
4 FEBRUARY 2025

New cybersecurity obligations: Are you an essential service provider?


Authors of the article

Hieu Trung Nguyen, Associate

Juraj Ondrejka, Partner

As of 1 January 2025, an amendment to Act No. 69/2018 Coll. on Cyber Security ("the Act") came into force, transposing the NIS 2 Directive into the Slovak legal order.

In our previous article, we briefly introduced the NIS 2 Directive and its purpose. Today, we take a closer look at the specific obligations the Act brings and at whether the new cybersecurity rules may apply to your company.

What areas are regulated?

Do you operate in the energy, transport, finance, healthcare, water or waste management, manufacturing (including medical devices or electronic equipment) or any other sector listed in Annex 1 or Annex 2 of the Act (the "Affected Sectors")? If so, you should pay close attention. The new cybersecurity legislation brings important obligations for companies in these sectors, from energy to machinery manufacturing, and the implications for your business could be substantial.

What is at stake?

Under the new legislation, some businesses may fall under the definition of a so-called Essential Service Operator or Critical Essential Service Operator. If your company qualifies as one of these entities, you will need to comply with a number of new obligations. Among the most important of these are the obligations to:

  • adopt, implement and comply with the security measures required by the Act, based on a risk analysis you have performed;
  • establish processes for detecting and handling cybersecurity incidents;
  • appoint a cybersecurity manager; and many others.

One of the innovations introduced by the NIS 2 Directive and the Act is the principle of self-identification of essential service operators. Each company must itself assess whether it meets the criteria and whether the new rules apply to it; the Authority will not do this assessment for you.

Are you an essential service operator?

The new cybersecurity rules do not apply to everyone, but if you are in the manufacturing or service business, you should check the following criteria to assess whether you are an essential service operator:

  • Sector of activity - the business must operate in one of the Affected Sectors as set out in Annex 1 or 2 of the Act;
  • Size of the enterprise - the enterprise must be at least a medium-sized enterprise under Commission Recommendation 2003/361/EC, i.e. it must not qualify as a small or micro enterprise. In practice this means it has 50 or more employees, or both its annual turnover and its annual balance sheet total exceed EUR 10 million. Enterprises above the ceilings for a medium-sized enterprise (250 or more employees, or an annual turnover above EUR 50 million together with a balance sheet total above EUR 43 million) are covered as well.

When assessing whether you meet the above criteria, it is important to consider a number of specifics:

  • The number of employees also includes seconded and temporary workers, as well as owner-managers.
  • If your company belongs to a group of linked or partner enterprises, the number of employees, turnover and balance sheet figures are aggregated across the group: in full for linked enterprises and in proportion to the shareholding for partner enterprises. This can significantly affect the outcome of the assessment, so a company that looks small on its own may still be caught.

Some companies may be regulated by the Act regardless of their size. For example, if you provide a service whose disruption could have a significant impact on public order, public safety or public health, or if you are a critical entity for a particular sector because of your specific national or regional importance, the rules apply to you regardless of the size of your business.

What if you meet these criteria?

If you qualify as an essential service operator, you are required to notify the National Security Authority (Národný bezpečnostný úrad, "the Authority") within 60 days of the date on which you begin providing the service or, for existing operators, within 60 days of the effective date of the Act. For existing operators the notification deadline therefore expires on March 3, 2025.

The Authority will then, after prior consultation with the relevant central authority, decide whether or not to enter the company in the register of essential service operators.

The rights and obligations of an essential service operator then arise for the company only on the date specified in the notice of its entry in the register of essential service operators, and not earlier than the thirtieth day after that entry.

What if you don't file a notice with the Authority?

If you fail to notify the Authority that you qualify as an essential service operator, you may be fined between EUR 300 and EUR 500,000.

Failure to comply with the legal requirements in the field of cybersecurity can also lead to loss of customers and a deterioration of trust among business partners, not to mention reputational damage.

If you are unsure whether your company is an essential service operator, contact us. We would be happy to help.


In addition, we also offer:

  • Comprehensive cybersecurity legal advice;
  • Audit and review of contractual documentation with suppliers and proposal of appropriate measures;
  • Training for members of the statutory body or selected employees on the legal requirements;
  • Assistance with inspections and representation in proceedings before the NBÚ, including compliance with notification obligations and setting up internal processes.
