Suppliers of regulated service providers

NIS2 in the Czech Republic: the turning point in cybersecurity arrives this year
The draft Cybersecurity Act transposes the NIS2 Directive into Czech law and does not forget about the regulation of suppliers of regulated services. Suppliers are classified as so-called supporting assets, which support the functioning of primary assets (the assets most important to the company's activities).
Significant supplier

The Cybersecurity Act defines significant suppliers as those suppliers that enter into a contractual relationship with a regulated service provider which is significant from an information security perspective. The organization must inform a supplier it has identified as significant in writing and in a demonstrable manner.

Significant suppliers are then subject to special obligations. For example, under specific conditions in the event of a cyber incident, the NÚKIB may impose on a significant supplier an obligation to hand over information and data relating to the operation of assets used to provide the regulated service to the provider of that regulated service in the regime of higher obligations. This obligation applies only if the supplier does not hand over the information or data voluntarily.

Suppliers in the regime of higher obligations

In the context of cybersecurity, it is important to properly identify and manage all a company's suppliers whose services and products may impact information and data security. For example, if a supplier provides cloud services for data storage and processing, then that supplier should be considered a supporting asset, and appropriate measures should be taken to ensure the security of that data.

Supplier management is an organizational measure for companies in the regime of higher obligations, and (like other security measures) it is reflected in the content of the organization's security policy and documentation.

The obligations are differentiated under the Decree on the regime of higher obligations according to whether they apply to all the organization’s suppliers or only to significant suppliers. 

As part of the supplier management policy, an organization will need to set out, for example:

The Decree sets out the mandatory elements of the content of the contract concluded with major suppliers. These include the obligation to include in contracts provisions on information security, on authorization to use data, on control and audit of the supplier (or customer audit rules), among others.

Managing and controlling compliance with obligations arising from supplier relationships should then be one of the key activities of the Cybersecurity Manager. You can read more on security roles here.

Suppliers in the regime of lower obligations

A provider of regulated services in the regime of lower obligations does not have explicit security measures relating to suppliers, as is the case in the higher regime. However, this does not mean that the company does not have to address its suppliers in any way.

Cybersecurity safeguards include an obligation to ensure that contracts with suppliers cover the relevant areas listed in the Annex to the Decree on the regime of lower obligations.

Contracts with suppliers must include:

The Annex to the Decree then also recommends that organizations require suppliers to include other unenumerated items when entering contracts that consider the specific requirements arising from the provision of security related to the regulated service.

However, this is not all: the organization must also ensure that its suppliers report unusual behavior of managed technical assets and any suspected vulnerabilities. This obligation is hidden in other security measures, namely cyber security incident handling and vulnerability management.

Are you under the new legislation?

To save you work, we have developed an app where you can check for free whether or not you are likely to fall under the new regulation by answering simple questions. You will also find out what you may need to comply with and what the next steps you should take in this regard should be.
NÚKIB and suppliers of regulated service providers

The draft Cybersecurity Act also deals with the so-called supply chain security vetting mechanism. It establishes the authority of the National Cyber and Information Security Agency (NÚKIB) to collect and evaluate information and data associated with an institution or person that poses a potential threat to the security of the Czech Republic, its internal security or public order, for the purpose of screening risks associated with suppliers.

The aim of this mechanism is to enable the country to identify threats in a timely manner. Contractors expected to have the greatest impact on providers of strategically important services should be screened first.

As part of this mechanism, the NÚKIB also has the power to limit the risks associated with a supplier: it can issue a general measure setting conditions on, or prohibiting, the use of a 'security-relevant supplier in a critical part of the specified scope'. This should apply only to security-relevant supplies, and only in those parts that are considered critical and have an impact on the internal or public order or security of the Czech Republic.

Get ready

We can help you with practical preparation of your company for the new cybersecurity legislation.
