Back to the home page

Legal Newsletter February 2023

New cybersecurity regulation in the EU

The NIS2 Directive expands the range of obliged persons in the field of cybersecurity, tightens requirements for reporting security incidents, introduces management accountability and increases penalties for non-compliance.

The extension of the circle of obliged persons, which according to the NACIB's estimates should expand more than tenfold in the Czech Republic, is essential, especially for selected IT service providers, manufacturing companies, postal and courier services or organisations operating in the field of research. Gas and electricity traders will also be newly considered as obliged persons. In practice, these should be mainly medium-sized businesses.

While today the obliged persons are classified into 4 categories, the Directive envisages a division into two groups - basic and important entities with a different regime, where presumably all entities will fulfil the listed obligations, but the difference will be in the scope of the obligations.

The obliged entities under the Directive will be, with exceptions, only organisations reaching at least the size of a medium-sized enterprise within the meaning of the European Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises, i.e., with at least 50 employees and a turnover of EUR 10 million (alternatively to the minimum turnover it is sufficient to meet the criterion of EUR 10 million balance sheet total).

For existing obliged persons, the NIS2 Directive rather clarifies and complements existing obligations. Specific deadlines for reporting security incidents are added. From the point of view of the management of obliged persons, the responsibility for approving and supervising the application of the rules of the security programmes is essential. The obligation for managers to undergo appropriate training is also introduced.  The NCIB should even be given the possibility to temporarily prohibit a person who violates cybersecurity obligations from performing a management function. In general, there is a huge increase in the amount of fines (from CZK 5 million to EUR 240 million).

The Directive is expected to be transposed into the Czech legal system around mid-2024.


On the invalidity of agreements on unpaid leave in the event of obstacles at work

A number of employers have dealt with the situation of not having work for employees during the coronavirus pandemic by entering into unpaid leave agreements. This was particularly the case for those businesses that were prevented by the pandemic from opening operations or providing services. However, the Supreme Court of the Czech Republic declared this practice illegal.

The case considered by the Supreme Court involved a dispute between an employee, a tour driver, and his employer, who had reached an agreement to resolve a situation where travel was severely restricted and the employee was therefore unable to work.

The Supreme Court commented on the case that an employer may generally grant an employee unpaid leave, particularly in situations not regulated by law, in accordance with the principle that what is not prohibited is permitted. However, this is not the case where there are obstacles to work on the employer's side and the agreement effectively deprives the employee of the wage compensation to which he is legally entitled. In this situation, the employer cannot validly agree with the employee on unpaid leave.

Employers who grant unpaid leave to employees must therefore be advised to be cautious in future and, if possible, not to do so at a time when there are or could be objective obstacles to work on their side. The agreement to grant unpaid leave should be in writing and ideally state the reason why the leave is being granted, to minimise the risk of the agreement being seen to circumvent the law.


Will preventive restructuring save companies in trouble?

The objective of the preventive restructuring is to avert the company's bankruptcy while maintaining the operation of the business plant. Companies that have already entered bankruptcy will no longer be affected by this option.

Recovery is to be achieved by the entrepreneur in particular by negotiating with creditors over a restructuring plan. This should provide creditors with a better chance of satisfying claims or even preserving existing contracts in return for providing certain relief than a possible bankruptcy and subsequent insolvency proceedings.

Precautionary restructuring will take two forms - public and private. In the case of public, an invitation to creditors to register their claims that the company will have to settle in the restructuring will be published in the restructuring register. In the case of a private restructuring, the restructuring plan will then be approved only by the creditors concerned (i.e., those whose rights will be affected by the plan) by at least a three-quarters majority. For unaffected creditors, the restructuring will not change anything. The advantage of a private restructuring will certainly be the elimination of the negative publicity associated with insolvency proceedings.

Unlike insolvency proceedings, which are inherently adversarial, restructuring is to a greater extent a consensual process. The question is whether companies will take advantage of the new institution. We believe that this option for dealing with impending bankruptcy could be a more acceptable solution for company management than negotiating concessions with individual creditors, which may carry the risk of being challenged on the grounds of favouritism or short-changing the creditor if bankruptcy is not averted. However, we will have to wait a few more months to see the impact of the new law before it is passed.