An amendment to the Cybersecurity Act was promulgated in the Collection of Laws on Friday, 14 July 2017. The amendment significantly extends the categories of persons that are to be bound by the Cybersecurity Act, imposing numerous new obligations on them. The amendment enters into force and effect as of 1 August 2017.
Outline of changes
In the first place, the amendment implements Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union. The most significant new features introduced by the amendment to the Cybersecurity Act can be divided into several categories, the most important being the following:
- new obligations of administrators and operators of essential service information systems and operators of essential services,
- implementing new obligations of digital service providers,
- new obligations of public authorities with respect to entering into IT contracts, and
- setting up the National Authority for Cybernetic and Information Security (the “Authority”) based in Brno, to act as the central administrative authority for cybersecurity and selected areas of the protection of classified information.
Essential service means services the provision of which is dependent on electronic communication networks and/or information systems, disruption of which could have a significant impact on societal and economic activities in any of the sectors the legislators consider as critical (such as energy, transport, banking, chemical industry). The Authority will identify, by 9 November 2018 at the latest, operators of essential services who will have to comply with the stricter security measures imposed either by the Cybersecurity Act or by the Authority. Persons that will not be identified by the Authority will be subject to less stringent rules.
Closely related to essential services are information systems governed by the Act, on which the essential services may be dependent. The Cybersecurity Act henceforth imposes new obligations related to cybersecurity on administrators and operators of those information systems and operators of essential services, such as an obligation to implement security measures and a notification obligation in the event of a cybersecurity incident.
Digital service providers
An important new feature entails the introduction of obligations for digital service providers; digital service is understood to mean an information society service entailing the operation of an online marketplace, online search engine, and cloud computing services. The Act applies to digital service providers who are legal entities and are not micro- and small enterprises (i.e., who have more than 50 employees and annual turnover in excess of EUR 10 million). Digital service providers will be obliged to appoint a representative in the Czech Republic if they provide their service here (unless they have a representative in the EU); implement security measures as envisaged by the Act; report pre-defined major cybersecurity incidents to CZ.NIC and to the Authority; keep a record of such incidents; and, should the Authority so decide, inform the public about the cybersecurity incident and its impacts. Digital service providers will be liable to a fine of up to CZK 1 million.
Based on the amendment, public authorities will, in addition to their existing obligations, have the obligation to ensure in their contracts with providers of cloud computing digital services that the security rules set by the Authority will actually be complied with. The Act also stipulates the mandatory requisites for such contracts, and the general rules to apply to the security measures implemented by the contracts with providers of cloud computing digital services. In general, the Act has made more stringent the requirements concerning the solicitation and selection of information system providers, as well as the requirements concerning the contractual documentation relating to specific systems and services.
All contracts that are non-compliant with the requirements set out by the Cybersecurity Act have to be made compliant with the new requirements of the Act by 1 August 2018; for many players, and for public authorities in particular, this may necessitate modification of existing contracts, or execution of new contracts.
Last but not least, the Authority will be set up with powers to issue general security standards, make specific recommendations or decisions, and issue measures of generic nature with a view to increasing cybersecurity on the part of individual stakeholders and service providers. In addition, the Authority is one of the mandatory points to which cybersecurity incidents will be reported. The Authority will also be authorised to impose penalties for failure to comply with obligations under the Act, up to CZK 5 million.