- Kateřina Kubíková
- David Polách
The NIS2 Directive created two categories of regulated entities: essential entities and important entities. The two categories differ in the requirements that organisations must meet.
In the Czech legal system, NIS2 will be transposed into the new Cybersecurity Act and its implementing decrees. The draft Cybersecurity Act takes a slightly different approach and introduces a single entity, the regulated service provider, with two regimes. The regime of higher obligations corresponds to the essential entity under NIS2, and the regime of lower obligations reflects the category of important entity.
If the organisation is a regulated service provider, the obligations it will have to fulfil depend on the regime it is classified under. You can read more about the Czech legislation based on NIS2 here.
Security measures in the regime of higher obligations
The draft Act divides security measures into two groups: organisational measures (14) and technical measures (11). The Decree on Regulated Services then specifies the concrete content of these obligations.
Organisational measures
- information security management system
- requirements for top management
- determination of security roles
- management of security policy and security documentation
- asset management
- risk management
- supplier management
- human resources security
- change management
- acquisition, development and maintenance
- access control
- managing cyber security events and incidents
- business continuity management
- conducting cyber security audits
Technical measures
- physical security
- security of communication networks
- identity management and verification
- access rights and permissions management
- detection of cyber security events
- recording of events
- evaluation of cyber security events
- application security
- cryptographic algorithms
- ensuring the availability of the regulated service
- security of industrial, control and similar specific technical assets
To get an idea of the content of the measures, let's take a closer look at the security role measure as an example. Organisations in the regime of higher obligations will newly need to have individuals holding the roles of cyber security manager, cyber security architect, asset guardian (asset sponsor) and cyber security auditor. The senior management of the organisation is required to designate these individuals. Each of these security roles should meet the requirements set out in the Decree on Regulated Services, and it is recommended that the Annex to the Decree, which further elaborates on the roles, is also followed.
- Cyber Security Manager: a person who is responsible for compliance with the rules of the information security management system, is trained for this activity and demonstrates professional competence through work experience or university studies. He/she is responsible for keeping senior management informed. At the same time, this role must not be combined with roles responsible for the operation of the regulated service.
- Cyber Security Architect: responsible for ensuring the design of the implementation of security measures, and must also have certain expertise and experience.
- Asset Guardian: a security role responsible for ensuring the development, use and security of an asset.
- Cyber Security Auditor: responsible for conducting the cyber security audit, has expertise and experience, conducts the audit impartially and, as the draft explicitly states, must not hold any other security role.
Security measures in the regime of lower obligations
For providers of regulated services under the regime of lower obligations, the law does not list organisational and technical measures separately; they are listed together. In total, 13 security measures are listed in the new draft Cybersecurity Act, whereas the current version of the draft decree lists only 11 for the regime of lower obligations. It is likely that we will only know the full set of obligations for the regime of lower obligations (or even the regime of higher obligations) once the new legislation has been approved by the Czech Parliament.
Security measures in the regime of lower obligations:
- minimum cyber security assurance system
- requirements for top management
- asset management
- risk management
- human resources security
- business continuity management
- access control
- identity management and permissions
- detection and recording of cyber security events
- dealing with cyber security incidents
- security of communication networks
- application security
- cryptographic algorithms
The security roles discussed above for the regime of higher obligations do not appear in this form in the lower regime. However, under the security measure of ensuring cyber security, there is an obligation to designate a person responsible for cyber security. For organisations in the lower regime, this person will be responsible for managing and developing cyber security and for communicating with senior management.
This role may be assigned to a person who has received the professional training specified in the Decree on Regulated Services or has otherwise demonstrated professional competence for this activity. The role may be performed by an existing member of staff, for example the person responsible for IT operations. This example nicely illustrates that the lower regime is indeed more lenient than the regime of higher obligations.
Specific obligations in the digital infrastructure and services sector
The Cybersecurity Act, as presented to the Legislative Council of the Government in April 2024, comes with a special provision for regulated service providers in the digital infrastructure and services sector. This refers to a regulated service provider that provides any of the following regulated services:
- domain name translation system,
- trust services within the meaning of directly applicable European Union law,
- top-level domain registry management and operation services,
- cloud computing services,
- data centre services,
- content delivery network services,
- online marketplace services,
- internet search engine services within the meaning of directly applicable European Union law,
- social network services,
- managed services
- managed security services.
Organisations providing any of these services will need to establish and implement security measures in relation to these services that include, as a minimum: risk management, security policy and documentation management, cyber security incident management, business continuity management, vendor management, secure acquisition, development and maintenance, application security, human resource security, cryptographic algorithms, access control, and identity management and authentication.
The details are yet to be determined by the European Commission, and these requirements will take precedence over the obligations set out in Czech law. This amounts to a tightening of security measures for all providers of any of the above regulated services, and the degree of tightening will depend on the wording of the European Commission's implementing regulation. It may be slightly encouraging that this tightening applies to a regulated service provider only with respect to the specific regulated services listed above. Other regulated services provided by the same organisation that are not covered by the Commission's implementing regulation will be governed by the regulated service provider regime, and thus by the Cybersecurity Act and its decrees.