If organisations want to avoid mistakes, they need a systematic and responsible approach to implementing the amendment, with an emphasis on regular evaluation of security measures, training of employees, and cooperation with cybersecurity experts. What does best practice look like?
Allocating adequate resources, engaging management, and working with external experts to strengthen cyber resilience are all important for navigating the requirements of the ZoKB and the transposed NIS 2 Directive effectively.
The amendment to Act No. 69/2018 Coll. on Cyber Security (ZoKB), effective from 1 January 2025, introduces the changes resulting from the transposition of the NIS 2 Directive. The fundamental change is the shift from regulating individual services to regulating entire entities or sectors, in order to increase their cyber resilience. The amendment also repeals and replaces a number of implementing regulations, including Decrees 164/2018 Coll. and 165/2018 Coll. Until the new decree on security measures enters into force (provisionally on 1 July 2025), Decree 362/2018 Coll. remains in force.
Under NIS 2, cybersecurity no longer applies to a specific service, but to an entire entity or sector. The law thus focuses on protecting the core activities of the entity. Entities subject to regulation are now defined according to Annexes 1 and 2 of the Act, based on NACE codes, with Annex 1 referring to high criticality sectors (Essential), Annex 2 to other critical sectors (Important). The main criterion for classification as a regulated entity is the size of the organisation – more than 50 employees and a turnover of more than EUR 10 million. However, some entities may be regulated without meeting this condition.
The amendment introduces the obligation to implement enhanced security measures, including network monitoring, vulnerability management, and early reporting of incidents and threats. It should not be forgotten that the statutory officer bears criminal liability and is obliged to keep informed about the state of cybersecurity. The audit process is set up so that the statutory officer is directly involved: he must sign the audit report and the statement of opinion, including the plan for implementing the measures. He may have the documents drafted by someone else, but it is up to him to verify them.
By sending the final report, bearing his signature, to the NSA, he confirms his knowledge of and consent to its contents. He is also responsible for selecting a competent cyber security manager. Although the practical responsibility for incident management and communication with the NSA rests with that manager, the criminal liability remains with the statutory officer.
We have identified ourselves, now what?
If you have already established that you are one of the entities covered by the Act – i.e. you are a provider of Essential or Important services, or you fall into another category defined by the Act, then you are facing a series of steps that require a professional yet pragmatic approach.
At the outset, it is important to understand that the whole process does not start with an audit. The audit is only one of the later steps. The first real step a company should take is an initial analysis, known professionally as a GAP analysis (gap analysis). Its purpose is to find out where your organisation stands today in cybersecurity and what it lacks in order to meet the requirements of the law.
You can also do the GAP analysis yourself if you have people who can read and interpret the law and the relevant methodologies. In principle, it is very similar to an audit – it asks the same questions, looks at the same areas. For example, it assesses whether you have technical measures in place, such as security monitoring, hardening of systems, or systems to manage privileged accounts. The existence of security policies, directives and organisational arrangements is also assessed.
The result of this analysis is a picture of where you are – for example, you will find that you have covered 40% of the requirements of the law, but in some areas you are at the very beginning. This is where the next key step comes in: planning.
Planning security measures
Based on the identified gaps, you need to develop a proposal for the implementation of security measures – a roadmap that takes into account your realistic capabilities, resources and priorities. Not all measures require high costs. Some are purely organisational and procedural, others require investment in technology or external services. That’s why it’s important to set out what you want and can do in one, two or three years. Importantly, neither the law nor the auditor requires you to comply with everything immediately, so it’s not about being 100 percent compliant right from the start. It is much more important that you have a plan, that you are working to improve and that you can demonstrate progress.
Part of this planning includes the development of a cyber security strategy. This is a document that is not just a formality. On the contrary, the strategy should be approved by the organization’s leadership and should clearly identify what your security goals are, how you plan to achieve them, and how you will evaluate their achievement. For an auditor or an audit body, such as the NSA, the existence of a strategy is a clear signal that the organisation is taking a systematic and management-conscious approach to security.
However, planning on paper alone is not enough to ensure that the chosen measures are truly appropriate. A company must start from analyses that reveal what it really needs. This is where two key analyses come in: business impact analysis (BIA) and risk analysis. Together they determine which processes are most important to the company, what disruptions it can (or cannot) afford, what threats and weaknesses it faces, and what their impact would be.
How would this work in practice?
Imagine a company that runs cloud services. In the BIA, it determines that its core process is the provision of the cloud. It then asks itself the question: How long can we afford to have this process not working? A week? A day? The answer is: Not a minute. Based on that answer, the company knows that it must have monitoring in place to identify the outage immediately, it must have technology and people ready to restore service on short notice, it must have backup systems and crisis scenarios in place.
These requirements then logically lead to security measures – from technical (e.g. network redundancy, backups), through organizational (on-call teams, internal processes), to investment (licenses, SOC services, etc.).
The outputs of these analyses are not only the basis for decision-making – they are also documents requested by the auditor or the NSA during an audit. These documents prove that your actions are not random, but based on an assessment of the risks and real needs of your business.
Finally, the whole process is concluded with an audit – either internal or external. The audit will examine how you have your cybersecurity system set up, how well you are executing your plan and strategy, and what is left to be done. The results of the audit serve as both feedback and evidence that the business is working to improve its resilience.
Alignment with ZoKB is not a one-off project, but a long-term process. It’s not a quick “get it done” exercise, it’s about an organisation systematically building a security culture that protects its most valuable assets: data, services, infrastructure and client trust. With a good plan, realistic goals and expert guidance, even a seemingly complex law can become a tool to strengthen your business.