deadlines

Once the law is passed, regulated entities will have only two months to report their regulated services to the National Cyber and Information Security Agency (NÚKIB). This means that even before the law comes into force, businesses should at least know whether it applies to them and which category they fall into (in NIS2 terms, an essential or an important entity), because the obligations differ between the two.

Preparing for the New Legislation

Knowing whether your business will be affected is only the bare minimum. Companies should not wait for the final text of the law; they should start preparing now. A GAP analysis, a risk assessment, a review of existing security measures and employee training are the key steps that will reduce cyber risk and put the organisation in a position to meet its legal obligations once they apply.

Obligation to Report Cyber Incidents within 24 Hours

One of the key changes that will come into force in 2025 is the obligation to report significant cyber security incidents to NÚKIB within 24 hours of their discovery. The clock runs from the moment the organisation becomes aware of the incident, regardless of weekends or working hours. Such a short window means that companies will have to improve their detection capabilities and ensure that they:

  • have a clearly defined internal methodology for assessing incidents, including the severity of their impact, so that the decision whether an incident is reportable can be made quickly and consistently;
  • have a security team that is able to triage and escalate incidents early, including outside normal working hours;
  • are able to report the incident to NÚKIB in time and to preserve and provide the supporting evidence (logs, alerts, affected systems).

For this reason, companies should update their incident response plans and regularly train and exercise their employees so that they know how to respond correctly in the event of a cyber attack.

Management Responsibility

An important new provision makes company management directly responsible for cyber security. Under NIS2, the management bodies of regulated entities must approve the cyber security risk-management measures, oversee their implementation and undergo training themselves, and they can be held personally liable for breaches of these obligations. Responsibility therefore no longer rests only with the company as a legal entity, but with its top management.

Supply Chain Under Scrutiny

NIS2 requires companies to scrutinise their suppliers and partners more rigorously, because an attacker who compromises a supplier can reach every customer of that supplier. In practice this means:

  • conducting audits and due diligence of suppliers before and during the relationship;
  • concluding contracts with suppliers that define security requirements clearly, including incident notification duties towards the customer;
  • ongoing monitoring of third parties from a cyber security perspective, not just a one-off check at onboarding.

How to prepare for NIS2?

Many companies have still not started preparing for the new regulation, even though the new law is expected to come into force in mid-2025. If NIS2 applies to you, we recommend the following steps:

  • Identify the category you will fall into under the new regulation (essential or important entity), since the obligations and deadlines differ between them
  • Perform a GAP analysis of the difference between your current state and the new requirements
  • Create an action plan for the implementation of preventive measures and for cyber risk management
  • Provide staff training in cyber security, including the management training that NIS2 requires
  • Improve detection and monitoring capabilities, including SIEM and centralised log management, so that the 24-hour reporting deadline can realistically be met
  • Outsource cyber security to experts if the company does not have its own in-house team

At RSM, we will be happy to help you with the whole preparation process – from GAP analysis through the design and implementation of security measures to setting up internal policies and employee training.

Don’t wait for the law to be approved – prepare early and minimise your risk!

RSM Authors

Jakub Burian

Senior Consultant

Zuzana Kubíková

Head of Management Consulting