10. Other national regulation specifics


The tenth topic has less in common with the content of the NIS2 Directive, but it still forms a very substantial part of what cybersecurity means or will mean in the Czech Republic in terms of legal regulations. At the same time, the NIS2 Directive requires Member States to have instruments with similar parameters to the current measures in Article 32(4).

Current specifics of regulation in the Czech Republic


MEASURES

In addition to the security measures to be implemented by the obliged persons themselves, the Cybersecurity Act also contains tools that the NUKIB can use to respond to threats or incidents in cyberspace. These are called measures in the current wording of the Act.

The current Act on Cyber Security contains three types of measures - warning, reactive and protective measures.

With the warning, the NUKIB warns regulated entities that there is a threat that they must consider in their risk analyses. Simply put, the NUKIB is telling entities that they should focus on a particular hazard that is more imminent than usual at the time. An example of this would be a situation where the NUKIB has identified based on its monitoring that a campaign of ransomware attacks targeting hospitals is coming and has alerted them to this danger.

By reactive and protective measures, the NUKIB directly sets out specific steps that regulated persons affected by the reactive or protective measure must take to enhance cyber security. The main difference between the two is that while a reactive measure represents an effort to prevent an imminent incident (attack), a protective measure is issued following an incident that has already been resolved so that it is not repeated by other regulated persons.

An instrument that the current Act on Cyber Security does not yet contain is the instrument mentioned in Article 32(4) of NIS2, where it requires Member States to have the power to draw attention to the fact that regulated organisations (essential and important entities) are in breach of the obligations arising from the Directive.

STATE OF CYBER EMERGENCY

The Act on Cyber Security contains a special type of state of emergency that the NUKIB is supposed to declare in the event that it is unable to manage threats in cyberspace through its standard procedures. It is called a state of cyber emergency. It allows NUKIB to access some of the information normally collected only by the National CERT and to use nationwide radio and television broadcast, and it expands the range of powers towards some of the regulated entities.

Future specifics of regulation in the Czech Republic

The draft Act on Cyber Security also introduces some changes or new tools in the abovementioned national cybersecurity regulation. Thus, the following text describes these changes, in particular the measures (now countermeasures), state of cyber emergency and a new institute - the Assessment Mechanism for Supply Chain Security.


COUNTERMEASURES

The countermeasures reflect the original regulation of measures in the current Act on Cyber Security. In principle, from the point of view of practical application, there will not be a fundamental change to these institutes; the changes and new parameters are described in this article.


ALERT

Most of the content of the alert provision of the proposal was originally part of the warning provision. The name of this institution and its regulation reflects the requirement of Article 32(4) of the NIS2 Directive and serves as a tool primarily aimed at informing the public. The alert should be noted at least by the regulated entities, and more preferably by the whole professional public, and when appropriate, considered within their information security management system. Formally, however, the alert is not connected to any specific enforcement process and is rather informative.


WARNING

The alert continues to draw attention to a specific threat, but now it can also draw attention to a vulnerability as an input into the risk analyses of the affected regulated entities. The warning has always been published on the official notice board, but now there is also an option not to publish it in justified cases and only to send it to the regulated persons concerned. Unlike the reactive countermeasure, the warning only applies to regulated service providers under the higher obligations regime.


REACTIVE COUNTERMEASURE

The proposal includes merging of reactive and protective measures into one institute - reactive countermeasure, which should be newly issued in similar cases as the existing reactive and protective measures. The procedural requirements are then merged into a single procedure, which allows the NUKIB to impose variable measures to prevent, avert or mitigate an incident in the form of a decision for one specific regulated entity or in the form of a general measure binding a wider defined range of regulated entities or all of them. Reactive countermeasures may be imposed on the provider of a regulated service under both the higher and lower obligation regimes.


STATE OF CYBER EMERGENCY

The state of cyber emergency has undergone some changes in the proposal mainly based on the experience gained with the application of the current Act on Cyber Security. The proposed changes are thus in the interest of its greater practical usability in the event of a threat to the Czech Republic. The state of cyber emergency in its measures replicates the characteristics that are usual for states of emergency used in crisis management.

At a time of a declared state of cyber emergency, the Director of the NUKIB has measures at his disposal that can reverse a situation that significantly threatens the Czech Republic. These tools include: providing NUKIB property (physical assets) for use by others (e.g. providing a probe to monitor traffic on the network under attack), requesting the provision of human resources and physical assets, ordering persons outside the scope of regulated entities to implement measures to deal with the incident, ordering regulated entities to be on standby within their capabilities, making a non-public telecommunications network available for use by NUKIB, or prohibiting the use of technical assets threatened by the incident (also outside the circle of regulated entities).


ASSESSMENT MECHANISM FOR SUPPLY CHAIN SECURITY

By its resolution of 21 June 2022, the Security Council of the State instructed the NUKIB to prepare a draft law to increase the security of supply chains of the strategic infrastructure of the state in the field of information and communication technologies (ICT). The issuance of the resolution itself was preceded by a number of impulses from the domestic and EU level, such as the proclamation of the Programme Statement of the Government or the task of the Action Plan of the National Cyber Security Strategy, which mandates the development of a draft framework for an assessment of the risk profile of suppliers with the possibility of limiting high-risk suppliers.

The Assessment Mechanism for Supply Chain Security, which the above-mentioned resolution instructed the NUKIB to design, is being created primarily because of the strategic threats emanating from the supply chain and the risks arising therefrom. Although one can become familiar with the standard features of ICT products, the security of these products cannot be effectively verified by technical means alone due to their high complexity. The trustworthiness of the supplier is an important factor in this respect, as the supplier has the ability to compromise the security of its products and services. The purpose of the proposed regulation is thus, inter alia, to identify high-risk suppliers by means of a proportionate assessment mechanism.


SUPPLIER RISK ASSESSMENT

According to the proposed legislation, the NUKIB conducts supplier assessment in cooperation with ministries, intelligence services and other state authorities with relevant information for assessing the supplier's credibility. However, the process is based on elementary information on suppliers provided by individual providers of strategically important services. This information, in combination with information from the NUKIB and cooperating authorities, is subjected to an assessment based on the supplier credibility criteria.

Supplier Risk Criteria


WHO WILL BE ASSESSED?

The state will be able to carry out the assessment itself, focusing both on suppliers who are already delivering their services to the infrastructure for the provision of strategically important services, and on their subcontractors or potential suppliers who have an impact on the final product.


WHAT WILL BE ASSESSED?

The characteristics of the supplier's country of residence and other countries affecting the supplier will be assessed. In addition, the characteristics of the suppliers themselves and the previous harmful activity of both the suppliers and the States having influence on the suppliers will be examined. The aim is to identify threats emanating from the supplier or the country affecting it to the security of the Czech Republic or to internal or public order.

In cases where the NUKIB, after a thorough evaluation of all relevant information, identifies a possible significant threat to the security of the Czech Republic or its internal security or public order, it should now be able to issue a general measure in which it imposes conditions on providers of strategically important services or prohibits the use of the supplier's products and services. Apart from this general measure, the NUKIB may also use existing, less invasive tools, such as warnings, to proportionally limit the risk.


THE MECHANISM IN THE PROPOSED ACT ON CYBER SECURITY AND IMPLEMENTING DECREES

The assessment mechanism can be primarily found in the proposed Act on Cyber Security, which defines the relevant terms, such as strategically important service, security important supply, or its supplier. The law also defines the assets that are subject to the mechanism's limitations, or how credibility is assessed. The actual criteria on which the assessment is based and the essential functions carried out with the use of assets in the defined scope of ISMS are set out in the proposed implementing legislation for the Act, which are:

  • Decree on the Supplier Risk Criteria,

  • Decree on the Regulated Services,

  • Decree on the Essential Functions of the Defined Scope.


CONSEQUENCES OF THE INTRODUCTION OF THE MECHANISM

Apart from the suppliers themselves, the mechanism will mainly affect the regulated entities in scope of the assessment mechanism, the so-called providers of strategically important services, determined according to the criteria set by the proposal and the Decree on Regulated Services. The aim of the mechanism is to minimise the restriction of the use of suppliers to the necessary cases where the threats are significant. Therefore, the general measure may be applied only in the most serious cases of a threat to the security of the Czech Republic or its internal or public order.

The next topic briefly describes how entities can prepare for the arrival of the new Act on Cyber Security. In short, where to begin.
