Management Responsibility in Cybersecurity – Lessons Learned and Challenges of New Legislation

This paper focuses on the practical experiences gained regarding the responsibility of an organization’s management for ensuring cybersecurity, as derived from the current legal framework, including relevant case law and oversight activities of the National Cyber and Information Security Agency (NÚKIB).

Furthermore, it discusses the changes introduced by the new legislative framework. The NIS 2 Directive significantly shifts the responsibility for ensuring cybersecurity within organizations to senior management. These obligations include defining security policies and objectives, ensuring the allocation of resources for implementation, and appointing key security roles responsible for information and cybersecurity within the organization. Additionally, company management will be required to undergo cybersecurity training and take an active role in reviewing and approving relevant security documentation to shape the organization's cybersecurity strategy.

However, NIS 2 is not the only new piece of legislation addressing cybersecurity. Other legal regulations, such as the DORA Regulation, the CER Directive, and the CRA Regulation, must also be considered.

The new Cybersecurity Act does not explicitly define senior management or its responsibilities. Instead, the definition and a detailed description of its duties are included in the draft implementing decree on security measures for regulated service providers subject to higher obligations.

This paper will primarily focus on the interpretation challenges of management responsibilities under NIS 2 and the new Cybersecurity Act, along with their practical application—for example, in multinational corporate groups or the public sector. The distribution of responsibilities among company executives within the information security management system will also be explained.

Finally, the paper will outline sanctions for non-compliance with the new legislation, including potential bans on holding executive positions. Under the new Cybersecurity Act, NÚKIB will have the authority to impose fines of up to 2% of the net global annual turnover of a company or group of companies. Given the direct responsibility of senior management, failure to exercise due diligence could, in extreme cases, result in liability for damages caused to the organization.

Barbora Vlachová

Barbora Vlachová works at PORTOS Law Firm, where she leads a legal team specializing in IT law, cybersecurity, and data protection. She also serves as a lecturer at the Police Academy of the Czech Republic and the University of Economics and Management.

She is a regular contributor to legal publications and is the author of a commentary on the Electronic Communications Act as well as a co-author of commentaries on the Cybersecurity Act and the Data Processing Act. In addition, she frequently speaks at professional conferences and seminars.

Barbora is an active member of the IT and GDPR Section of the Czech Bar Association and serves as an arbitrator at the Arbitration Court of the Czech Chamber of Commerce and the Agrarian Chamber of the Czech Republic. She is also actively involved in the Czech branch of AFCEA (Armed Forces Communications & Electronics Association).

In recognition of her contributions to the field, she was awarded the title of Lawyer of the Year 2023 in the IT Law category.