For the better part of two decades, background screening in European organisations occupied an ambiguous middle ground. It was widely understood to be good practice. It was recommended in ISO 27001 and various sector-specific codes of conduct. It was common in financial services and aviation, where regulators had long imposed personnel integrity requirements. But for the broad majority of European employers, including those operating critical infrastructure, it was optional.
That changed with the NIS2 Directive. And in the Czech Republic, it changed again with the updated Zákon o kybernetické bezpečnosti (Act No. 264/2024 Coll.), the national cybersecurity law implementing NIS2 with specific domestic provisions. Background screening has moved, in a relatively short period, from a discretionary HR decision to a legal obligation with enforcement consequences.
What NIS2 actually requires
NIS2 - officially Directive (EU) 2022/2555 - entered into force on 16 January 2023 and required member states to transpose it by 17 October 2024. Its scope is broader than its predecessor, NIS1, covering a significantly expanded set of sectors and entities. Essential entities include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, and public administration. Important entities extend to postal services, waste management, manufacturing of critical products, food production, and digital providers.
The Directive requires entities in these categories to implement appropriate technical and organisational measures to manage cybersecurity risks. Article 21 specifies that these measures must include policies on human resources security, access control, and asset management. Recital 89 makes explicit that human resources security policies should include measures to address the risks posed by employees and contractors.
This is not ambiguous language. It is a direct statement that personnel security - the systematic assessment of the trustworthiness of people with access to critical systems and data - is a required element of NIS2 compliance. Supervisory authorities in member states are empowered to inspect, require evidence of, and sanction failures in this area.
The Czech ZKI: a more specific standard
The Czech Republic's implementation of NIS2 through the updated cybersecurity act introduces obligations that are, in some respects, more specific than the Directive itself. The ZKI applies to a substantial number of Czech entities, including those operating critical infrastructure under the parallel Critical Infrastructure Act and those identified by the National Cyber and Information Security Agency (NUKIB) as regulated entities.
Under the ZKI framework, regulated entities must implement personnel security measures that include, among other things, the verification of employee and contractor reliability before granting access to sensitive systems. The law does not prescribe a specific screening methodology, but it is clear that relying on a self-declared CV is insufficient. Entities are expected to demonstrate, in the event of an audit, that they took proportionate steps to verify the backgrounds of those with access to critical systems.
NUKIB has published guidance indicating that criminal record checks, identity verification, and employment history verification are among the appropriate measures for personnel with privileged access. The updated act took effect on 1 November 2024, and regulated entities must register with NUKIB and implement the required measures within the transition period the act sets, so entities that have not yet started building screening processes are already behind the compliance timeline.
Who is affected, and the scale of exposure
The number of Czech entities subject to ZKI obligations runs into the thousands when critical infrastructure operators, essential service providers, and important entities are counted together. In Germany, the NIS2UmsuCG - the national implementation legislation - imposes similar obligations across an even larger industrial base, given Germany's scale and its concentration of critical manufacturing, energy, and financial services.
For Poland, NIS2 transposition has created obligations for entities across the energy, transport, and digital infrastructure sectors, with enforcement authority vested in the national cybersecurity regulator. Across the CEE region as a whole, the combined effect of NIS2 and its national implementations is a significant shift in the legal baseline for personnel security.
The enforcement consequences are substantial. NIS2 requires member states to set maximum fines of at least 10 million euros or 2% of global annual turnover, whichever is higher, for essential entities, and at least 7 million euros or 1.4% of turnover for important entities. These are not symbolic penalties. They are calibrated to be financially meaningful even for large organisations.
The gap between obligation and practice
Despite the clarity of the obligation and the scale of the consequences, many European organisations subject to NIS2 have not yet implemented systematic screening processes. The reasons vary. Some organisations are in the process of mapping their compliance obligations and have not yet reached the personnel security workstream. Others have concluded, incorrectly, that their existing pre-employment reference checking satisfies the requirement. Others still are waiting to see whether enforcement authorities prioritise this area.
The experience from GDPR enforcement offers a relevant parallel. When GDPR came into force in 2018, many organisations adopted a wait-and-see approach, betting that enforcement would be slow and that procedural compliance was sufficient to avoid sanction. Enforcement was initially slow. But it accelerated. The fines issued since 2020 have been substantial, and the pattern of enforcement has followed a clear trajectory: early action against the most visible failures, followed by increasingly systematic scrutiny of organisational practices.
NIS2 enforcement is following a similar pattern. NUKIB and its counterparts in Germany and Poland have begun supervisory inspections of regulated entities, and personnel security practices are within scope.
What a compliant screening programme looks like
A compliant personnel security programme under NIS2 and ZKI does not need to be elaborate. It needs to be proportionate, documented, and consistently applied.
For employees and contractors with access to sensitive systems or data, the minimum defensible standard includes identity verification, criminal record checks appropriate to the individual's country of residence and nationality, and verification of the employment or engagement history they have represented to the organisation. For roles with privileged access - system administrators, security personnel, those with access to personal data at scale - enhanced checks including adverse media screening and, where relevant, financial probity checks are appropriate.
Critically, the programme must be documented. An organisation that has conducted screening but cannot demonstrate what it did, when, and for whom, is in a weak position relative to a regulator seeking evidence of compliance. The screening process should generate records that can be produced on request.
Finally, the programme must extend to contractors, temporary staff, and agency workers, not just permanent employees. NIS2 and ZKI do not distinguish by employment type. If an individual has access to regulated systems, they should be within scope of your screening programme regardless of how they are engaged.
The window for proactive compliance
Organisations that have not yet implemented structured screening can still approach this proactively rather than reactively. Establishing a screening programme now, with clear documentation of what is covered, at what standard, and how results are recorded and acted upon, creates a defensible position against regulatory scrutiny.
The alternative - waiting until an inspection reveals a gap - is a significantly less attractive option. Supervisory authorities are not only empowered to impose fines: they can require remediation within tight timeframes, impose operational restrictions, and publicise enforcement actions in ways that create reputational as well as financial consequences.
Background screening is no longer a nice-to-have. In regulated sectors across Europe, it is the law.