The European NIS2 Directive, the DORA Regulation, and the New Cybersecurity Act

Cybersecurity has become one of the key issues of our time. Cybercrime is rapidly increasing and is now often described as the third-largest economy in the world. By 2025, damages caused by cyberattacks are expected to reach USD 10.5 trillion, exceeding the annual losses caused by natural disasters. As a result, around 50% of companies in the Czech market are currently considered uninsurable against cyber risks. As the digital landscape evolves quickly, maintaining the digital competitiveness of Europe has become essential.
In response to these developments, the European Union introduced the NIS2 Directive, which strengthens the protection of the digital environment. The directive expands and tightens rules for organizations providing essential services—from healthcare and transportation to energy. Its goal is to ensure that European countries are better prepared to defend against cyberattacks and respond effectively to emerging threats.
The Czech Republic is implementing this directive through a new Cybersecurity Act, which fully incorporates the European rules into the national legal framework. Unlike previous legislation, which primarily applied to large corporations and government institutions, the new law will also cover smaller companies that play an important role in the functioning of the state. The number of affected entities is expected to increase from roughly 400 today to between 6,000 and 10,000 organizations in the Czech Republic alone. This broader scope is largely due to the requirement for companies to determine whether they fall under the regulation themselves—failure to do so may result in strict penalties. Moreover, the directive will affect not only directly regulated companies but also their supplier and partner networks.
The new rules introduce several major changes. Organizations will need to strengthen the protection of their networks and data, report cybersecurity incidents, and more thoroughly assess the risks associated with their suppliers. Companies that fail to implement adequate security measures may face significant penalties—up to EUR 10 million or 2% of annual global turnover, whichever is higher.
The new law has already been approved by the government and is awaiting final legislative approval. If everything proceeds as planned, it should come into effect in the summer of 2025. For companies, this means preparation should begin as soon as possible. Success will depend not only on implementing technical safeguards but also on training employees and establishing clear cybersecurity policies and procedures.
At the same time, European lawmakers have introduced the DORA Regulation, which complements and partially modifies the NIS2 framework by focusing specifically on the financial sector—including banks, insurance companies, insurance intermediaries, and cloud service providers for financial institutions.

Unlike the NIS2 Directive, DORA is a regulation, meaning it is directly applicable in all EU member states without requiring national legislation. Its objective is to ensure the resilience of financial institutions against cyber threats by imposing strict requirements for risk management, IT resilience testing, and incident reporting.
Together, the NIS2 Directive, the DORA Regulation, and the new Cybersecurity Act represent an important step toward a safer digital environment. While they introduce stricter rules, their primary goal is to protect businesses, institutions, and citizens from the growing threat of cyberattacks.

Would you like to ensure that cyber risks do not catch your company unprepared? Contact us—we will be happy to help assess your current level of cybersecurity and design the right insurance program for your organization.