Czech draft Law on Cyber Security
October 31, 2013
The National Security Authority of the Czech Republic (NSA CZ) was authorized as the national cyber security authority in October 2011. The NSA CZ was thereby obliged to establish a fully functional National Cyber Security Center fulfilling the duties of a Governmental CERT (Cyber Emergency Response Team), as well as to present a draft of cyber security legislation.
The Strategy of Cyber Security for 2011 – 2015 stipulates as its basic goal the protection of the information systems necessary for the proper functioning of the state. Such information systems include both governmental and self-administration systems as well as the so-called critical information infrastructure. While the protection of the information systems of government and self-administration could be provided for by government regulations, the operators of critical information infrastructure are mostly private entities. Since obligations may be imposed on private entities only by law, new legislation is needed – the Law on Cyber Security.
The Law has been in drafting since 2011. The legislative intent of the law was approved by the Government in May 2012. Currently, the draft law itself is being discussed by the Legislative Council of the Government after having passed wide public consultation, and it should enter into force at the beginning of 2015.
The draft Law should present a cost-effective solution that does not infringe on the rights of private entities in an excessive manner. To that end, Czech cyberspace is divided into two areas of competence. The first comprises the critical information infrastructure and the governmental and public administration networks, supervised by the NSA CZ; the second is the National CERT, which provides assistance and protection to the rest of cyberspace on a voluntary basis. The National CERT should be operated by a private entity on the basis of a public law contract with the NSA CZ (a public-private partnership). Currently, the role of the National CERT is performed by CSIRT.CZ, a subsidiary of the CZ.NIC Association, which operates the registry of the national top-level domain .cz.
The law stipulates that each operator shall be responsible for the protection of its own information systems. The NSA CZ shall only issue implementing regulations laying down the basic obligations. Such implementing regulations should be based on internationally established standards such as ISO 27000. Therefore, compliance should not be a major problem for companies already certified according to those standards.
The volume of obligations shall differ according to the importance of the information systems concerned. The operators of critical information infrastructure shall first of all report all cyber security incidents to the NSA CZ and, for the purpose of incident reporting, establish a permanent communication channel with the NSA CZ. They should also implement all the prescribed security standards as well as counter-measures. Almost the same set of obligations shall apply to the operators of governmental IT systems necessary for the proper functioning of the state. On the other hand, the other private entities (those not falling within the critical information infrastructure) should be obliged only in the case of a cyber emergency, i.e. a large-scale attack endangering the Czech Republic.
The adoption of the Law on Cyber Security is also necessary to reach compliance with EU legislation. The European Commission presented a draft Directive on Network and Information Security (the NIS Directive) in February 2013. This Directive should implement a set of measures similar to the Czech Law on Cyber Security, which should serve as its transposition into national legislation. The differences between the NIS Directive and the Law consist mainly in the scope of application. The current draft of the NIS Directive intends to govern also entities such as operators of social networks, webmail and e-commerce services. The Czech Republic is currently actively negotiating a limitation of its scope of application so that it infringes on the rights of private entities as little as possible.
The draft Law on Cyber Security as presented to the Government may be downloaded here: