8. Sanctions and enforcement measures
Sanctions and enforcement measures are not new in cybersecurity regulation. The Act on Cyber Security has had them in its text from its very beginning. The content of the NIS2 Directive, and thus future regulation, will not differ so much in general principles from the current regulation, but it will nevertheless bring several innovations.

Proposal of National Regulation

The proposed Act on Cyber Security contains all the supervision and enforcement powers that the competent authorities must have under the NIS2 Directive, many of which are already enshrined in the current text of the Act. In addition to the audits mentioned in the previous topic and the follow-up corrective measures, there are the so-called countermeasures, which include the possibility of issuing an alert, warning or reactive measure. However, these countermeasures do not serve primarily as punitive measures.

Typical sanctions are fines that can be imposed in connection with the commission of offences related to individual legal obligations. The amounts of fines are largely based on the requirements of the NIS2 Directive or roughly correspond to the amounts set out in the NIS2 Directive. Similar amounts of fines are also included in the data protection legislation, and there is no reason to deviate significantly from this practice. The central principle remains that the sanctions imposed should always be effective, proportionate and dissuasive, taking into account the circumstances of each individual case. Only upper limits are set for sanctions, and the principle that sanctions must not be devastating for the organisation must be upheld. There are no lower limits on sanctions.

In addition to the standard sanctioning instruments, which are fines, the proposed Act on Cyber Security also includes other administrative penalties, including suspension of certification and suspension from exercising managerial functions, in line with the NIS2 Directive. However, these can only be applied in the case of regulated service providers under the higher obligations regime. Information on the suspension of certification or on the decision to temporarily prohibit the exercise of a managerial function is published by the NUKIB on its website.

Suspension of certification may occur if the NUKIB imposes an obligation on the provider of a regulated service to remedy deficiencies identified during an inspection (corrective measure) and the provider fails to comply with this obligation. If the regulated organisation holds a European Cyber Security Certificate or other certificate or certification related to the cyber security of the regulated service, it may be suspended until the deficiencies identified during the inspection are corrected, but at least for 6 months.

The most significant sanction is the suspension of a natural person from the performance of his/her management function; this can only be decided by a court on the proposal of the NUKIB. Such a suspension may be proposed by the NUKIB if a member of the statutory body of a legal person, the head of a branch, a proxy or an entrepreneurial natural person has repeatedly or seriously breached his or her duties in the exercise of his or her management function, with the result that a decision of the NUKIB requiring the provider of a regulated service under the higher obligations regime to remedy deficiencies identified during an inspection has not been properly implemented. Simply put, these are situations where the senior management of a regulated organisation consistently avoids fulfilling its legal obligations under the proposed Act on Cyber Security and its implementing decrees. Like the suspension of certification, this suspension lasts until the identified deficiencies are corrected, but not less than 6 months.

To learn more about the new amounts of fines and other penalties, see the proposal of the Act on Cyber Security.

The following topic focuses on the area of cooperation - both national and international.
