Compliance Measures
Companies falling under the regulation are mandated to adhere to several sets of measures. The first set encompasses organizational and operational measures, ensuring a baseline of cybersecurity, defining security roles, establishing incident-handling processes, maintaining documentation, and managing suppliers and access. The second set involves technical measures, such as using cryptographic algorithms and ensuring service availability. The extent of obligations depends on whether the entity falls under a lower or higher obligations regime, as defined by the law.
Penalties
Companies failing to comply with the stipulated obligations may face substantial penalties, including fines of up to EUR 10 million or 2% of the net worldwide annual turnover.
Moreover, managers, including executive directors or Board of Directors members, bear the direct accountability of closely overseeing the implementation, given the CSA's proposal of personal liability. The National Cyber and Information Security Agency (NÚKIB) may conduct cybersecurity inspections, potentially resulting in the prohibition of individuals from exercising management positions. According to the CSA and NIS2 Directive, top management must regularly undergo cybersecurity training.
Implementation and Expert Engagement
Implementing the CSA necessitates a meticulous evaluation of regulatory applicability, definition of specific obligations, and execution of required measures. A recommended approach is to involve a team of legal and IT experts for effective implementation, covering aspects like supplier management, corporate governance, risk analysis, documentation modification, process management, incident reporting, and training.
Author: Jaroslav Tajbr, Partner Eversheds Sutherland
26th June 2024
19th September 2024