12. Financial aspects
of the new Act on Cyber Security

---

The change of the Act on Cyber Security related to the new NIS2 Directive will entail the costs necessary to ensure cybersecurity in the scope and quality required by the proposal and the NIS2. The fact that in the aggregate of the entire national economy the costs of compliance will be not insignificant is mainly due to the increase in the number of entities that will be affected by the new regulation due to the requirements of the NIS2 Directive.

PROCEDURE FOR ESTIMATING FINANCIAL COSTS WITHIN AN ORGANISATION

The approach to financial planning, and in particular the need for planning in advance, varies from one organisation to another. However, there is no doubt that financial planning to secure the resources to meet future obligations under the proposed Act on Cyber Security should be addressed as early as possible.

It is necessary to provide the relevant units (dealing with financial planning) within the organisation with information on the resources that will need to be spent on cybersecurity so that they can be budgeted for and the requirements of the Act on Cyber Security can be met in a timely manner. This is true whether the organisation is budgeting in the public sphere and thus applying costs within its budget chapter, or whether it is budgeting in the private sphere and financial planning within the organisation or larger entity.

Since at least an outline of the amount that the organisation will have to spend is necessary for financial planning, it is advisable to proceed in such a way that this amount is as close as possible to reality, i.e. to consider which security measures from the relevant regulation are missing in the organisation and to estimate their financial requirements.

GENERAL PLANNING STEPS REGARDING SECURITY COSTS IN AN ORGANISATION:

1. Identify the need within your organisation
2. Apply this need appropriately within the budgeting process
3. Appropriately allocate costs over time in the budget

In cooperation with the Ministry of the Interior, the NUKIB has created a methodological tool to determine the costs necessary for the introduction of obligations imposed on entities in connection with the introduction of security measures under the draft Act on Cyber Security. The ability to use this tool has been verified through a trial completion by the contacted organisations.

Unfortunately, the tool is available only in Czech language.

COSTS OF IMPLEMENTING NIS2

The main shortcoming of the financial impact analysis on regulated entities is the fact that the distribution of cybersecurity costs is not universal and there is a complete information asymmetry in the direction from the entities themselves to the regulatory body - the NUKIB (i.e. only the regulated organisation itself is able to identify its own costs of implementing and maintaining an adequate level of cybersecurity). It is therefore not possible to precisely determine the amount of the financial impact in advance from the position of the central authority (all previous requests to quantify the costs have always resulted in estimates with low predictive value).

The distribution of cybersecurity costs cannot be considered generally due to the large number of unknown and variable indicators, including:

• the current state of cybersecurity in individual organisations,

• the different target state of each organisation related to the importance of its activities and the need to ensure its functioning,

• wide variability in the scope of cybersecurity measures, which can be quite different from one organisation to another,

• identification of what is the cost of implementing cybersecurity measures and what is the cost of routine operation of information and communication technologies at a given entity (these sets are very intertwined),

• compliance with the current wording of the Act on Cyber Security,

• the exact final number of regulated entities is unknown,

• the variability of costs over time with regards to macroeconomic issues as well as to the evolution of technology and many other indicators.

These indicators are linked to the information security management systems, both under the current version of the law and from generally accepted cybersecurity standards.

THE COSTS OF TRANSPOSING THE NIS2 DIRECTIVE CAN BE DIVIDED INTO THREE CATEGORIES:

• Cost of security measures implemented by public administration

• Cost of security measures implemented by private companies

• Cost of the NUKIB activities

The costs of the NUKIB's activities and the costs of the public administration's security measures are a cost to public budgets.

The following financial estimate is primarily relevant for the costs in public budgets. It is based on the cost calculations made in relation to the state budget and is specifically based on the methodologies presented in:

• Draft Amendments to the Cybersecurity Act from 2017 (only in Czech),

• Draft Amendments to the Decree on Important Information Systems from 2019 (only in Czech),

• ENISA: NIS Investments Report 2021,

• ENISA: NIS Investments Report 2022.

These documents lead to an indicative calculation of the cost of the introduction and subsequent implementation of security measures, which ranges between 800 000 CZK and 1 500 000 CZK (34 000 – 64 000 EUR) in relation to one secured system (while the service as a whole may be provided by several individual information systems).

Changes in the approach to regulation introduced by the NIS2 Directive and the variables mentioned above (especially the already mentioned different state of current security in regulated organisations, the differentiation of obligations imposed on these entities, as well as the aggregation of several security measures for multiple systems within an organisation) may then influence these values. In particular, the number of individual systems in each particular organisation will be an important variable. This will then determine the overall requirement on public budgets.

Continue by clicking on the blue arrow on the right side or select one of the other topics in the index below.

Topic index

1. General information about the future national regulation
2. Who is affected by the new obligations
3. Differentiation of regulated entities
4. Obligation to implement security measures
5. Incidents and how to report them
6. Registration and communication with NUKIB
7. Methods of ensuring compliance
8. Sanctions and enforcement measures
9. National and international cooperation
10. Other national regulation specifics
11. How to prepare for the new legislation
12. Financial aspects of the new Act on Cyber Security