NIS2 Directive Set to Become Law in Czechia and Sweden: A GRC Game-Changer
- Dean Charlton

- Jul 7, 2025
The European Union's updated cybersecurity framework, the NIS2 Directive (Directive (EU) 2022/2555), is rapidly being transposed into national law across member states, with Czechia and Sweden actively progressing towards its full implementation. This crucial directive aims to significantly bolster the EU's collective cybersecurity posture, introducing broader scope, stricter requirements, and enhanced enforcement mechanisms. For organisations operating in Czechia and Sweden, understanding the implications for their Governance, Risk, and Compliance (GRC) frameworks is paramount.

Key Dates and Progress
Czechia:
- Legislation Approved: The Czech Republic's new Cybersecurity Act, which incorporates the requirements of NIS2, was approved by the Parliament and signed by the President on June 26, 2025.
- Compliance Deadline: Regulated entities will have a transition period of one year from the date of their registration to establish a comprehensive cybersecurity management system and meet incident reporting obligations.
Sweden:
- Report Published: The Swedish government published its partial report on the implementation of NIS2 and CER (Critical Entities Resilience) in March 2024, followed by a final report in September 2024.
- Bill Submission: The Swedish Government is preparing a bill to be adopted by the Swedish Parliament (Riksdagen), with the intention for the bill proposal to be issued during the spring of 2025.
- Expected Entry into Force: The new act is expected to take effect in Sweden by summer 2025 at the earliest, though some reports suggest July 1, 2026, as the official entry into force for the new Cyber Security Act that will transpose NIS2.
- Registration and Compliance Deadlines: Essential Entities must comply by December 31, 2026, and Important Entities by March 31, 2027. Registration is expected to be required by September 30, 2026.
What NIS2 Means for GRC in Czechia and Sweden
The NIS2 Directive introduces significant changes that will profoundly impact GRC functions within affected organisations in both countries. Here's a breakdown of the key implications:
1. Expanded Scope and Classification:
- Increased Number of Entities: NIS2 significantly expands the range of sectors and entities falling under its purview. In Czechia, the number of affected companies is expected to rise from approximately 400 to 6,000. Sweden anticipates a jump from around 900 to 6,000–8,000 entities.
- Essential vs. Important Entities: Organisations will be categorised as either "Essential" or "Important" entities based on their size and the criticality of their services. Both categories must adhere to the same security measures, but Essential entities will face stricter proactive supervision, whereas Important entities will be monitored reactively following incidents.
- Sectors Affected: The directive covers a wide array of sectors, including energy, transport, banking, financial market infrastructures, healthcare, digital infrastructure, drinking water, wastewater, postal and courier services, waste management, chemicals, food production, manufacturing (e.g., medical devices, electronics, machinery, motor vehicles), and digital providers (e.g., online marketplaces, search engines, social media platforms). Public administration is also subject to the requirements.
2. Enhanced Risk Management and Security Measures:
- Mandatory Risk Assessments: Organisations will be required to conduct systematic and periodic risk assessments of their network and information systems.
- Comprehensive Security Measures: NIS2 mandates the implementation of a comprehensive set of technical, operational, and organisational security measures. These include:
  - Incident management and response.
  - Supply chain security, including assessing the security of direct suppliers.
  - Network and information system security.
  - Access control and data encryption.
  - Vulnerability handling and disclosure.
  - Cybersecurity training and basic cyber hygiene.
  - Policies and procedures for the use of cryptography.
  - Asset management.
  - Business continuity, disaster recovery, and crisis management plans.
  - Use of multi-factor authentication and secure communication channels where appropriate.
- Focus on All-Hazards Approach: Entities must be prepared to address a wide range of threats, from cyberattacks to physical disruptions.
3. Stricter Incident Reporting Obligations:
- Timely Notifications: NIS2 sets specific deadlines for reporting security incidents that have a significant impact on service provision or recipients. This includes:
  - An "early warning" within 24 hours.
  - An updated report within 72 hours.
  - A final report within one month.
- Public Disclosure: In some cases, organisations may also have a duty to inform users about serious cybersecurity incidents that could affect them.
4. Increased Corporate Accountability and Governance:
- Management Responsibility: NIS2 places greater emphasis on the direct responsibility of senior management for cybersecurity. Management bodies are required to approve the entity's cybersecurity measures, oversee their implementation, and undergo relevant cybersecurity training.
- Potential Penalties for Management: Breaches of the directive can result in penalties not only for the organisation but also for individual management members, including potential liability and temporary bans from management roles. This elevates cybersecurity from a technical concern to a boardroom priority.
5. Robust Supervision and Enforcement:
- Competent Authorities: National competent authorities (e.g., NÚKIB in Czechia, MSB in Sweden) will have enhanced powers for supervision and enforcement.
- Significant Penalties: Non-compliance can lead to substantial financial penalties, comparable to those under the GDPR. For Essential entities, fines can reach up to €10 million or 2% of total annual global turnover, whichever is higher. For Important entities, fines can be up to €7 million or 1.4% of global annual turnover.
- Other Sanctions: Authorities can also impose non-monetary sanctions, such as compliance orders, mandatory security audits, and even temporary bans on providing services.
Recommendations for GRC Professionals:
Organisations in Czechia and Sweden should not delay in preparing for NIS2 compliance. Key actions for GRC teams include:
- Determine Scope and Classification: Immediately assess whether your organisation falls under NIS2 and whether it will be classified as "Essential" or "Important."
- Conduct a Gap Analysis: Compare existing cybersecurity controls and GRC frameworks against the comprehensive requirements of NIS2. Identify areas needing improvement.
- Develop and Implement Policies and Procedures: Update or create new policies and procedures for risk management, incident response, business continuity, and supply chain security.
- Strengthen Supply Chain Security: Pay close attention to cybersecurity risks within the supply chain, as organisations will be responsible for their direct suppliers.
- Enhance Incident Response Capabilities: Establish robust incident detection, analysis, and reporting mechanisms to meet the strict notification timelines.
- Ensure Management Engagement and Training: Involve senior management in cybersecurity strategy, secure their approval for measures, and provide necessary training.
- Invest in Technology: Leverage GRC tools and cybersecurity solutions that can assist in managing compliance, automating processes, and providing real-time visibility into security posture.
- Prepare for Audits: Be ready for potential audits and inspections by national authorities.
By proactively addressing the requirements of the NIS2 Directive, organisations in Czechia and Sweden can not only ensure compliance and avoid penalties but also significantly enhance their overall cyber resilience in an increasingly complex threat landscape.