- Kateřina Kubíková
- David Polách
The new Cyber Security Act is due to take effect at the beginning of next year, 2025, and it transposes into Czech law the obligations and rules required by the NIS2 Directive.
To answer the question of whether it faces new obligations, an organisation first needs to know whether it is a provider of a regulated service. The Act specifies that in most cases an organisation must identify itself as such and then register with the National Cyber and Information Security Authority (NÚKIB).
Who is the provider of the regulated service?
The Draft of the Act says that a regulated service provider is a body or person providing one or more regulated services. This rather general definition often raises more questions than it answers. In practice, a regulated service provider is an organisation that meets certain criteria (most commonly the enterprise-size criterion) and carries out an activity that is designated as a regulated service.
The size criterion for the organisation is based on a recommendation from the European Commission. To determine size, it is sufficient if either the headcount threshold or the financial indicator is met. The headcount of an organisation includes not only the employees of the organisation under assessment but also, to a certain extent, the employees of so-called linked or partner enterprises. For example, a subsidiary in which the organisation holds a 100 % shareholding is a linked enterprise, and all of its employees are added to the headcount of the organisation under assessment. An organisation is a large enterprise if it has at least 250 employees, a medium-sized enterprise if it has between 50 and 249 employees, a small enterprise if it has between 10 and 50 employees, and a micro-enterprise if it has fewer than 10.
However, size is not the only criterion. An organisation can also become a regulated service provider if it provides a regulated service whose definition attaches conditions other than the size thresholds just mentioned.
What are regulated services?
The Cybersecurity Act states that a regulated service is a service whose disruption could have a significant impact on the security of important societal or economic activities and for whose provision assets are used.
The Decree on Regulated Services then lists 22 areas of regulated services, from energy to the space industry, and within each area it lists the specific regulated services, of which there are more than 100 in total. These are intended to be the most important services that need increased protection in the area of cyber security. They include, for example, electricity generation, airport operations, the provision of a public communications network, the provision of cloud computing services and the provision of healthcare.
If the criteria are met, the organisation will be a regulated service provider under either the higher or the lower regime of obligations. To help with this self-assessment, you can use our web application urci.se to find out for free whether you are likely to be affected by NIS2 through the Cybersecurity Act and, if so, under which regime (note: the Urči.se app considers only the Czech draft of the Cyber Security Act).
However, the Act also provides for several exceptions, where the National Cyber and Information Security Authority (NÚKIB) may determine by its own decision that a provider is a regulated service provider even without fulfilling the above criteria. For example, this applies if the organisation carries out an activity whose disruption may cause serious interference with the lives of more than 125,000 persons, in particular a threat to life, health, property, internal or public order, security or the environment.
Are you under the new legislation?
I'll probably be a regulated service provider, what next?
The provider of a regulated service must itself report to the NÚKIB that it has fulfilled the criteria for identification of a regulated service. What happens next?
1) Registration
Under the Act, you have 30 days to register through the NÚKIB portal; this period starts from the moment you find out that you provide a regulated service. The Cybersecurity Act envisages an effective date of 18 October 2024, but whether it will make it through Parliament by then is now uncertain.
What if I don't find out that I am providing a regulated service? The Draft of the Act provides for this as well and sets a second time limit of 90 days, starting from the moment the criteria are actually met. The registration period ends on whichever of the two limits expires first. This matters particularly when an organisation begins to provide a regulated service at some point in the future, since the limits are not simply tied to the effective date of the new cyber law.
For example, if you start providing a regulated service at the beginning of the month but do not yet know that you are a regulated service provider, the 90-day registration period begins to run. If you only find out that you are providing a regulated service 2 days before the end of that period, the 30-day period will not run its full course, because registration is due on whichever day comes first, here the 90th day. Conversely, if you already know at the beginning of the month, at the same time you start providing the regulated service, that you are a provider, the time for registration expires on the 30th day.
What if I don't register? The Act makes this an offence, and the provider of a regulated service will face a penalty. Failing to register is conduct that shows an organisation is avoiding its cyber security obligations, and so it can carry the highest possible fines. The levels of fines follow the NIS2 Directive directly: up to 250 million CZK or up to 2% of net worldwide annual turnover (whichever is higher) for organisations subject to the higher regime, and up to 175 million CZK or 1.4% of net worldwide annual turnover (again, whichever is higher) for organisations in the lower regime.
2) Entry in the register of regulated service providers
After an organisation registers a regulated service, the NÚKIB automatically enters it into the register of regulated service providers and notifies the organisation of this entry. The organisation must then fulfil the obligations arising from the Act for the registered services from the moment the notification of registration is delivered. However, security measures such as the establishment of security roles under the higher regime need only be in place at a later date (more on this below).
3) Data reporting
Within 30 days of receiving written notice of registration, the organisation must supply the contact details and additional information required by the Act.
4) Compliance with security measures and incident reporting
The establishment and implementation of security measures for each regulated service, and the obligation to report cybersecurity incidents, must begin within 1 year of the date of delivery of the written notice of the service's registration.
Once the new Cybersecurity Act comes into force, organisations will therefore have to prepare the mandatory documentation and appoint the security roles required by the regime of obligations into which they fall.