The Czech Republic has finally implemented the NIS2 cybersecurity requirements into national law through the Cybersecurity Act (the Act). We summarise the key requirements for the communications sector below.
Beyond the well understood NIS2 cybersecurity implications – i.e., broader scope of the regime and tougher sanctions – the Cybersecurity Act adds a few of its own twists. Many of these have been introduced quite intentionally, as it was the local cybersecurity regulator (the NUKIB) that prepared the implementing legislation on behalf of the Czech government, leveraging its experience gained while overseeing the previous EU NIS1 regime.
Key additions include clearer Information Security Management System (ISMS) scoping rules, expanded incident reporting, a detailed security controls catalogue, and new powers to limit or even forbid insecure supply chain products / vendors. That said, the Cybersecurity Act is not perfect. The "main establishment" concept for digital infrastructure providers could have been handled better.
ISMS scope
The Act recognises that an enterprise could be engaged in different business activities with different levels of overlap.
Should the activities of an enterprise be fully independent in the sense that they do not share any primary or supporting assets, a fully separated non-regulated service could fall outside the scope of the ISMS definition. The enterprise will however need to document the reasoning behind the separation of assets that pertain only to non-regulated services.
It should also be noted that should the regulated entity qualify as an essential entity for NIS2 purposes with respect to one regulated service, it will need to apply the essential entity requirements to all its regulated services, irrespective of whether those latter ones would otherwise only lead to the entity’s status as an important entity.
Expanded incident reporting
Unlike the mandated reporting of significant incidents under the NIS2 directive, essential entities will have to report all incidents, and not just significant ones, to the Czech regulator NUKIB, provided that these pertain to the regulated ISMS scope, have some kind of cyber origin and intentional conduct of any sort (from inside the organisation or by an external threat actor) cannot be ruled out. The element of significance will only be relevant for important entities.
On the other hand, there is good news for electronic communication service providers as they will no longer be subject to the cyber incident reporting obligations under the previous telecoms regime. The incident reporting in this context will be limited to non-cyber incidents (i.e., network outages).
Detailed security controls
In relation to security controls, essential entities will be obliged to adopt an overall security policy and continuously maintain a risk management / governance framework which will need to include a documented risk treatment plan in relation to each identified risk. There are 25 potential domains of security controls for essential entities to consider. Many of the security controls contain detailed requirements (e.g. set minimum password lengths for three different user roles and many additional password policy requirements).
Essential entities will also be required to appoint several cybersecurity roles, most notably a cybersecurity manager, cybersecurity architect and a segregated role of a cybersecurity auditor.
Supply chain resilience – The Czech government can limit insecure supply chain products / vendors
The Czech authorities will also gain powers to strengthen supply chain resilience and limit insecure supply chain products / vendors. This goes beyond the scope of the NIS2 directive. In essence, the Czech government will be able to adopt secondary legislation to constrain certain products or vendors with respect to entities of strategic importance. This competence could be a concern for electronic communication network operators, as it could prevent them from using network infrastructure elements and equipment from suppliers from countries deemed adversarial to the Czech Republic. Nevertheless, this competence may also affect other products if deemed vulnerable.
The "main establishment" puzzle
A further aspect of concern is the implementation of the “main establishment” criteria for registration of digital infrastructure providers. Despite the Cybersecurity Act containing references to the European Commission’s Implementing Regulation for digital infrastructure service providers, the Cybersecurity Act is strangely silent on some aspects that relate to the single jurisdiction rule (one-stop-shop principle). So, there is a risk that digital infrastructure service providers (e.g. cloud computing service providers and managed service providers) could be subject not only to the jurisdiction of the country of their main establishment, but also to Czech jurisdiction.
The Cybersecurity Act now awaits official publication. If this happens in July, the Act will become effective on October 1. If the publication takes place in August, the effective date will fall on November 1.
Meanwhile, we expect the NUKIB to adopt secondary legislation swiftly, and this will contain more detail on the obligations set out in the Cybersecurity Act (e.g. a complete list of regulated services and that detailed security controls catalogue).
As for the next steps, companies will have 60 days from the Act's effective date to self-assess and register with the NUKIB. Once the registration is confirmed by the NUKIB, a transitional period of one year will start running for companies before they are obliged to fully comply with the security controls or incident reporting obligations.
For more information, please contact Jan Kuklinca and Tomas Kolouch.