Security roles and their roll-out according to the new Cyber Security Act

NIS2 in the Czech Republic: the turning point in cybersecurity arrives this year
With the new Cyber Security Act, companies will have to deal with the mandatory roll-out of new security roles. What are these roles and what will their responsibilities be?
Security roles in the higher and lower regime

The new Cyber Security Act is due to take effect at the beginning of next year, 2025, and companies and organisations regulated under the regime of higher obligation will have to roll out these roles: cybersecurity manager, cybersecurity architect, cybersecurity auditor and asset guarantors. Senior management will have to designate these individuals. This is specified for the regime of higher obligation in draft Section 14(1)(a)(3) of the Cyber Security Act. The obligation is an organisational measure. The security roles will then be further detailed in the Decree on security measures of the regulated service provider in the regime of higher obligation.

If your company self-identifies as meeting the criteria of the regime of lower obligation, it must have a so-called cybersecurity officer and asset guarantors. This is based on the definition of security roles for the regime of lower obligation in draft Section 14(2)(a), (c) and (e) of the Cyber Security Act and also on the Decree on security measures of a regulated service provider in the lower regime. Under the lower regime, the asset guarantor is not explicitly mentioned as a mandatory security role. However, in the context of asset management it is indispensable, and therefore companies should not forget about it even in this regime.

Each of these security roles must meet the requirements set out in the Decree, and it is recommended that the Annex to the Decree, which further elaborates on these roles, is followed. It is up to each company whether to staff the roles internally or to outsource them, as it may well be that no one in the company meets the criteria. In any case, it is recommended that the persons holding a role fulfil the criteria that will be set out in the annexes to the decrees to the new Cyber Security Act. Read more about the individual roles below.

We offer role outsourcing

Looking for a reliable partner to protect your digital assets? We specialise in outsourcing the following key roles: cybersecurity manager, cybersecurity architect and cybersecurity auditor.
Cyber Security Manager

According to the new cyber law, the cyber security manager is a critical security role. It is a person who will be responsible for compliance with the rules of information security, is trained for this activity and demonstrates professional competence by work experience (at least 1 year) or by university study.

Their task is to be responsible for the overall state of cyber security. The person should have a good overview of the company and a comprehensive knowledge not only of the ICT area but also of overall operations, in order to support business continuity (BCP, DRP). Furthermore, he/she should be able to manage risks and interpret the results of risk management for top management.

A cyber security manager may not be assigned roles responsible for the operation of the regulated service or be responsible for the operation of the company's information and communication system. The necessary authority, accountability and budget must be in place for this role to be performed properly.

In general, we can summarize that the cyber security manager:

In practice, you can imagine the role of cyber security manager in change management.

The first stage of the process is to create a change request. The object of this phase is to define the detailed scope of the services and/or other resources that are the content of the request. Subsequently, the cyber security manager, in collaboration with the cyber security architect or asset guarantor and the initiator of the request, reviews the potential impact of the change on the information and cyber security of the organisation. The cyber security manager thus plays a key role in change management, as well as in the decision whether to perform penetration testing of significant changes, and even in the development of a testing plan for a significant change, where the cyber security manager works with the guarantor of the asset affected by the change or with the vendor.

Cyber Security Architect

The design and implementation of security measures is the task of the cybersecurity architect. The architect is responsible for the design of the secure architecture of the regulated service (e.g. from infrastructure to application-level security) and for its implementation in practice. There may be multiple architects in an organisation who specialise in different areas.

The cybersecurity architect should have experience with security measures and at least one year of experience in the field. At the same time, the architect cannot be the person responsible for the operation of the company's information and communication systems.

The role of the cyber security architect has in particular the following rights and obligations:

Cyber Security Auditor

The cyber security auditor is responsible for conducting cybersecurity audits. Their role is to assess the compliance of implemented security measures with requirements, provide independent feedback on the effectiveness of the information security system, and prepare conclusions and documentation of results.

The auditor must be familiar with the relevant legislation, processes and internal audit procedures of the company. To perform this role it is required to demonstrate competence and to have a minimum of one year's experience. The cyber security auditor must not be assigned roles responsible for the operation of a regulated service or be responsible for the operation of information and communication systems.

The role of the cyber security auditor is separate from other security roles and is not compatible with roles responsible for the operation of information systems. Cybersecurity Auditor:

The Asset Guarantor

The asset guarantor ensures that a company's assets are protected against various threats such as cyber-attacks, phishing, loss, theft or damage to assets, or physical security breaches, in particular by defining security requirements.

This security role is responsible for ensuring the development, use and security of the asset. The Asset Guarantor typically works with other company departments such as IT, legal and management to ensure effective asset protection and compliance with relevant regulatory requirements. 

The asset guarantor role cannot be outsourced. Ideally, it should be assigned to an internal person who is "in charge" of the company's assets. A company typically has multiple assets and therefore multiple guarantors, because asset guarantors are determined based on their job title and on the process and expertise behind the asset. For asset management purposes, the asset guarantor must be able to evaluate the asset on the basis of the potential impacts.


The Person Responsible for Cyber Security

In the regime of lower obligation, the roles of cyber security manager, cyber security architect and cyber security auditor are not prescribed. However, companies are required to designate a person responsible for cyber security. This role forms part of the companies' obligations under the minimum cybersecurity assurance regime; it is not a separate obligation as in the case of the higher regime.

The person in this role must complete training, which will have both theoretical and practical components, without undue delay, and must demonstrate competence in cyber security.

The person responsible for cyber security maintains current security policies, carries out information security control activities and provides methodological guidance, and is thus responsible for the implementation of security measures. Among other things, this role submits the security awareness development plan to the company's management for approval; the plan is then evaluated.

Get ready

We can help you with practical preparation of your company for the new cybersecurity legislation.
