New Decree on Cyber Security

By Pavel Hejl, Vojtech Chloupek


On 28 May 2018, the new Decree on Cyber Security became effective.

The Decree on Cyber Security No. 82/2018 Coll. ("Decree") repeals and replaces the current legislation enshrined in Decree No. 314/2014 Coll., on Cyber Security.

Following the transposition of Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the European Union, and Act No. 205/2017 Coll. on Cyber Security, which was amended last year, the National Cyber and Information Security Agency issued the Decree, which also implements the above-mentioned Act on Cyber Security.

The Decree also responds to the current state of cyber security in the Czech Republic.

Why is the new Decree significant?

The Decree carries on from the repealed Decree No. 314/2014 Coll., but changes the order of succession of some sections, eliminates duplication in the text, and clarifies the differences between the obligations of Critical Information Infrastructure (CII) and those of Significant Information Systems (SIS).

The Decree also introduces new annexes which set out in more detail certain definitions, roles and obligations of obligated persons, inter alia:

  • Asset assessment rules (impact of a breach of information security on individual assets)
  • Risk assessment rules (impact, threat and vulnerability assessment)
  • Overview of vulnerabilities and threats
  • Rules for data erasure and technical media disposal methods
  • Content rules regarding contracts concluded with significant suppliers of obligated persons
  • Requirements for individual security roles within the Cyber Security Committee and their competencies:
      • Cyber Security Manager
      • Cyber Security Architect
      • Cyber Security Auditor