Before implementing security measures (as well as before fulfilling other obligations arising from the Cybersecurity Act), it is necessary to determine the scope of cybersecurity management in the organisation (scope of ISMS). Scoping is an absolutely necessary step in the whole legal framework of cybersecurity. Scoping also includes maintaining documented records of the identification and designation of relevant organizational parts and assets.

Experience shows that although it is necessary to address cyber security throughout the whole organisation, or at least in the part of the organisation that provides the regulated service, in order to comprehensively protect the regulated service, this is generally not the case. The proposal therefore comes with an explicit scoping requirement and a presumption that if a provider of a regulated service fails to take this step at all or there is no documented record of it, the scope is the provider's regulated service and the relevant supporting assets are all supporting assets related to the provision of the regulated service.

Once the scope has been determined, it is possible to start considering safety measures. Thanks to the two-speed cybersecurity approach, the proposal introduces two separate and mutually independent sets of rules (security measures) based on the regime of the regulated service provider. These rules are set out in separate decrees and, for ease of reference, the names of the decrees themselves correspond to this.

The provider of a regulated service under the higher obligations regime shall implement the security measures specified in the content of the draft Decree on the security measures of the provider of a regulated service under the higher obligations regime.

The security measures set out for the regime of higher obligations are based on the existing regulation - the content of Decree No. 82/2018 Coll., on Cyber Security. This regulation has been tested in practice and used for many years, so only minor changes and clarifications has been made in the new draft decree.

For organisations that are newly regulated service providers and have not yet implemented security measures, it can be summarised that the principle of implementing security measures is to lead the organisation to map its environment, identify what us necessary to ensure the provision of its regulated service, assess the risks to the service and put in place appropriate measures to reduce those risks to an acceptable level.

More specific is the proposed decree for regulated service providers under the regime of lower obligations.

The provider of a regulated service under the regime of lower obligations shall implement the security measures specified in the content of the draft Decree on the security measures of the provider of a regulated service under the regime of lower obligations.

The aim of the new draft Decree on security measures for regulated service providers under the regime of lower obligations is to impose rules on these organisations that would be simpler, less demanding and would not require more than the necessary level of analysis. However, the limit to the simplification of this regulation is the content of Articles 20 and 21 of the NIS2 Directive (see above), which had to be met, and therefore this Decree also sets out some security measures in such a way that it resembles the decree for the higher regime of obligations. However, the NUKIB has sought to minimalize such provisions.

One key piece of information should also be mentioned at this point. It will not escape the attention of the careful reader that the content of the proposal and the draft decree on security measures for providers of a regulated service under the regime of lower obligations seemingly lacks risk management for providers under the regime of lower obligations. The NIS2 Directive does not specify exactly how the risks to these entities should be determined.

For this reason, in the context of two-speed cybersecurity and to relieve regulated service providers under the lower obligations regime, the draft new law on cybersecurity meets the NIS2 Directive's requirement that "Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the security risks they face (...)”, in the way that the measures to address the risks arising for organisations under the lower obligations regime are spread across the provisions on the implementation of security measures and also the NUKIB has already assessed the risks arising for these organisations in a general way when determining the content of the relevant draft Decree.

One of the aforementioned security measures in the context of the NIS2 Directive is the handling of cyber security incidents and the obligation to report them.

1. General information about the future national regulation
2. Who is affected by the new obligations
3. Differentiation of regulated entities
4. Obligation to implement security measures
5. Incidents and how to report them
6. Registration and communication with NUKIB
7. Methods of ensuring compliance
8. Sanctions and enforcement measures
9. National and international cooperation
10. Other national regulation specifics
11. How to prepare for the new legislation
12. Financial aspects of the new Act on Cyber Security