Cybersecurity, Part Two – Responsibilities

6. 9. 2024 | Articles

Obligations related to the new draft law on cybersecurity

In the previous installment of this series, we discussed which entities will be affected by the new Cybersecurity Act. So what will the obligations be?

Registration of a regulated service

If you have determined that you will be an entity under the upcoming new Cybersecurity Act, the first obligation you need to fulfill is registration. A regulated service must be registered within 60 days after the conditions for registration have been met (if they were already met before the law comes into force, the deadline is 60 days after the law comes into force). Registration will be done through the NUCIB Portal. The Authority will then deliver the registration decision to the provider; this moment is important, because the deadlines for fulfilling further obligations are calculated from it.

Obligations of the provider of a regulated service

Within 30 days from receipt of the registration decision, contact details (ID number, natural persons authorised to act for the provider in cybersecurity matters) and additional data (information on the ownership structure of the provider, technical data relating to the regulated service and information on its geographical spread and cross-border provision) must be reported to the NUCIB.

Another obligation will be to determine the scope of cybersecurity management, i.e. to determine the assets related to the provision of the regulated service. There is no deadline here, but it is advisable to do this as soon as possible – because if the scope is not set, all the assets of the undertaking are assumed to be within it.

Security measures

Security measures must be in place within 1 year after receipt of the registration decision; these will vary according to the regime of obligations. The law will list only the areas of security measures (e.g. asset management, risk management, human resources security). The specific obligations will then be set by the NUCIB by means of decrees for the respective regimes, which can be used as a kind of checklist. For example, there will be obligations to conduct various training courses, to set certain conditions for secure passwords, etc.

Cyber security incident reporting and management

Within the same period, i.e. at the latest within 1 year from the delivery of the registration decision, the provider will be obliged to report and manage cyber security incidents. We will address these obligations in the next installment of this series.

Sanctions

Failure to comply with the obligations will result in fines of up to CZK 250 million for providers under the higher obligations regime and up to CZK 175 million for providers under the lower obligations regime.

If you would like more information in this regard, please do not hesitate to contact us.

This article is for informational purposes only and does not constitute legal advice or guidance for any particular case.