- Silvia Klofáč Štefániová
One of the main obligations under the Cybersecurity Act is the implementation of security measures within the scope defined by the implementing decree, either under the regime of higher or the regime of lower obligations. Let's take a closer look at what these measures actually entail and what the difference between the two obligation regimes is.
The relationship between the Cybersecurity Act and the NIS2 Directive
The NIS2 Directive created two categories of regulated entities: essential entities and important entities. These categories differ in the requirements that organizations must meet.
In the Czech legal system, NIS2 has been transposed into the new Cybersecurity Act and its implementing decrees. The Czech Act approaches categorization slightly differently from NIS2: it introduces a single category, the regulated service provider, which operates under one of two regimes. The regime of higher obligations corresponds in scope to the essential entity category under NIS2, and the regime of lower obligations reflects the important entity category.
If you are a regulated service provider, the scope of measures you must implement depends on which regime applies to you.
Security measures in the regime of higher obligations
The Cybersecurity Act divides security measures into two groups: Organizational measures (14) and Technical measures (11). The Decree on security measures for regulated service providers in the regime of higher obligations specifies their detailed content.
Organizational measures
(§ 3–16 of the Decree on security measures for regulated service providers in the regime of higher obligations)
Information security management system (§ 3)
Security must not be left to chance. The purpose of this measure is to define what you are protecting and why. This includes setting objectives, rules and processes, and evaluating the system regularly. When something changes (technology, supplier, business model), the system must be able to adapt.
Requirements for top management (§ 4)
Top management sets direction and priorities and bears responsibility. It approves key cybersecurity decisions and ensures that measures make operational and business sense. It must also undergo regular training to make informed decisions and assign security roles.
Establishment of security roles (§ 5)
In the higher regime, several roles must be appointed to ensure clear accountability in cybersecurity. Each role has defined authorities, responsibilities, and substitution arrangements so that the system does not depend on a single individual.
Management of security policy and documentation (§ 6)
You should have clear rules proportionate to your size and operational reality. The goal is not to produce extensive documentation, but to create a clear framework that people understand. Keep your documents up to date and aligned with how you actually operate.
Asset management (§ 7)
What is essential for your operations? Data, systems, employees, services? To protect assets, you must first identify them. Maintain an inventory, assess confidentiality, integrity, and availability, and assign asset owners.
Risk management (§ 8)
Risks must be consciously identified and managed. This provides insight into threats and potential impacts. Based on that, decisions are made on how to address each risk. Not all risks require technical solutions; sometimes a process change or management decision is sufficient.
Supplier management (§ 9)
Human resources security (§ 10)
Cybersecurity begins with people. This measure systematically develops security awareness across the organization. Having a clear plan that defines who is trained, when, and to what extent is essential. Employees must understand their obligations, the risks they face, and the applicable rules – including proper password practices and how to respond to incidents.
Change management (§ 11)
Any significant change (new system, cloud solution, supplier, process) must also be assessed from a cybersecurity perspective to prevent introducing unnecessary disruption or hidden risks.
Acquisition, development and maintenance (§ 12)
Cybersecurity must be considered during selection and design of solutions, not only after deployment. Plan for updates, support, and end-of-life to avoid unsupported technologies becoming vulnerabilities.
Access management (§ 13)
The purpose of this measure is to ensure that everyone has access only to what they genuinely need. It also includes the obligation to review access rights regularly, revoke them when roles change or employment ends, and prevent so-called “temporary” privileges from becoming permanent.
Handling cybersecurity events and incidents (§ 14)
Do you know what to do when something happens? The decree addresses this as well and requires obligated entities to have defined procedures, prepared contact points, and the ability to report and handle incidents properly. The objective is not to assign blame, but to limit the impact of the incident and restore normal operations as quickly as possible.
Business continuity management (§ 15)
Cybersecurity audit (§ 16)
Regularly verify the state of cybersecurity and compliance with the Act, the decree, and internal rules. This is typically done at defined intervals or after significant changes. Audit findings feed back into risk management, training, and corrective actions.
Technical measures
(§ 17–27 of the Decree on security measures for regulated service providers in the regime of higher obligations)
Physical security (§ 17)
In addition to data and your digital environment, you must also protect the physical premises and equipment where critical systems operate or sensitive data is stored. Access controls should reflect the importance of the specific location or technology and ensure that only those who genuinely need access are able to obtain it.
Security of communication networks (§ 18)
Protect networks against unauthorized access and incident propagation. Monitor traffic and segment critical infrastructure components.
Identity management and authentication (§ 19)
Each user and system must have a unique identity. Your responsibility is to ensure that authentication methods correspond to risk levels.
Access rights and privilege management (§ 20)
This measure builds on identity management and aims to ensure that you monitor the permissions assigned to users and systems and review them on a regular basis.
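The two measures above (§ 13 on access management and § 20 on access rights and privilege management) both boil down to a recurring review that catches three things: grants held by people who have left, temporary grants that have expired or quietly become permanent, and grants whose original justification no longer matches the holder's role. The following is an added example of such a review written for this page; it is not code from the decree or from any vendor. The grant inventory, the field names and the 90-day threshold for "temporary" are assumptions, and the sample records are constructed.

```python
"""Periodic access-rights review over a constructed grant inventory.

Added illustration only: the record layout, the field names and the
90-day threshold are assumptions, not anything the decree prescribes.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    privilege: str                 # e.g. "read", "admin"
    granted_on: date
    expires_on: Optional[date]     # None = standing grant; a date = temporary grant
    approved_for_role: str         # the role that justified the grant when approved


@dataclass(frozen=True)
class Person:
    user: str
    current_role: str
    active: bool                   # False once employment has ended


@dataclass(frozen=True)
class Finding:
    user: str
    resource: str
    privilege: str
    action: str                    # "revoke" or "review"
    reason: str


def review_access(grants: List[Grant], people: List[Person], as_of: date,
                  max_temp_days: int = 90) -> List[Finding]:
    """Return one finding per grant the review cannot simply confirm.

    Checks, in order: holder gone -> revoke; temporary grant expired -> revoke;
    approving role no longer matches the holder's role -> review;
    temporary grant older than max_temp_days -> review (it is becoming permanent).
    """
    by_user = {p.user: p for p in people}
    findings: List[Finding] = []
    for g in grants:
        holder = by_user.get(g.user)
        age_days = (as_of - g.granted_on).days
        if holder is None or not holder.active:
            findings.append(Finding(g.user, g.resource, g.privilege, "revoke",
                                    "holder has left or is unknown"))
        elif g.expires_on is not None and g.expires_on < as_of:
            findings.append(Finding(g.user, g.resource, g.privilege, "revoke",
                                    f"temporary grant expired on {g.expires_on}"))
        elif holder.current_role != g.approved_for_role:
            findings.append(Finding(g.user, g.resource, g.privilege, "review",
                                    f"approved for role {g.approved_for_role!r}, "
                                    f"holder is now {holder.current_role!r}"))
        elif g.expires_on is not None and age_days > max_temp_days:
            findings.append(Finding(g.user, g.resource, g.privilege, "review",
                                    f"temporary grant has stood for {age_days} days"))
    return findings


# Constructed sample data (hypothetical users, resources and dates).
AS_OF = date(2025, 6, 1)
SAMPLE_PEOPLE = [
    Person("alice", "dba", True),
    Person("bob", "sales", True),      # moved from HR to sales
    Person("carol", "finance", False), # employment ended
    Person("dave", "ops", True),
    Person("erin", "dev", True),
]
SAMPLE_GRANTS = [
    Grant("alice", "prod-db", "admin", date(2023, 5, 2), None, "dba"),             # confirmed
    Grant("bob", "hr-files", "read", date(2022, 9, 1), None, "hr"),                # role changed
    Grant("carol", "payroll", "admin", date(2021, 1, 15), None, "finance"),        # holder left
    Grant("dave", "prod-db", "admin", date(2024, 1, 10), date(2025, 12, 31), "ops"),  # "temporary" for 500+ days
    Grant("erin", "ci", "deploy", date(2025, 3, 1), date(2025, 4, 1), "dev"),      # expired
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_GRANTS, SAMPLE_PEOPLE, AS_OF):
        print(f"{f.action.upper():6} {f.user}@{f.resource} ({f.privilege}): {f.reason}")
```

Running the review against the constructed inventory produces four findings (bob, carol, dave, erin) and leaves alice's grant untouched. In practice the inventory would be exported from the identity provider or the systems themselves, and the review output would be signed off by the asset owner and fed into the next cycle, which is what the decree's "regular review" actually means operationally.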
Detection of cybersecurity events (§ 21)
Pay attention to suspicious activity. Do not wait until someone reports a problem. The purpose of this measure is to have effective tools or processes in place that alert you to potential issues in a timely manner.
Event logging (§ 22)
Store relevant events from your information systems so that you can review them when needed. The goal is not to collect data for its own sake, but to ensure that in the event of an issue, you can determine what happened, when it happened, and where it occurred.
Evaluation of cybersecurity events (§ 23)
Evaluate recorded events to determine whether they reflect normal operations or indicate a security issue. Why? So that you can respond in a timely and proportionate manner – not only when it is already too late.
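The three measures on detection (§ 21), logging (§ 22) and evaluation (§ 23) describe one pipeline: keep the events, then evaluate them so that an alert tells you what happened, when and where. The block below is an added example written for this page, not code from the decree or any product, showing that pipeline on a handful of constructed sshd-style log lines: it parses the lines, keeps the timestamp and host that § 22 asks for, and flags a burst of failed logins from one source and a success following such a burst. The log format, the five-failure threshold, the ten-minute window and the addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Evaluate constructed authentication log lines for brute-force patterns.

Added illustration only: the log layout, the threshold (5 failures) and the
window (10 minutes) are assumptions chosen for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Matches lines such as:
# 2025-06-01T10:00:01Z host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51222 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    outcome: str     # "Failed" or "Accepted"
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    kind: str        # "brute_force" or "brute_force_success"
    host: str        # where it happened
    src: str         # who it came from
    user: str
    ts: datetime     # when it happened
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for an sshd auth line, or None for anything else (e.g. cron)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["host"], m["outcome"], m["user"], m["src"])


def evaluate(lines: List[str], threshold: int = 5,
             window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Flag a source that fails `threshold` times within `window` on one host,
    and separately flag a successful login from that source while the burst is live."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    recent_failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    alerts: List[Alert] = []
    for e in events:
        key = (e.host, e.src)
        # Drop failures that have aged out of the sliding window.
        live = [t for t in recent_failures[key] if e.ts - t <= window]
        if e.outcome == "Failed":
            live.append(e.ts)
            if len(live) == threshold:   # fire once, when the threshold is crossed
                alerts.append(Alert("brute_force", e.host, e.src, e.user, e.ts,
                                    f"{threshold} failed logins within {window}"))
        else:
            if len(live) >= threshold:
                alerts.append(Alert("brute_force_success", e.host, e.src, e.user, e.ts,
                                    f"successful login after {len(live)} recent failures"))
            live = []                    # a success ends the burst either way
        recent_failures[key] = live
    return alerts


# Constructed sample log (hypothetical hosts, users and documentation-range IPs).
SAMPLE_LOG = """\
2025-06-01T10:00:01Z host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51222 ssh2
2025-06-01T10:00:04Z host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51230 ssh2
2025-06-01T10:00:09Z host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51241 ssh2
2025-06-01T10:00:15Z host1 sshd[1204]: Failed password for alice from 203.0.113.5 port 51250 ssh2
2025-06-01T10:00:20Z host1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
2025-06-01T10:00:22Z host1 sshd[1205]: Failed password for alice from 203.0.113.5 port 51262 ssh2
2025-06-01T10:00:30Z host1 sshd[1206]: Failed password for alice from 203.0.113.5 port 51270 ssh2
2025-06-01T10:00:41Z host1 sshd[1207]: Accepted password for alice from 203.0.113.5 port 51281 ssh2
2025-06-01T10:02:00Z host2 sshd[2201]: Failed password for bob from 198.51.100.7 port 40010 ssh2
2025-06-01T10:02:05Z host2 sshd[2202]: Accepted password for bob from 198.51.100.7 port 40010 ssh2
"""

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.kind} host={a.host} src={a.src} user={a.user}: {a.detail}")
```

On the constructed input this yields two alerts, both against host1 and 203.0.113.5: the burst itself at the fifth failure and, more importantly, the successful login for alice that follows it. bob's single mistyped password on host2 produces nothing, which is the "normal operations versus security issue" distinction § 23 asks the evaluation to make. Each alert carries the host, source and timestamp, so the what/when/where questions of § 22 can be answered from the alert alone.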
Application security (§ 24)
The objective of this measure is to protect the applications that support your operations and data. Ensure secure configuration, regular updates, and protection against misuse throughout their entire lifecycle.
Cryptographic algorithms (§ 25)
This technical measure focuses on protecting sensitive data through encryption where appropriate. Use up-to-date and secure algorithms, and manage cryptographic keys properly to ensure that protection works effectively in practice.
Ensuring availability of the regulated service (§ 26)
The purpose of this measure is to maintain operations and minimize the impact on the business and its customers. How? By proactively managing capacity, backups, and resilience so that the regulated service continues to function even in the event of disruptions.
Security of industrial, control and similar specific technical assets (§ 27)
This measure focuses on protecting industrial and control systems, taking into account their technical constraints and operational significance. Do not apply standard IT security measures blindly; instead, tailor the protection to the operational reality of these systems.
We have analyzed and explained individual measures in more detail on the Zákony pro lidi portal, directly linked to the decree on security measures in the regime of higher obligations.
Security roles in the higher regime
Let us take a closer look at the measure concerning security roles. Organizations operating under the higher regime are required to appoint a cyber security manager, a cyber security architect and a cyber security auditor, and to assign an asset guardian to defined assets. The organization's top management is responsible for designating these individuals. Each of these security roles must meet the requirements set out in the decree.
Cyber security manager
The cyber security manager is responsible for ensuring that the information security management system operates in accordance with established rules. The role requires appropriate qualifications and at least three years of professional experience in information security management.
The cyber security manager reports to top management on the state of cybersecurity and may not perform any other security role simultaneously.
Cyber security architect
The cyber security architect is responsible for ensuring the design and implementation of security measures. This role also requires specific professional knowledge and relevant experience.
Cyber security auditor
The cyber security auditor is responsible for conducting cybersecurity audits, possesses the required expertise and professional experience, and performs audits independently and impartially.
As with the cyber security manager, the decree explicitly states that the auditor may not perform any other security role.
The asset guardian
The asset guardian is a security role responsible for ensuring the development, proper use, and protection of the assigned asset.
Security measures in the regime of lower obligations
For regulated service providers operating under the regime of lower obligations, organizational and technical measures are combined into a single framework. The decree on security measures for regulated service providers in the regime of lower obligations sets out a total of 11 security measures representing a basic level of cybersecurity, an essential minimum that no regulated service provider can operate without. Their content largely overlaps with the measures required under the higher regime; therefore, only a list is provided below without further elaboration.
- Minimum cybersecurity management system (§ 3)
- Requirements for top management (§ 4)
- Human resources security (§ 5)
- Business continuity management (§ 6)
- Access management (§ 7)
- Identity and privilege management (§ 8)
- Detection and logging of cybersecurity events (§ 9)
- Cybersecurity incident handling (§ 10)
- Application security (§ 12)
- Cryptographic algorithms (§ 13)
Security roles in the lower regime
If we compare the scope of the security role requirements, the lower regime only requires the designation of a single person responsible for cybersecurity. This person is accountable for managing and developing cybersecurity within the organization and for communicating with top management.
The role may be assigned to a person who completes the professional training specified by the decree or demonstrates the required professional competence. It may also be performed by an existing employee, for example the person responsible for IT operations.
Specific obligations in the digital infrastructure and services sector
The Cybersecurity Act includes special provisions for regulated service providers operating in digital infrastructure and digital services. This refers to a regulated service provider that provides one of the following regulated services:
- domain name translation system,
- trust services within the meaning of directly applicable European Union law,
- top-level domain registry management and operation services,
- cloud computing services,
- data centre services,
- content delivery network services,
- online marketplace services,
- internet search engine services within the meaning of directly applicable European Union law,
- social network services,
- managed services and
- managed security services.
Organizations providing these services must implement security measures covering at least: risk management, security policy and documentation management, incident handling, business continuity management, supplier management, secure acquisition and development, application security, human resources security, cryptographic algorithms, access management, and identity management.
Details are set out in the European Commission implementing regulation under NIS2, which takes precedence over Czech law. This represents a tightening of security requirements for all providers of the above-listed regulated services, with the extent of the tightening determined by the specific wording of the regulation. Importantly, the stricter requirements apply only to the particular services covered by the regulation. Other regulated services provided by the organization that are not governed by this regulation continue to be subject to the regime applicable to regulated service providers under the Cybersecurity Act and its implementing decrees.