Self-preservation versus cybersecurity
To begin my reflection, let me do something that is generally discouraged, namely quote myself. Or, more precisely, quote my own motto: "Cyber and information security is not a matter of laws; it is a matter of self-preservation." I arrived at this motto at a time when I kept hearing the argument "I/we are not concerned with cyber and information security because I/we do not fall under the Cybersecurity Act."
In 2012, the first Cybersecurity Strategy of the Czech Republic was approved. In January 2015, the Cybersecurity Act, the first of its kind in the EU, came into force, and in 2016 the first European directive on network and information security (NIS 1) drew on its principles. Currently, fewer than 400 entities fall under the Cybersecurity Act in force (Act No. 181/2014 Coll.). But what about the rest? For them, we have to rely on their instinct for self-preservation: on the assumption that the people running an organization want it to keep operating, want to avoid liability for negligence, and so on. However, the growing number of successful cyberattacks on organizations of every kind suggests that something is wrong. Relying on an internalized instinct for self-preservation is proving to be a road to disaster, because many organizational leaders are unaware of the full scope of their responsibility for cybersecurity.
Simply put, where the instinct for self-preservation fails, legislation must step in. If the instinct worked, there would be no need for legal intervention. This is one of the motivations behind the NIS2 directive, a piece of legislation often compared to the GDPR despite fundamental differences: the GDPR is a regulation and applies directly without national implementation, whereas NIS2 is a directive and must be transposed into national law by each EU member state. The ensuing frenzy around NIS2 has produced a crop of self-appointed "experts" who announce that NIS2 is coming, ask suggestively whether you are ready, and offer to get you there, because otherwise you will pay a fine of 250 million CZK. It is all "scare and invoice."
However, the NIS2 directive has been in force since January 2023, so nothing new is coming. What is coming is the new Cybersecurity Act together with its implementing regulations. The directive's transposition deadline was October 2024, but we missed it, for objective reasons it should be said. The optimistic target of 1 July 2025 for the Act's entry into force will probably be missed as well. What is crucial, however, is that many more entities will fall under it: at least 6,000, and some estimates speak of ten to twelve thousand. If the aforementioned instinct for self-preservation worked, then, with some exaggeration, we would not need this new law at all. There is another point I have come to realize over my career. Since cyber and information security affects everyone, from children, parents and grandparents to households, businesses, government institutions, states and unions, it can be likened to civil defense in cyberspace.
In the current complex security situation, this fact needs to be brought home ever more forcefully. There are studies which say that there is a link between the level of cyber and information security provision and the prevention of war. It is not difficult to imagine a scenario in which a cyberattack is carried out on, for example, a chemical plant, where the attack causes an explosion; on hospitals, which are paralyzed; on the state institutions that are supposed to coordinate the response and reassure the population; or on the fire brigade and the other forces that should be dealing with the situation.

Chaos of this kind makes it much easier for enemy troops to move in. The example of Georgia is alarming in this respect, and it is worth asking whether this is not how tests are conducted, in the style of "Now let's see where you are, where your weaknesses are..." and so on. If the level of cybersecurity is high, attackers are likely to get their teeth knocked out in such a test and have to look for other ways in. Hence the analogy with civil defense. But there are many more aspects to it: the preparedness of the population and of every institution in terms of awareness, training, and so on.
Any significant cyberattack should therefore be assessed, among other things, as a possible test of preparedness, and so I ask myself a question that the relevant institutions dealing with cybersecurity should also be asking: were the recent cyberattacks on the integrated rescue system not such a test?

Ing. Aleš Špidla
Aleš Špidla is the Cybersecurity Manager at the Prague 5 Municipal District Office and collaborates on various cybersecurity projects. He is the President Emeritus of the Czech Institute of Information Security Managers, a guarantor and lecturer of the MBA program “Management and Cybersecurity,” and a co-guarantor and lecturer of the LL.M. program “Information Protection” at CEVRO University. He also serves as the statutory director of the university's Research Centre for the Development of Information Competences. A passionate advocate for cybersecurity, he frequently speaks at conferences, appears in media, and publishes articles on the subject.