Cybersecurity, Part One – Subjects

22. 8. 2024 | Articles

Draft new law on cyber security, Volume 1 – Subjects

The Chamber of Deputies should soon begin debating the draft law on cyber security, which implements the EU Directive on measures to ensure a high common level of cyber security in the Union (NIS 2) into our legal system. The law is expected to come into force on 1 January 2025. What obligations will result from this law and who will be subject to them?

Will I be affected by the obligations under this law?

The best way to answer this question is to look at the decree on regulated services of the National Cyber and Information Security Authority (NCIS), which is also currently at the draft stage. Its annex will include a list of regulated services and the criteria that a provider must meet. Two questions will therefore need to be answered:

  1. Do I provide any of the listed services?
  2. Do I meet the criteria set out in the decree?


If the answer to both questions is yes, then you are a regulated service provider and will be subject to obligations under the relevant regime.

Special subjects

The law will also distinguish special entities to which certain special obligations will apply. These will include entities providing domain registration services and providers of strategically important services, i.e. services whose disruption could have a serious impact on the security of the Czech Republic or internal order. Strategically important services are determined by the NUCIB by decree.

Furthermore, providers under Section 5 will always be subject to the higher obligation regime. These will be:

  • regulated service providers who meet the two criteria described above and who
    • are the only provider of this service in the Czech Republic,
    • provide a service, the disruption of which could have a significant impact on the security of the Czech Republic, internal order or life and health,
    • provide a service, the disruption of which could create significant systemic risks,
    • are essential for a specific sector because of their specific importance at regional or national level;
  • providers of a service the disruption of which may cause a serious interference in the lives of more than 125 000 persons, through a threat to the security of the Czech Republic, internal order, life and health, property value or the environment;
  • providers of a service the disruption of which may cause a serious interference with the ability to provide another regulated service of a provider under the regime of higher obligations;
  • critical infrastructure entities.

Two modes of obligation

The Act will work with two regimes of obligations: a higher obligation regime and a lower obligation regime. You can also find out which one you will fall under in the Decree on Regulated Services, as the criteria are always divided into two parts according to the regimes. As the names imply, the regimes will differ primarily in the level of obligations.

Example from the Decree on Regulated Services:

In the next part we will discuss the obligations that the law will impose on providers.

This article is for informational purposes only and does not constitute legal advice or guidance for any particular case.
