Early this year the Czech Republic adopted the first comprehensive country-wide law on cybersecurity, which will affect deliveries of significant ICT solutions to selected public authorities and private companies. The legislation applies to on-premise as well as to cloud solutions. If the latest Commission’s proposal of the EU Cybersecurity Directive is approved, similar cybersecurity laws will need to be adopted in all EU Member States within a year and a half.
Main impact of the legislation in relation to engaging IT suppliers
The main purpose of the legislation is to ensure the implementation of detailed information security policies. The legislation applies to a defined scope of entities operating IT infrastructure that is deemed critical for the Czech state; this includes in particular large public authorities and telecom operators. The legislation requires these entities to introduce organizational and technical measures and maintain documentation thereof, to detect and report cybersecurity incidents, and to carry out reactive and protective measures requested by the National Security Agency. Even stricter cybersecurity requirements apply to a smaller group of entities, which must implement detailed security policies covering the minimum statutory scope of security areas. The legislation also contains rules on supplier selection. In brief, before entering into a contract, the concerned entities must conduct a risk assessment, include security provisions in the contract, and conclude a service level agreement setting out the description and the levels of the adopted security measures, as well as the mutual contractual responsibility for the implementation and monitoring of security measures. Moreover, the risk assessment must be repeated regularly in order to ensure a continuously satisfactory level of security.
Rules for conducting a risk assessment
The legislation prescribes detailed rules for conducting a risk assessment. Concerned entities must consider a number of threats and vulnerabilities, the minimum scope of which is prescribed in the legislation. Firstly, potential threats, vulnerabilities and their impacts must be evaluated as low, medium, high or critical on the basis of the prescribed statutory criteria. Based on the outcome of this evaluation, the security risk must in turn be assessed as low, medium, high or critical, again on the basis of statutory criteria. Depending on the risk assessment outcome, additional measures to mitigate or remove the risks may need to be taken.
As illustrated by this brief overview, the new cybersecurity legislation is very complex, and the concerned entities may find it difficult to ensure compliance with all its requirements, especially when engaging an IT provider. An IT provider’s capability to assist its customers in meeting these legislative requirements in relation to its products is thus likely to become a crucial competitive advantage.