- Kateřina Kubíková
- David Polách
The draft Cybersecurity Act transposes the NIS2 Directive into Czech law and also regulates the suppliers of regulated services. Suppliers are classified as so-called supporting assets, which support the functioning of primary assets (the assets most important for the company's activities).
Significant supplier
The Cybersecurity Act defines significant suppliers as those suppliers that enter into a contractual relationship with a regulated service provider that is significant from an information security perspective. The organization must inform a supplier it has identified as significant in writing and in a demonstrable manner.
Significant suppliers are then subject to special obligations. For example, in the case of the transfer of information and data from a significant supplier, the NÚKIB may, under specific conditions in the event of a cyber incident, impose an obligation on that supplier to transfer information and data related to the operation of assets used to provide the regulated service to the provider of the regulated service under the regime of higher obligations. This obligation shall apply if the supplier does not hand over the information or data voluntarily.
Suppliers in the regime of higher obligations
In the context of cybersecurity, it is important to properly identify and manage all a company's suppliers whose services and products may impact information and data security. For example, if a supplier provides cloud services for data storage and processing, then that supplier should be considered a supporting asset, and appropriate measures should be taken to ensure the security of that data.
Supplier management is an organizational measure for companies in the regime of higher obligations, which is reflected (like other security measures) in the content of the organization's security policy and documentation.
The obligations are differentiated under the Decree on the regime of higher obligations according to whether they apply to all the organization’s suppliers or only to significant suppliers.
As part of the supplier management policy, an organization will need to set out, for example:
- rules and principles for the selection of suppliers,
- rules for assessing risks related to suppliers,
- rules for identifying significant suppliers,
- rules for the implementation of security controls,
- rules for keeping records of contact details of suppliers responsible for system and technical support,
- contract elements considering the relevant supplier requirements arising from security policies and security documentation.
The Decree sets out the mandatory elements of the content of contracts concluded with significant suppliers. These include, among others, the obligation to include in contracts provisions on information security, on authorization to use data, and on control and audit of the supplier (or customer audit rules).
Managing and controlling compliance with obligations arising from supplier relationships should then be one of the key activities of the Cybersecurity Manager. You can read more on security roles here.
Suppliers in the regime of lower obligations
A provider of regulated services in the regime of lower obligations does not have explicit security measures relating to suppliers, as is the case in the higher regime. However, this does not mean that the company does not have to address its suppliers in any way.
Cybersecurity safeguards include an obligation to ensure that contracts with suppliers cover the relevant areas listed in the Annex to the Decree on the regime of lower obligations.
Contracts with suppliers must include:
- provisions on the possibility of auditing the supplier,
- provisions on penalties for breach of contractual obligations,
- provisions governing the obligation to comply with the supplier rules with which the relevant staff of the supplier have been demonstrably familiarized, or, for example, the elements of a service level agreement.
The Annex to the Decree also recommends that, when entering into contracts, organizations require suppliers to include further items not listed there that reflect the specific security requirements arising from the provision of the regulated service.
This is not all, however: the organization must also ensure that its suppliers report unusual behavior of the technical assets they manage and any suspected vulnerabilities. This obligation is hidden in another security measure, referred to as cybersecurity incident handling or vulnerability management.
NÚKIB and suppliers of regulated service providers
The draft Cybersecurity Act also deals with the so-called supply chain security vetting mechanism. It establishes the authority of the National Cyber and Information Security Agency (NÚKIB) to collect and evaluate information and data associated with an institution or person that poses a potential threat to the security of the Czech Republic, its internal security or public order, for the purpose of screening risks associated with suppliers.
The aim of this mechanism is to enable the country to identify threats in a timely manner. Contractors expected to have the greatest impact on providers of strategically important services should be screened first.
As part of this mechanism, the NÚKIB also has the power to limit the risks associated with a supplier: it can issue a general measure setting conditions for, or prohibiting, the use of a 'security-relevant supplier in a critical part of the specified scope'. This should apply only to security-relevant supplies, and only in those parts that are considered critical and have an impact on the internal security, public order or security of the Czech Republic.