1. General information about
the future national regulation

Proposal of National Regulation


KEY REGULATORY CHANGES

NIS2 directive introduced changes to the existing regulatory framework so significant that NUKIB has decided to propose an entirely new cybersecurity regulation.

The basis of this new regulation is a completely new Act on Cyber Security.

The new proposal of Act on Cyber Security is based on the wording of the existing Act No.181/2014 Coll., on Cyber Security, also meets the minimum requirements set out in the NIS2 Directive and reflects the experience and knowledge that the NUKIB has gathered during its existence. The new draft also aims to simplify some institutes and make the regulation more user-friendly for its addressees.

The draft of the Act on Cyber Security combines the existing fragmented regulation of several types of obliged persons into one - the so-called regulated service provider (regulated in Part One, Title I and Title II).

A regulated service provider must meet the criteria set forth in the proposed Decree on Regulated Services, where it will identify, through self-identification process, the service or services for which it is regulated. Subsequently, it must self-report (register) to the NUKIB and is enrolled into the register (in exceptional cases, it is registered directly by the NUKIB and enrolled into the register).

The proposed law then assigns a so-called regime of obligations to the provider of the regulated service on the basis of the services provided. There are two regimes: a higher obligation regime and a lower obligation regime. Each regulated service provider will ultimately fall under only one regime that will determine how it will fulfil its obligations.

The obligations of the provider of the regulated service are:

  • to report contact and other details in addition to the registration itself - related to the proposed Decree on the NUKIB Portal,

  • determine the scope of information security management system (direct impact on the following obligations),

  • introduce and implement security measures - related to the proposed Decree on security measures for regulated service providers under the regime of higher obligations or the proposed Decree on security measures for regulated service providers under the regime of lower obligations,

  • report cyber security incidents,

  • inform customers about incidents and threats,

  • implement countermeasures,

  • ensure the availability of strategically important services from the territory of the Czech Republic and test the ability to ensure this availability - related to the Decree on regulated services, which sets out criteria for identifying strategically important services,

  • fulfil the obligations of the supply chain security management mechanism in the case of selected regulated service providers under the regime of higher obligations - related to the Decree on Regulated Services, the Decree on Essential Functions and the Decree on Criteria of the Trustworthiness of Suppliers,

  • to be subjected to an audit.

The second, very specific, type of obliged person is the entity providing the domain name registration service – the obligations related to domain name registration services arising from the NIS Directive2 apply to it (regulated in Part One, Title III). At the same time, if it meets the criteria set out in the proposed Decree on Regulated Services for identification as a regulated service provider, it will also be subject to other obligations depending on the regulatory regime.

The bill also describes other tools for ensuring cyber security. These include an exemption from the right to information and a new regulation of the state of cyber emergency (Title IV).

Title V regulates the institutions involved in cybersecurity - the NUKIB itself (and the position of the Government CERT), the operator of the National CERT (and the position of the National CERT) and the existing Permanent Commission for the Overseeing of NUKIB's Activities. In addition, it regulates the relevant tools - primarily the registries maintained by the NUKIB and the NUKIB Portal.

Penalties have also been changed - both the amount of fines have been changed and new fines and other penalties have been added (regulated in Title VI).

The common and transitional provisions (Part Two, Title I and Title II) are then a summary of a number of other supporting provisions, especially on the interaction with other public authorities.

Changes will also be required to certain other laws - the Electronic Communications Act, the Public Administration Information Systems Act and the Conflict-of-Interest Act, which is done through the accompanying draft law that contains purely legislative and technical amendments to the aforementioned regulations.

The new law will abolish the entire system of existing legislation governing cybersecurity and everything will have to be set up anew (Part Six).

Continue by clicking on the blue arrow on the right side or select one of the other topics in the index below.

Topic index
  1. General information about the future national regulation
  2. Who is affected by the new obligations
  3. Differentiation of regulated entities
  4. Obligation to implement security measures
  5. Incidents and how to report them
  6. Registration and communication with NUKIB
  7. Methods of ensuring compliance
  8. Sanctions and enforcement measures
  9. National and international cooperation
  10. Other national regulation specifics
  11. How to prepare for the new legislation
  12. Financial aspects of the new Act on Cyber Security