2. Who is affected by the new obligations

Proposal of National Regulation

The existing regulation of cyber security in the Czech Republic was designed for a relatively narrow group of several hundred of the most important and significant organisations with a large impact on the whole society. The NIS2 Directive brings a new perspective and the need for the Czech Republic to adapt to these changes.

The interconnectedness of society as a whole and of the organisations within it is now so great that there is virtually no sector in which information systems do not play a significant role. For this reason, the NIS2 Directive no longer focuses on specific systems important for society but requires that everything necessary for the provision of the services society needs in order to function be secured.

Such services are listed in the Annexes to the NIS2 Directive, where they form the basis for understanding who is and who is not regulated by the Directive.

A glance at Annexes I and II of the Directive shows that cybersecurity is to be ensured, for example, in relation to the production of electricity, the provision of healthcare and the provision of electronic communications services, but also in connection with some 60 other services categorised into 18 sectors. The graphical representation of the sectors gives a better overview.

Does this mean that everyone who provides such a service is obliged to comply with the NIS2 Directive? Not exactly.

The previous version of the Act on Cyber Security determined the regulated persons in Section 3. Through a series of amendments, this provision had reached a state in which an organisation operating multiple systems could theoretically fall into up to thirteen different categories, which not only made the law difficult to understand and navigate but was ultimately overly complex and impractical.

The proposal for the new Act on Cyber Security therefore aims to simplify the approach to obliged persons as much as possible, and the fact that they all have to comply with the requirements of the NIS2 Directive helps this effort. A single type of obliged person is therefore introduced, the so-called "regulated service provider".

The provider of the regulated service, its identification and its obligations are dealt with in Title II of the proposal. A regulated service provider is anyone who provides at least one regulated service, i.e. a service the disruption of which could have a significant impact on the provision of important social or economic activities, the criteria for which are to be found in the Decree on Regulated Services.

The new Act on Cyber Security has dual criteria for determining a regulated service:

  • criteria for identifying a regulated service and

  • criteria for designating a regulated service.

The criteria for identifying a regulated service can be found in the Annex to the Decree on Regulated Services, while the criteria for designating a regulated service are set out directly in one of the provisions of the proposal.

The difference between these criteria is purely practical. For the identification criteria given in the Annex, the proposal provides for so-called self-identification: the organisation itself assesses whether it fulfils the identification criteria and, if it does, registers itself with the NUKIB.

For the designation criteria listed in the relevant provision, the proposal provides for a process in which the NUKIB, in an administrative procedure with the organisation, assesses whether or not these criteria have been met.

For detailed information on who is affected by the new obligations, see the draft Decree on Regulated Services. The Annex to this Decree contains a complete list of the newly regulated sectors and services.

How to read the Annex to the Decree on Regulated Services?


To illustrate, let us take a look at Company X, a water company. Since Sector 10, Water Management, is also listed in the Decree on Regulated Services, the company might wonder whether it is a provider of a regulated service.

By the nature of its activities, this company operates a water supply system and fulfils the definition of a water supply system operator pursuant to Section 2(5) of Act No 274/2001 Coll., on water supply and sewerage systems. This satisfies the first prerequisite: the company performs one of the services referred to in the Decree. At the same time, it also fulfils the first defining characteristic of service 10.1: it is a water supply operator under the relevant sectoral law. However, not all water supply operators are covered by the Act on Cyber Security in the case of service 10.1. Company X must also fulfil the second condition: it must be either a medium-sized enterprise, a large enterprise, or supply drinking water to at least 50 000 inhabitants (regardless of its size). Only in that case would it fulfil all the identification criteria in the Annex to the Decree and have to register with the NUKIB.

The NUKIB will cooperate with sectoral regulators, search for information on regulated service providers and alert these organisations to the need for registration. This activity, however, does not replace the organisation's own obligation to register if it meets the identification criteria.

Once the criteria have been met, registration is required. The purpose of registration, as regulated by the new draft Act on Cyber Security, is to inform the NUKIB that the organisation meets the relevant criteria. The bill sets deadlines by which registration must be completed. The first (objective) deadline is 90 days from the day the organisation objectively meets the criteria (i.e. within 90 days after the bill takes effect, or at any time in the future when the organisation begins to provide one of the regulated services or exceeds the relevant thresholds). The second (subjective) deadline is 30 days from the day the organisation finds out that it meets the criteria; this deadline applies within the 90-day period mentioned above.

Registration is followed by enrolment in the register of regulated service providers. The NUKIB will notify the organisation of its enrolment via a data mailbox or by other means in accordance with the Administrative Procedure Code, and only upon delivery of this confirmation do the statutory deadlines for compliance with obligations (e.g. for the implementation of security measures) begin to run for the regulated service provider.

All these deadlines are illustrated in the following diagram:

[Diagram: registration and compliance deadlines]

Last but not least, it should be noted that in addition to providers of regulated services (which are the subject of these pages), the bill also imposes certain obligations on so-called significant suppliers and on entities providing domain name registration services.

We now know that the NIS2 Directive is a very broad regulation and that the draft future criteria can be found in the proposal itself and in the Decree on Regulated Services. But does this mean that all organisations will have the same obligations? No, because Article 3 of the NIS2 Directive introduces two categories (the so-called "essential entities" and "important entities"), and the proposal reflects this concept in the form of the so-called regimes of regulated service providers.

This differentiation is described in more detail in the following topic, Differentiation of regulated entities.