New cybersecurity law to include 6,000 entities in critical infrastructure
A recent seminar entitled "The NIS2 Directive and what to do about it", held in the Chamber of Deputies of the Parliament of the Czech Republic, drew attention to possible complications in implementing the new European cyber security directive, including the problems this document is expected to cause in the Czech Republic. At its core is the necessary definition of stricter security rules for critical infrastructure organisations. For the Czech Republic this means, for example, expanding the number of regulated critical infrastructure entities from the current roughly four hundred to six thousand. The Czech Republic should transpose this EU-wide directive by October this year. NIS2 (Network and Information Security 2) is an EU-wide directive on cyber security, i.e. the security of information systems, computer networks, applications, software and information. It aims to make organisations more resilient to cyber attacks. This is also an area on which the Czech Army is focusing as part of its capability development.
Representatives of eGOVERNMENT NETWORK NEWS, a community website focused on state administration, helped organise the seminar under the auspices of MPs Marek Novák and Robert Králíček. The main speakers were representatives of NÚKIB (the National Cyber and Information Security Agency), DIA (the Digital and Information Agency), CTU (the Czech Telecommunication Office), Bankovní identita s.r.o. and the Critical Infrastructure Development and Support Agency, z.s. The NIS2 Directive is not the only document intended to increase the resilience of a certain part of these entities. Another directive to be implemented in Czech legislation is the so-called CER (Critical Entities Resilience) Directive, which aims to increase the resilience of entities in Member States that are key to maintaining the most important societal functions or economic activities, in sectors such as energy, transport, banking, financial market infrastructure, health, drinking water and wastewater.
As Marek Novák, MP, told CZ DEFENCE, given the need for huge changes in the entities concerned, it is necessary to talk as much as possible about the forthcoming implementation of the Directive and to seek procedures that will not paralyse the Czech Republic. According to Novák, the adoption of the forthcoming law on cyber security is important not only for the domestic security of cyberspace, but also for the credibility of the Czech Republic vis-à-vis other European states. "Given that this new law should affect, for example, municipalities, the question is whether there will be the financial means to do so. Another issue is that representatives of all 6,000 entities should learn about their new role and responsibilities in a timely manner. That is also why we are organising this seminar," explained Marek Novák, MP.
The NIS2 Directive is undoubtedly a ground-breaking document that responds to both current threats and the needs of individual European countries. Everything now depends on the readiness of the entities concerned within the Czech Republic. We asked Robert Králíček, MP, the following questions on this subject:
What is the state of adoption of NIS2 and what impact will it have on companies in the Czech Republic?
The new law on cyber security implements NIS2 and is currently under consideration by the Legislative Council of the Government. In terms of the scope of regulated entities, the intervention will certainly be large, as the number of entities is being expanded to approximately 6,000. The impact for organisations already actively addressing cyber security may not be as significant. Firms that are not involved in this area will be significantly impacted. It is to be appreciated that, also thanks to this law, awareness and information about cybersecurity are increasing, but one has to wonder whether companies will be able to cope with the obligations arising from the law and the implementing decrees.
Is the Czech Republic ready for NIS2 in terms of technology and personnel?
I have a good perception of the technological level and I don't think I see a fundamental problem in this area. The personnel issue is, of course, a big and well-known problem. The lack of cyber security experts is perceived mainly by the public sector, but also by the private sector, with which, moreover, the public sector is unable to compete. There are many discussions on how to address this situation, but the desired outcome is not yet known.
What is the current level of cyber security in the Czech Republic?
I still feel that cybersecurity is not a high enough priority. Let's not wait for something to happen. It makes no sense to wait for more attacks and damage like the hospital in Benešov, the hospital in Brno, etc. Cybersecurity needs to be actively addressed in both the public and private sectors. On the one hand, NIS2 "forces" us to do so, but on the other hand, I perceive concerns about the support that the entities concerned can receive.
The NIS2 Directive is being transposed through a new law on cyber security which, in addition to the requirements of the Directive, also incorporates national institutes and requirements. According to Adam Kučínský, Director of the Regulation Department at NÚKIB (the National Cyber and Information Security Agency), the agency has prepared a draft of the new law. The new rules should ideally apply from October 2024. As already mentioned, the new law will newly affect at least 6,000 organisations and regulate over 105 types of services in 18 sectors (including energy, healthcare, banking, transport, public administration and digital infrastructure). The main criterion for inclusion in the regulation is the size of the entity, determined by its number of employees or by its annual turnover or balance sheet total. The approach to the scope of regulation is also changing: whole services are being selected rather than specific systems. Municipalities are also proposed for inclusion. All regulated organisations will operate under one of two regimes, lower or higher duties, depending on the regime assigned to their regulated service.
This ground-breaking regulation brings with it new institutes, such as the obligation to ensure the availability of a regulated service and the supply chain security review mechanism (SCR). It also modifies some existing institutes, such as the state of cyber danger, (counter)measures, specific incident reporting deadlines and sanctions.
The new law implementing NIS2 defines a list of obligations for implementing cyber security and countermeasures, including, for example, the obligation to ensure availability from the territory of the Czech Republic for selected (strategically important) services. To date, the draft law has been widely discussed and commented on. According to NÚKIB, 85 official comment points took part in the comment procedure and a further 11 bodies sent comments on their own initiative; the total number of comments reached 886.
According to PhDr. Mgr. Dušan Kalášek, Chairman of the Agency for Development and Support of Critical Infrastructure and President of the Association of Schools of Critical Infrastructure, the main reasons for adopting the law on cyber security include the higher risk of threats associated with the volume of data processed. The new law will also require more cybersecurity professionals, and further investment in technology will be necessary.
Data protection is a key issue. Therefore, according to Kalášek, it must be clear what needs to be protected, what data exists and what it depends on. Organisations need to know their weaknesses and risks, which means putting in place risk identification, assessment and management to ensure the security and protection of data and information and of access to it. Staff training, particularly for information security staff, is an integral part of these processes. According to Dušan Kalášek, the situation will require critical infrastructure entities to ensure the security of IT and information systems, applications, software, hardware and other IT equipment, including cloud services, to provide effective protection against attacks and incident management, and subsequently to ensure business recovery.
Cyber threats and cybercrime are also among the domains the Czech Army deals with as part of building its new capabilities. Therefore, in connection with the introduction of the EU NIS2 Directive and the new law on cyber security, we asked the Director of the Communications and Information Systems Section of the Ministry of Defence, Brig. Gen. Petr Šnajdárek, several questions:
Was the Czech Army able to influence the parameters of the NIS2 Directive?
Yes, the Ministry of Defence had that option. The Ministry actively participated in the inter-ministerial comment procedure on the application of NIS2 in the amendment to the Cyber Security Act.
Can the Czech Armed Forces take over the protection of designated critical infrastructure at the critical moment of a cyber attack?
The Czech Armed Forces supervise the departmental critical infrastructure of communication and information systems (KIS). At a critical moment, they can take over its protection.
Is there a link between cyber protection of the Czech Armed Forces and critical infrastructure?
The cyber protection of the Ministry's critical infrastructure is dealt with at ministry level within the established competences (the managers for the individual areas and the operator). Beyond the department, this protection is coordinated with other public administration bodies as well as with NATO and EU bodies (through national representations).