5. Incidents and how to report them


In addition to implementing security measures, another important obligation of a regulated service provider is to report and manage cyber security incidents. Security measures can never completely prevent an incident from occurring (yet this does not diminish the importance of implementing them, as it significantly reduces the possibility of an incident occurring).

Article 6(6) of the NIS2 Directive defines the term "incident" as "an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems".

Incident management (the Directive uses the term 'incident handling' in Article 6(8)) is one of the basic security measures. Even when an organisation does everything possible to prevent incidents, incidents can still occur. In such a case, the organisation must not only be able to deal with the incident, but the NIS2 Directive also requires in its Article 23 that certain incidents be reported to a designated CERT (in the Czech Republic this is the Government CERT within NUKIB).

Proposal of National Regulation

The proposed regulation of reporting cyber security incidents is philosophically based on the existing regulation of the reporting process under Act No. 181/2014 Coll., on Cyber Security. Under this regulation, regulated entities are obliged to report all cybersecurity incidents without exception and without delay upon detection. The idea behind this model is that even an incident that is insignificant for an organisation may be important in the context of the Czech Republic as a whole and indicative of the current situation.

This model has in principle been preserved for the incident reporting process by a regulated service provider under the higher duty regime.

As part of the principle of two-speed cybersecurity, the NUKIB has decided to simplify the above model in the case of regulated service providers in the lower obligations regime and to require reporting only of those cybersecurity incidents that they assess as significant. In this case, the determination of the significance of the incident is to be made by the regulated service provider based on the criteria in the Decree on the security measures of the regulated service provider under the regime of lower obligations.

In both cases, only those cybersecurity incidents that originate in cyberspace would be reported under the proposed law.

The new law describes in detail the stages of reporting a cyber security incident. These stages are based on the content of Article 23 of the NIS2 Directive.

It is important to note, however, that these stages, in line with the content of the NIS2 Directive, are intended to apply only to significant incidents (incidents with significant impact). Providers of regulated services under the higher obligations regime are required to report all cybersecurity incidents originating in cyberspace, unlike providers under the lower obligations regime. In order to avoid overburdening them, the proposal requires the NUKIB to promptly inform the provider whether it classifies the reported incident as significant. If not, the provider of the regulated service under the higher obligations regime has fulfilled its obligation by the initial notification and is not subject to the subsequent stages.

To learn more about the obligation to report cybersecurity incidents, see the contents of the proposed Act on Cyber Security.

The following topic is mostly devoted to how these reports will work in practice.

