3. Differentiation of regulated entities


Thanks to the previous topic, we already have an idea of who will be regulated under the NIS2 Directive or the new Act on Cyber Security. The next question, however, is how the regulation will actually apply to them.

Currently, the Act on Cyber Security divides obliged persons into a number of categories, each with its own specificities and differences. The NIS2 Directive introduces two new categories into which a regulated entity may fall. The first category is called "essential entities"; these obliged persons are considered the most significant and receive the strongest protection under the regulation. The second category of obliged persons is the "important entities". The differences between the two lie in the different levels of risk to be considered when implementing cybersecurity risk-management measures and in the differing ways in which compliance with the regulatory requirements is supervised.

Proposal of National Regulation

Correct determination of the regime of the regulated service provider is very important for the organisation.

The proposal provides for two regimes - a higher obligation regime and a lower obligation regime. These regimes reflect the new principle of "two-speed cybersecurity", which aims to relieve smaller organisations of the strictest rules. Organisations in the higher obligation regime are therefore subject to stricter rules than those in the lower obligation regime.

A single organisation (identified by its entity identification number) can only be under one regime at any given time.

If an organisation fulfils the criteria for only a single regulated service, it identifies its regime straightforwardly by applying the criteria for that particular regulated service as set out in the Decree on Regulated Services.

How to read the Annex to the draft Decree on Regulated Services if the criteria for a single regulated service are met?

[Figure: regulated service]

As we know from the example in the previous topic, Company X is a water company. In its case, we were therefore primarily interested in sector 10 Water Management in the draft Decree on Regulated Services. Our analysis found that Company X is a medium-sized enterprise, but that it also supplies drinking water to more than 50 000 inhabitants. This information leads us to two conclusions:

• Company X meets the size criterion of a medium-sized enterprise and therefore the draft Decree states that its regulated service provider regime will be a lower obligation regime.

• At the same time, however, Company X fulfils the criterion of supplying drinking water to at least 50 000 inhabitants, and therefore the draft Decree states that its regime as a provider of a regulated service will be the higher obligation regime (although it is not a large undertaking in terms of size, it has a greater impact on the population of the Czech Republic).

However, as Company X cannot be under two different regimes at once, the draft Decree on Regulated Services states that "In the event that a regulated service provider fulfils both the criteria of a regulated service provider corresponding to the regime of higher and lower obligations in relation to one regulated service, the regime of the regulated service provider for that regulated service shall be the regime of higher obligations". The regime of Company X is therefore the higher obligation regime.

But how should an organisation proceed when it meets the criteria for multiple regulated services?

The procedure is very similar in this case, but it must be carried out for each of these services, followed by one additional step. Because the Act on Cyber Security assumes that an organisation has only one regulated service provider regime at any given time, it provides that if an organisation falls into the higher obligation regime for at least one regulated service, that regime applies to all regulated services of the organisation.

Suppose that Company X, in addition to the regulated service Operation of Water Supply in Sector 10 Water Management, also provides the service Production of Electricity in Sector 2 Energy - Electricity. For this second service it meets no criterion other than the size criterion of a medium-sized enterprise, which on its own would indicate the lower obligation regime for this service. However, as the regimes apply not to individual services but to the provider as a whole, the rules set out above result in Company X as a whole being subject to the higher obligation regime, and the company must fulfil its obligations accordingly with regard to both of its regulated services, Operation of Water Supply and Production of Electricity.

The purpose of the above rules is to ensure that an organisation adopts uniform rules for its cyber security. The principle of two-speed cybersecurity mentioned above means that applying both regimes within a single organisation would be inappropriate and very difficult in practice.

It is now clear that, under the proposed regulation, different rules may apply to different organisations. An important step in understanding which specific requirements will be placed on a given organisation is to identify its regulated service provider regime. The following topics focus on these specific requirements.


Topic index
  1. General information about the future national regulation
  2. Who is affected by the new obligations
  3. Differentiation of regulated entities
  4. Obligation to implement security measures
  5. Incidents and how to report them
  6. Registration and communication with NUKIB
  7. Methods of ensuring compliance
  8. Sanctions and enforcement measures
  9. National and international cooperation
  10. Other national regulation specifics
  11. How to prepare for the new legislation
  12. Financial aspects of the new Act on Cyber Security