Key obligations
A positive aspect of the new Cybersecurity Act is that it assigns obligations to organizations based on their classification within a specific regime, rather than the service they provide. There are two regimes – higher and lower. Entities in the higher regime have more obligations, while those in the lower regime have fewer.
If a company provides multiple regulated services, only one regime will apply to the entire organization.
To illustrate the differences between the lower and higher regimes, let’s look at security role requirements. Companies in the higher regime must have designated roles such as a cybersecurity manager, cybersecurity architect, asset guarantor, and cybersecurity auditor.
In the lower regime, this requirement does not apply. Instead, organizations only need to appoint a person responsible for cybersecurity. This person will be responsible for managing and developing cybersecurity and communicating with top management.
Other obligations include:
- Responsibilities for top management
- Asset and risk management
- Business continuity management
- Ensuring physical security
- Access rights and permissions management
- Security policy and documentation management
- Cryptographic algorithms
- Detection and response to cybersecurity incidents
- Supplier management (higher regime)
The full list of security measures can be found in the draft law. For a more detailed overview of the obligations under the new cybersecurity legislation, check out our previous article.
What transportation services are regulated?
Aviation (regulated services no. 12)
Aviation includes nine regulated services:
- Air transport operations
- Airport operations
- Operation of auxiliary airport facilities
- Air traffic control service in Czech airspace
- Security screening of cargo or mail
- Cargo or mail dispatch service
- Onboard supply service
- Ground handling services
- Air navigation services
To qualify as a regulated service, additional criteria must be met (typically size-related, but others may apply). For example, an air transport company must comply with the Civil Aviation Act. If it is a large enterprise (or has transported at least 500,000 passengers per year on average over the past three years), it will fall under the higher regime. A medium-sized enterprise would fall under the lower regime.
Rail transport (regulated services no. 13)
The railway sector includes eight regulated services:
- Train route setting
- National railway operations
- Regional railway operations
- Publicly accessible siding operations
- Rail transport on national railways
- Rail transport on regional railways
- Rail transport on publicly accessible sidings
- Service facility operations
These regulated services apply to companies under the Railway Act that meet size criteria. Large enterprises fall under the higher regime, while medium-sized ones fall under the lower regime.
Water transport (regulated services no. 14)
Water transport includes three regulated services:
- Maritime transport operations
- Port authority operations or operations of port infrastructure
- Vessel traffic service (VTS) operations
These services follow EU regulations. If the criteria are met, the same regime classification applies as in rail transport – large enterprises in the higher regime, medium enterprises in the lower.
Cybersecurity in transportation and logistics is about to change – the new Cybersecurity Act (nZKB) introduces new obligations for selected regulated sectors. While we are still awaiting the final approval of the law, it is wise to start preparing now. So, what can you expect from these changes if you operate in this field? We have summarized the key obligations and potential impacts for you.
Road transport (regulated services no. 15)
Road transport includes two regulated services:
- Traffic control operations
- Intelligent transportation system operations
The same principle applies as with previous sectors. The company must perform activities under the relevant law (in this case, the Road Transport Act) and meet size requirements. Large enterprises fall under the higher regime, and medium ones under the lower.
Not listed under transportation services?
The draft decree on regulated services includes additional sectors related to transportation – logistics and manufacturing. Specifically, this covers the postal and courier services sector (no. 20). If a company meets the conditions for this regulated service, it will fall under the lower regime.
Or does your company manufacture something for the transportation sector (regulated services no. 7)? This category includes the production of motor vehicles (excluding motorcycles), trailers, and semi-trailers, as well as other means of transportation, such as railway locomotives or shipbuilding.
Postal and courier services (regulated services no. 20)
One regulated service:
- Postal and courier service provision
Manufacturing (regulated services no. 7)
Two regulated services related to transportation:
- Manufacturing of motor vehicles (excluding motorcycles), trailers, and semi-trailers
- Manufacturing of other transportation equipment and infrastructure (e.g., railway locomotives, shipbuilding)