- Kateřina Kubíková
- David Polách
The new cybersecurity regulation (according to NIS2) is officially in the legislative process as of 19 June 2023. The adoption of the law is planned for the second half of 2024 and according to the current draft, the obligations will have to be met within approximately one year of its entry into force.
The aim of the proposed amendment is to transpose the NIS2 directive into Czech law. However, this is not the first cybersecurity regulation in the Czech Republic.
The submission of the law to the legislative process was preceded by the publication of the draft by the National Office for Cyber Security (in Czech NÚKIB) in January 2023. At that time, on its own initiative, the office allowed the public to review the draft and submit suggestions and comments on it. The final document recording how these suggestions and comments were settled ran to over 1000 pages. This is a testimony to the above-standard effort that NÚKIB has devoted to preparing the new legislation.
What has cybersecurity legislation looked like so far?
The Czech Republic was one of the first countries in Europe to adopt a Cybersecurity Act in 2014, which was gradually supplemented by other implementing legislation. The most significant for practice is the decree on cybersecurity, which introduced the obligation to implement organisational and technical measures (e.g. training of employees in cybersecurity and setting access permissions).
This legal regulation serves as the basis on which the new legislation will be built, as cybersecurity measures and their implementation form the largest part of it.
Therefore, unlike many other European countries, the Czech Republic is not building its cybersecurity regulation from scratch.
Legal regulation of cybersecurity after the implementation of NIS2
The upcoming cybersecurity regulation is made up of a set of new laws. These are:
- New Cybersecurity Act (according to the NIS2 Directive)
- Decree on regulated services
- Decree on the security measures of a provider of a regulated service under the regime of higher obligations
- Decree on security measures of a provider of a regulated service under the regime of reduced obligations
- Decree on the NÚKIB Portal and requirements for selected acts
- Decree on non-negotiable functions of a specified scope
For organisations considering whether they will be affected by the new regulation, the first four pieces of legislation listed above are the most important. They determine whether you fall under the new cybersecurity regulation, what specific obligations you need to meet and what security measures you need to put in place.
To save you work, we have developed an app where you can check for free whether or not you are likely to fall under the new regulation by answering simple questions. You will also find out what you may need to comply with and what the next steps you should take in this regard should be.
What new regulations will govern cybersecurity?
Law on cybersecurity
The Law on Cybersecurity is the main piece of legislation of the new regulation. It explains the basic concepts, sets out the general conditions for who will have to comply with the new obligations and thus be considered a provider of a regulated service, defines the basic obligations of these organisations, discusses the rights and obligations of the National Office for Cyber and Information Security (in Czech NÚKIB) and sets out the conditions for corrective measures and the imposition of sanctions.
The topics in question are regulated in the law only in general terms, because the law provides only the skeleton. The obligations are detailed in the individual decrees.
Decree on regulated services
It determines which services are important enough under NIS2 that their providers must address cybersecurity, and sets out the criteria under which an entity is considered a provider of such a regulated service. An entity that meets these criteria must comply with the obligations arising from the decrees.
The Decree sets out a total of 22 regulated services. These include public administration, energy and transport organisations (whether by rail, air, water or road), chemical and manufacturing industries, digital infrastructure and services organisations and healthcare organisations.
In determining an organisation's scheme of duties, 2 criteria are considered - personnel and financial. This is based on the division of businesses under European law into micro, small, medium and large enterprises. For our purposes, the most relevant are medium and large enterprises: in simple terms, a medium enterprise has at least 50 employees and a turnover of more than €10 million, and a large enterprise has at least 250 employees and a turnover of more than €50 million.
This decree also defines which enterprise is small, medium, large, etc. However, the definition does not appear directly in the decree, which instead refers to the EU regulation. The size of the enterprise is important in determining whether an organisation will fall under the higher or lower obligation regime.
Decree on security measures of a provider of a regulated service under the higher obligations
In particular, it regulates security measures. Since there are quite a lot of them (25) and they are diverse, they are divided into 2 groups for clarity - organisational and technical.
Organisational arrangements include, for example, senior management responsibilities, asset management and supplier management. Technical measures include, for example, the security of communication networks, application security and the use of cryptographic means.
The decree also contains a number of annexes, which are useful at least to be inspired by when creating internal documentation of the company. These include, for example, scales for assessing the availability, confidentiality and integrity of the organisation's assets, practical tools for conducting risk analysis, a list of typical vulnerabilities and threats, or a list of education or experience requirements for persons who should hold security roles in the organisation (cybersecurity architect, cybersecurity manager, etc.).
Decree on security measures for regulated service providers under lower obligations
Compared to the previous decree, this one contains significantly fewer security measures - 11 in total. The lower regime is less stringent than the higher one, so the requirements it imposes on obliged entities are more lenient. For example, instead of having several security roles, companies are to designate one person responsible for cybersecurity.
Decree on the NÚKIB Portal and requirements for selected acts and Decree on non-negotiable functions of a specified scope
The Decree on the NÚKIB Portal regulates access to the NÚKIB portal and the method of reporting cyber security incidents. The second decree describes the non-negotiable functions of a specified scope for the regulated service of providing a public communications network and the regulated service of providing a publicly available electronic communications service.