{"id":4523,"date":"2026-05-05T16:56:55","date_gmt":"2026-05-05T14:56:55","guid":{"rendered":"https:\/\/www.cybreg.cz\/digital-services-under-eu-scrutiny\/"},"modified":"2026-05-05T22:16:32","modified_gmt":"2026-05-05T20:16:32","slug":"digital-services-under-eu-scrutiny","status":"publish","type":"post","link":"https:\/\/www.cybreg.cz\/en\/digital-services-under-eu-scrutiny\/","title":{"rendered":"Digital services under EU scrutiny"},"content":{"rendered":"\n<h2 class=\"wp-block-heading has-text-align-left\">Digital Services Regulation: a&nbsp;<strong>regulation that is often forgotten<\/strong><\/h2>\n\n<p>Lately, almost all discussion has centred on the <a href=\"https:\/\/www.cybreg.cz\/en\/nis2\/\">NIS2<\/a> directive and the new law on cyber security. Companies are intensively discussing whether they will fall under the new regulation, under what regime, and what obligations will arise for them.<\/p>\n\n<p>What is less well known is that another, very specific regulation applies to selected digital service providers &#8211; the Digital Services Regulation (Commission Implementing Regulation (EU) 2024\/2690).<\/p>\n\n<p>This implementing regulation is essential for the organisations concerned. Not only has it been in effect since 2024, but for selected entities it extends the general requirements of NIS2 and goes into much greater detail in the area of cyber security. It is certainly not worth ignoring. 
<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>What is the difference between NIS2, the ZKB and this regulation?<\/strong><\/h2>\n\n<p>Simply put:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>NIS2 sets a&nbsp;single framework of obligations for cyber security in the EU;<\/li>\n\n\n\n<li>the ZKB transposes these rules into Czech law and determines exactly how they will work in the Czech Republic;<\/li>\n\n\n\n<li>for selected digital services, the DSA Implementing Regulation dictates specific technical details on how organisations should implement security in practice.<\/li>\n<\/ul>\n\n<p>The most important difference is that the Regulation is directly applicable in all EU countries and does not wait for any national implementation.<\/p>\n\n<p>This means that if you fall under it, you deal directly with European regulation. This is mainly due to the cross-border nature of digital services, where different rules in different countries would not make sense.<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>Who does it affect?<\/strong><\/h2>\n\n<p>Implementing Regulation (EU) 2024\/2690 precisely specifies the selected categories of digital infrastructure and digital service providers. Typically, these are:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>cloud computing (IaaS, SaaS, PaaS);<\/li>\n\n\n\n<li>data centres;<\/li>\n\n\n\n<li>content delivery networks (CDN);<\/li>\n\n\n\n<li>managed services and managed security services (MSP and MSSP);<\/li>\n\n\n\n<li>providers of internet search engines and online marketplaces;<\/li>\n\n\n\n<li>trust services.<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\"><strong>Interesting scenarios from practice<\/strong><\/h3>\n\n<p>The regulation often affects companies that do not sell any IT services publicly. 
Holding structures are a&nbsp;typical example:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Internal IT company within a holding:<\/strong> if you provide IT or cloud services to other subsidiaries in the group, the legislation may view you as a&nbsp;commercial outsourced provider.<\/li>\n\n\n\n<li><strong>Shared services:<\/strong> do you run identity management, infrastructure or security for multiple companies within a&nbsp;group? Then pay attention.<\/li>\n\n\n\n<li><strong>Internal SOC or security team:<\/strong> if your security team acts as a&nbsp;dedicated service to the rest of the group, you may fall under regulated security services (MSSP).<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\"><strong>What obligations does the regulation bring?<\/strong><\/h2>\n\n<p>The Regulation does not introduce completely new principles, but expands and describes in detail what NIS2 only mentions in general terms.<\/p>\n\n<p>These are mainly:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.cybreg.cz\/en\/nis2\/#rizeni-rizik\" data-type=\"link\" data-id=\"https:\/\/www.cybreg.cz\/nis2\/#rizeni-rizik\">cyber risk management<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.cybreg.cz\/en\/nis2\/#sprava-bezpecnostnich-politik\">security policies and governance<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.cybreg.cz\/en\/nis2\/#rizeni-incidentu\" data-type=\"link\" data-id=\"https:\/\/www.cybreg.cz\/nis2\/#rizeni-incidentu\">incident management<\/a><\/li>\n\n\n\n<li>ensuring business continuity<\/li>\n\n\n\n<li><a href=\"https:\/\/www.cybreg.cz\/en\/nis2\/#automatizovane-audity-dodavatelu\" data-type=\"link\" data-id=\"https:\/\/www.cybreg.cz\/nis2\/#automatizovane-audity-dodavatelu\">security of suppliers<\/a><\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\"><strong>How does it interact with the ZKB?<\/strong><\/h2>\n\n<p>This is one of the most important practical points.<\/p>\n\n<p>If you provide a&nbsp;digital service:<\/p>\n\n<ul 
class=\"wp-block-list\">\n<li>security measures and incident reporting are directly governed by this EU Regulation;<\/li>\n\n\n\n<li>other obligations remain governed by the ZKB.<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\"><strong>What if you do both?<\/strong><\/h3>\n\n<p>If you operate a&nbsp;cloud (digital service) and also provide another service regulated under the ZKB (e.g. critical infrastructure), you must combine the rules. The European regulation applies to the digital part, and Czech law applies to the rest. If both services share the same infrastructure, the <strong>stricter or more specific requirement always applies<\/strong>.<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>Deadlines and what to tackle now<\/strong><\/h2>\n\n<p>As it is a&nbsp;European regulation, it has entered into force regardless of whether we have already approved the new Czech law on cyber security. It does not wait for any Czech legislation.<\/p>\n\n<h3 class=\"wp-block-heading\"><strong>In practice, this means<\/strong><\/h3>\n\n<p>If you suspect you fall into this category, your plan of action for the next few days should be:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Legal analysis: determine whether your services (including those internal to the holding company) are covered by the regulation;<\/li>\n\n\n\n<li>Gap analysis: compare existing measures with the specific requirements of the regulation and identify inconsistencies;<\/li>\n\n\n\n<li>Implementation of changes: set up processes to comply with both the European Regulation and the ZKB.<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\"><strong>Summary<\/strong><\/h2>\n\n<p>Implementing Regulation 2024\/2690 is a&nbsp;subtle but crucial piece of legislation. It applies directly, without exceptions, and is aimed squarely at IT and digital services (including in-house). 
<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>Not sure if this applies to you?<\/strong><\/h2>\n\n<p>You don&#8217;t know if you fall under regulation?<\/p>\n\n<p>Not sure how to combine the ZKB and the European Regulation?<\/p>\n\n<p>Do you want to be clear about what you need to do?<\/p>\n\n<p>We will help you with gap analysis and implementation of measures.<\/p>\n\n<p><a href=\"https:\/\/calendly.com\/sykorait-petr-sykora\/cybreg\" target=\"_blank\" rel=\"noopener\">Contact us<\/a><\/p>\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Digital Services Regulation: a&nbsp;regulation that is often forgotten Recently, there has been virtually no talk of anything other than the NIS2 directive and the new law on cyber security. Companies are intensively discussing whether they will fall under the new regulation, under what regime and what obligations will arise for them. What is less well [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":4512,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[55],"tags":[66],"class_list":["post-4523","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-homepage"],"_links":{"self":[{"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/posts\/4523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/comments?post=4523"}],"version-history":[{"count":1,"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/posts\/4523\/revisions"}],"predecessor-version":[{"id":4524,"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/posts\/4523\/rev
isions\/4524"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/media\/4512"}],"wp:attachment":[{"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/media?parent=4523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/categories?post=4523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybreg.cz\/en\/wp-json\/wp\/v2\/tags?post=4523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}