Czech Republic: Cybersecurity
1. GOVERNING TEXTS
In the Czech Republic, the areas of cybersecurity and privacy and data protection are regulated separately. Cybersecurity is comprehensively governed by Act No. 181/2014 Coll. of 23 July 2014 on Cyber Security and Change of Related Acts ('the Cybersecurity Act'), which also implemented the requirements set out by the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive'). The Cybersecurity Act goes beyond the NIS Directive, which governs only essential and digital services, and applies to a wider scope of subjects, as defined in Section 3 of the Cybersecurity Act.
Please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Journal of the European Union on 27 December 2022 and became effective as of 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, Member States must transpose the NIS 2 Directive into their national legislation by 17 October 2024, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.
The NIS 2 Directive is not reflected in the Guidance Note below.
The Cybersecurity Act is accompanied by broad secondary legislation which implements the Cybersecurity Act, defines the criteria for the various categories of subjects, and/or implements other provisions of the Cybersecurity Act.
In addition to legislative measures, and in line with Article 7 of the NIS Directive, the Czech Republic has adopted a National Cyber Security Strategy of the Czech Republic for the period from 2021 to 2025 (only available in Czech here) and the Action Plan for the National Cyber Security Strategy of the Czech Republic for the period from 2021 to 2025 (only available in Czech here).
In regard to privacy and personal data protection, these areas are mostly governed at the European level by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The GDPR has introduced obligations relating to security of personal data, data breaches, and technical and organisational measures which must be adopted by each data controller. These measures may overlap or correlate with some types of security measures contemplated by cybersecurity regulation (for further information on cybersecurity measures, see section 3.1 below).
The Czech Republic has adopted the following two acts for the purpose of adapting Czech legislation to the GDPR requirements:
- Act No. 110/2019 Coll., on Personal Data Processing ('the Data Protection Act'); and
- Act No. 111/2019 Coll. amending Certain Acts in connection with the Adoption of the Act on Personal Data Processing (available only in Czech here) ('the Amending Act').
The Data Protection Act and the Amending Act introduce only minor derogations and additions to the GDPR and neither has any particular relevance to cybersecurity.
1.1. Legislation
Cybersecurity:
- the Cybersecurity Act;
- Decree No. 82/2018 Coll. of 21 May 2018 on Security Measures, Cybersecurity Incidents, Reactive Measures, Cybersecurity Reporting Requirements, and Data Disposal (only available to download in Czech here) ('the Decree on Cybersecurity');
- Decree No. 317/2014 Coll. of 15 December 2014 on Important Information Systems and their Determination Criteria ('the Decree on Important Information Systems');
- Decree No. 205/2016 Coll. of 14 June 2016, which amends Decree No. 317/2014 Coll. on Important Information Systems and their Determination Criteria (only available in Czech here); and
- Decree No. 437/2017 Coll. of 8 December 2017 on the Criteria for the Determination of an Operator of Essential Service ('the Decree on Essential Services').
National security and critical infrastructure:
- Act No. 240/2000 Coll. of 28 June 2000 on Crisis Management and on Amendment to Certain Acts (only available in Czech here) ('the Crisis Management Act'); and
- Government Order No. 432/2010 Coll. of 22 December 2010 on the Criteria for the Identification of a Critical Infrastructure Element ('the Government Regulation on Critical Infrastructure').
Information security and integrity:
- Act No. 412/2005 Coll. of 21 September 2005 on the Protection of Classified Information and on Security Capability (only available in Czech here) ('the Security and Classified Information Act');
- Act No. 365/2000 Coll. of 14 September 2000 on Public Administration Information Systems and on Amendments to Some Other Acts (only available in Czech here) ('the Act on Public Administration Information Systems');
- Decree No. 433/2020 Coll. of 23 October 2020, on Cloud Catalogue Criteria (only available in Czech here) ('the Cloud Decree 4 on Catalogue Criteria');
- Act No. 297/2016 Coll. of 14 August 2016 on Trust Building for Electronic Transactions (only available in Czech here);
- Act No. 300/2008 Coll. of 17 July 2008 on Electronic Acts and Authorised Document Conversion (only available in Czech here);
- Decree No. 194/2009 Coll. on Setting of the Details of Using of Information System of Data Boxes (only available in Czech here);
- Decree No. 315/2021 Coll. on Security Levels for Using Cloud Computing Services by Public Authorities (only available in Czech here) ('the Cloud Decree 3 on Security Levels'); and
- Decree No. 316/2021 Coll. on Certain Requirements for Registration in the Cloud Computing Catalogue (only available in Czech here) ('the Cloud Decree 1 on Ex Ante Control').
Electronic communications and information society services:
- Act No. 127/2005 Coll. of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts ('the Electronic Communications Act');
- Act No. 480/2004 Coll. of 29 July 2004 on Certain Information Society Services and Amending certain Laws (only available in Czech here) ('the Act on Information Society Services');
- Decree No. 241/2012 Coll. of 27 June 2012 on Determination of Technical and Organisational Measures for Ensuring Security and Integrity of Public Communication Networks and Interoperability of Publicly Available Electronic Communication Services during Crisis (only available in Czech here); and
- Decree No. 242/2012 Coll. of 27 June 2012 on Determining the Extent and Form of Information Transmitted on Security Breaches and Loss of Network Integrity (only available in Czech here).
Cybercrime and criminal procedure:
- Act No. 40/2009 Coll. of 8 January 2009, the Criminal Code (only available in Czech here);
- Act No. 218/2003 Coll. of 25 June 2003 Concerning Youth Responsibility for Unlawful Acts and Justiciary in Suits of Youth and Amendments to Some Acts;
- Act No. 418/2011 Coll. of 27 October 2011 on Criminal Liability of Legal Persons and Proceedings against Them ('the Criminal Liability Act'); and
- Act No. 141/1961 Coll. of 29 November 1961 on the Criminal Procedure Code (only available in Czech here) ('the Criminal Procedure Code').
Administrative offences and proceedings:
- Act No. 500/2004 Coll. of 24 June 2004, the Administrative Procedure Act (only available in Czech here); and
- Act No. 250/2016 Coll. of 12 July 2016 on Liability and Proceedings for Offences (only available in Czech here).
Recovery of damages:
Protection of personal data:
- the GDPR;
- the Data Protection Act; and
- the Amending Act.
Sectoral Legislation
In general, in the Czech Republic, cybersecurity is governed in a uniform manner by the Cybersecurity Act. A sector-specific framework exists only for the financial sector, namely banks, savings and credit unions, and securities traders. In particular, the Decree of the Czech National Bank No. 163/2014 Coll., on the Performance of Activities of Banks, Savings and Credit Unions and Investment Firms ('the Financial Services Decree') sets out the requirements which banks and other concerned entities of the financial sector must comply with if they intend to outsource some parts of their activities to third parties. Cybersecurity-related measures are further described in Annex No. 7 to the Decree and include, e.g., security policies, information access management, and security of communication networks.
Apart from the above-mentioned sectoral regulation relating to banks and other entities of the financial sector, there is no other sector-specific legislation which would govern cybersecurity for a given sector. Nonetheless, the Cybersecurity Act sets out different criteria for individual types of obliged entities, as defined in Section 3 of the Cybersecurity Act (see section 2 below for further information).
In respect of critical information infrastructure and essential services, the Cybersecurity Act sets out two types of criteria which must be fulfilled at the same time for an entity to qualify and fall under the Cybersecurity Act. The criteria are as follows:
- cross-sectional or impact criteria which are common for all entities operating critical infrastructure or essential services; and
- sectoral criteria which differentiate between individual sectors, such as medical care, energy, information management, or finance.
1.2. Regulatory authority
The NIS Directive prescribes that each Member State shall designate one or more national competent authorities in the field of cybersecurity and one or more computer security incident response teams ('CSIRTs').
The Czech Republic has appointed two CSIRTs at the national level:
- the Government CSIRT integrated into the National Cyber and Information Security Agency ('NUKIB'); and
- the National CSIRT administered by a private entity CZ.NIC, z.s.p.o.
In respect of the obligations imposed by the Cybersecurity Act, certain obliged persons must fulfil their obligations (mainly reporting) towards the Government CSIRT, while others must communicate with the National CSIRT. For further information in this regard, please see section 3.2 below.
A full list of CSIRT teams operating in the Czech Republic can be found here.
NUKIB was created in 2017 in line with Act No. 205/2017 Coll., amending the Cybersecurity Act. NUKIB is the central state agency for cybersecurity, including the protection of classified information in the area of information and communication systems and cryptographic protection. It is also in charge of tasks relating to the Galileo satellite system on the Czech side. Under the Cybersecurity Act, NUKIB is an administrative supervisory authority which is empowered to conduct inspections, impose corrective measures, and impose administrative penalties, mainly fines of up to CZK 5,000,000 (approx. €187,000). NUKIB's tasks are enumerated in Section 22 of the Cybersecurity Act.
NUKIB is divided into four different sections. One of these sections, and the executive body of the NUKIB, is the National Cyber Security Centre ('NCKB'). The NCKB primarily operates the Government CSIRT and also organises cybersecurity trainings and participates in trainings on an international level.
The Government CSIRT falls under the NCKB's governance and as such, is integrated into the NUKIB's internal structure. It is the authority responsible for the security of networks and information systems and it is authorised to deal with the most significant security incidents, such as those affecting networks of public authorities, critical information infrastructure, and important information systems. The Government CSIRT also provides guidance and assistance in relation to cybersecurity to state authorities and private entities alike, so that security incidents are prevented or at least effectively solved and mitigated.
The National Security Authority ('NBU') is a governmental agency responsible for the security of classified information and maintaining security clearances. It was created on the basis of Act No. 148/1998 Coll., on the Protection of Classified Information (which was abolished and replaced by the Security and Classified Information Act).
As mentioned above, the second CSIRT team at the national level is the National CSIRT, operated by a private entity called CZ.NIC on the basis of a public contract signed between NUKIB and CZ.NIC in December 2015. The National CSIRT cooperates with NUKIB, communicates with other CSIRT teams at the national and international level, and coordinates the resolution of problems and security incidents. It acts as an intermediary between the affected party and the originator of the damage. It is also responsible for the education of the public.
1.3. Regulatory authority guidance
NUKIB has not issued one single handbook which would serve as guidance for every entity, public or private, citizen or agency. However, it provides individual pieces of guidance regarding particular issues relating to cybersecurity. Among these are:
- Warning methodology of 17 December 2018 (only available in Czech here);
- Recommended security measures regarding the warning of 16 April 2020 (only available in Czech here);
- Minimum security standard for entities not subject to the Cybersecurity Act (only available in Czech here);
- Security standard for videoconferences (only available in Czech here);
- Guidelines on reporting a cybersecurity incident (only available in Czech here);
- Diagram on the law on cybersecurity (only available in Czech here);
- Guidelines on administrators of information or communication systems (only available in Czech here);
- Diagram on obligations imposed by the Cybersecurity Act (only available in Czech here);
- Overview of deadlines for fulfilling the obligations imposed by the Cybersecurity Act (only available in Czech here);
- Guidelines for impact assessment (only available in Czech here);
- NUKIB recommendation on information the disclosure of which can jeopardise cybersecurity (Section 10(a) of the Cybersecurity Act) (only available in Czech here);
- Guidance on the system and scope of ISMS – the difference between information and communication system and information security management system (only available in Czech here);
- Diagram on the identification of critical information infrastructure (only available in Czech here);
- Guidelines on the identification of critical information infrastructure (only available in Czech here);
- Guidance on the rights and obligations of subjects of the critical information infrastructure according to the Crisis Management Act (only available in Czech here);
- Guidelines on the identification of providers of essential services and information systems of essential services (only available in Czech here);
- Guidelines on the identification of the important information systems (only available in Czech here);
- Guidelines on the identification of digital service providers (only available in Czech here);
- Security audit checklist (only available in Czech here);
- Guidance on security audit (only available in Czech here);
- Security roles and their classification within the organisation (only available in Czech here);
- Guidance on classification of demanded cloud computing systems under appropriate security levels (only available in Czech here);
- Guidance on requirements for penetration test reports in connection with registering a cloud computing system into the Cloud Computing Catalogue (only available in Czech here);
- Guidance on penetration testing – introduction into the topic (only available in Czech here); and
- Requirements on contracts with suppliers (only available in Czech here).
Updated versions of all guidance and materials issued by NUKIB are available here.
In the field of classified information, the NBU provides guidance in the form of informal FAQ (only available in Czech here).
2. SCOPE OF APPLICATION
The material scope of the Cybersecurity Act is defined in Section 1(1) of the Cybersecurity Act, which provides that the Cybersecurity Act regulates the rights and obligations of persons and the competence and powers of authorities in the field of cybersecurity.
In Section 3, the Cybersecurity Act defines the scope of entities that are subject to the obligations and requirements set out by the Cybersecurity Act:
- the provider of electronic communications services;
- the operator of electronic communications network;
- the operator of important network;
- the operator of important information system;
- the administrator of important information system;
- the operator of information system qualifying as critical information infrastructure;
- the administrator of information system qualifying as critical information infrastructure;
- the operator of communication system qualifying as critical information infrastructure;
- the administrator of communication system qualifying as critical information infrastructure;
- the operator of essential service;
- the operator of information system of essential service;
- the administrator of information system of essential service; and
- the digital service provider.
The Cybersecurity Act purposefully differentiates between an operator and an administrator of the information system. In the general sense, an operator is in charge of the information system, its purpose, and its functioning. In particular, Section 2(e) of the Cybersecurity Act defines the operator of an information system as a person who 'determines the purpose of data processing and conditions of operation of the information system', whereas Section 2(f) of the Cybersecurity Act provides that an operator of a communication system is a person who 'determines the purpose of the communication system and the conditions of its operation.'
On the other hand, Section 2(g) of the Cybersecurity Act defines an administrator of an information or communication system ('IS/CS') as a person who 'ensures the functionality of technical and software components of the information or communication system.' An administrator contributes to the functioning of the IS/CS but is responsible and accountable to the operator of the information system. Additional details relating to the particular types of network or infrastructure are provided below.
2.1. Network and Information Systems
The general term of network is not defined in the Czech legislation. Under Section 2(2)(b) of the Electronic Communications Act, electronic communications network means '[the] transmission systems, whether or not they are based on a permanent infrastructure or are centrally managed; and, where applicable, switching or routing equipment and other facilities that permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed circuit-switched or packet-switched networks, including the internet, and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for broadcasting, and cable television networks, irrespective of the type of information conveyed.'
The Cybersecurity Act does not regulate information systems separately but only together with the particular type of network or infrastructure that the information or communication system is connected to. The scope of the obliged persons under the Cybersecurity Act, therefore, includes not only operators of such networks and infrastructure, but also operators and administrators of information and communication systems of such networks and infrastructure. For further information on obliged persons, see the scope of application in section 2 above.
2.2. Critical Information Infrastructure Operators
Critical infrastructure is defined under Section 2(g) of the Crisis Management Act as 'an element of critical infrastructure or system of elements of critical infrastructure, disruption of which would have a significant impact on the State security, on ensuring the basic living needs of the population, on health of people or State economy.'
The specific elements of critical infrastructure are further defined in the Government Regulation on Critical Infrastructure, which classifies the critical infrastructure according to the relevant sectors. The critical information infrastructure ('CII'), which is the only critical infrastructure subject to the Cybersecurity Act, corresponds to Section 6 of the Annex to the Government Regulation on Critical Infrastructure and covers the sector of information and communication systems. The Government Regulation on Critical Infrastructure provides two types of criteria which qualify an information or communication system as CII:
- sectoral (specific for establishing critical information infrastructure); and
- cross-sectional (common for critical infrastructure in general).
In order to fall under the Cybersecurity Act, an IS/CS must meet at least one criterion from each of those two categories. NUKIB has issued useful graphics demonstrating the process of determination of CII (only available in Czech here).
It is left to NUKIB to assess whether the IS/CS fulfils the above-mentioned criteria. If a certain IS/CS qualifies as CII, NUKIB must issue a sui generis decision and determine the concerned IS/CS as an element of the CII, as outlined in Section 22(m) of the Cybersecurity Act and Section 9(3)(b) and (c) of the Crisis Management Act.
Based on this decision, the operator of IS/CS qualifying as CII becomes subject to the requirements and obligations set down in the Cybersecurity Act.
The operator of CII may decide to outsource some technical and software components to a third party, i.e., its supplier, thereby engaging an administrator of CII. However, the primary responsibility with respect to cybersecurity and the Cybersecurity Act rests with the operator of CII. The operator is subsequently obliged to notify its administrators that the concerned IS/CS has been qualified as CII by NUKIB. A penalty of up to CZK 1,000,000 (approx. €39,380) can be imposed on an operator who fails to inform its administrator. A failure of the operator to inform its administrator simultaneously qualifies as a failure of the operator to manage its suppliers under Section 8 of the Decree on Cybersecurity, for which a penalty of up to CZK 5,000,000 (approx. €196,905) may be imposed.
Additional information on how NUKIB evaluates whether a particular IS/CS should be considered CII is described in the Guidelines on the identification of critical information infrastructure issued by NUKIB (only available in Czech here). For additional information relating to the operators and administrators of information systems, see the Guidelines on administrators of information or communication systems (only available in Czech here).
2.3. Operator of Essential Services
The Cybersecurity Act distinguishes between operators of essential services and operators/administrators of information systems of essential services. Essential service is defined by the Cybersecurity Act as a service the provision of which is dependent on electronic communication networks or information systems, and the disruption of which may have a significant impact on the security of societal or economic activities in the listed areas. The particular criteria for determination of essential services are set down in the Decree on Essential Services and they include both sectoral and impact criteria. The operator must meet at least one criterion from each of the two categories to fall in the scope of the operator of essential service. The sectoral criteria are listed in the Annex to the Decree on Essential Services and correspond to the criteria established by the NIS Directive (e.g. the services consist in either IXPs, DNS services or TLD name registries). The impact criteria are listed in the Decree on Essential Services and represent the potential harm that could occur in the event of a cybersecurity incident related to the information system of the essential service. NUKIB has issued useful graphics demonstrating the process of determination of information system of essential service (only available in Czech here).
Operators of essential services established in the Czech Republic are determined by NUKIB which issues a decision pursuant to Section 22(a) of the Cybersecurity Act. NUKIB's decisions are not publicly available.
Similarly to critical infrastructure, an operator of an essential service can outsource all or some technical or software components of the information system to its supplier or suppliers. Depending on the extent of its involvement in the functioning of the information system, the supplier can become an operator or administrator of the information system of the essential service and thus subject to the requirements of the Cybersecurity Act. Pursuant to the Guidelines on administrators of information systems (only available in Czech here) issued by NUKIB, the operator of an essential service is required to notify the operator or administrator of its information system without undue delay after becoming aware of NUKIB's decision qualifying it as an operator of an essential service. A penalty of up to CZK 1,000,000 (approx. €39,380) can be imposed on an operator who fails to inform its administrator. A failure of the operator to inform its administrator simultaneously qualifies as a failure of the operator to manage its suppliers under Section 8 of the Decree on Cybersecurity, for which a penalty of up to CZK 5,000,000 (approx. €196,905) may be imposed.
2.4. Cloud Computing Services
The NIS Directive defines a cloud computing service as a digital service that enables access to a scalable and elastic pool of shareable computing resources. Section 2(l) of the Cybersecurity Act, in line with the NIS Directive, classifies cloud computing services as a type of digital service and adopts an almost identical definition. Providers of cloud computing services are, therefore, subject to the requirements of the Cybersecurity Act to the same extent as other digital service providers. As in the case of the NIS Directive, the Cybersecurity Act does not distinguish between the various cloud deployment models (public, private, hybrid, etc.).
As of August 2020, cloud computing services deployed by the public sector must be cleared through the so-called Cloud Catalogue, i.e., a tool intended for pre-approving any cloud services permissible for use in the public sector.
The Cloud Catalogue, governed by the Cloud Decree 4 on Catalogue Criteria, introduces the concept of Security Levels which are further defined by the Cloud Decree 3 on Security Levels. According to the Cloud Decree 3 on Security Levels, public authorities need to classify their information and communication systems for which they intend to use cloud services ('demanded cloud computing service') under one of the security levels mentioned below. Security levels under the Cloud Decree 3 on Security Levels are therefore not used for classification of specific commercial cloud services offered by cloud service providers. On the other hand, the security level assigned to the demanded cloud computing service only indicates which specific cloud computing service products registered in the Cloud Computing Catalogue may be used to satisfy the demand of the public authority in question (only services that have the same or higher security level as registered in the Cloud Computing Catalogue may be used). Security levels are determined with regard to the possible implications of a security incident involving the demanded cloud computing service with respect to the following areas:
- public security and health;
- personal data protection;
- criminal proceedings;
- public order;
- international relations;
- management and operation of the respective public authority;
- credibility of the respective public authority;
- financial model (e.g., possible negative impact on public authority's financial resources); and
- provision of services by the respective public authority.
However, certain information systems are automatically classified under a specific security level without considering the factors set out above, as indicated in the table below. The security levels defined by the Cloud Decree 3 on Security Levels are as follows:
| Security level | Automatically assigned information systems |
|---|---|
| Low | Not applicable |
| Medium | Not applicable |
| High | Is classified as important information systems |
| Critical | Is classified as important information systems |
The NUKIB has issued Guidance on classification of demanded cloud computing systems under appropriate security levels (only available in Czech here).
The Cloud Decree 1 on Ex Ante Control provides specific entry requirements for the cloud computing services which are to be registered in the Cloud Computing Catalogue. There are different entry requirements for each of the four security levels, which are divided into two main areas:
- entry requirements for the provider of the cloud computing service (e.g., the requirement of establishment in the EU and the requirement for the integrity of the provider); and
- entry requirements for the cloud computing service which is to be registered in the Cloud Computing Catalogue, including:
  - location of data processing and data storage;
  - process for responding to data disclosure requests from public authorities;
  - audit rights;
  - level of accessibility of the service;
  - connection to an internet exchange node;
  - maintaining the provision of the cloud computing service;
  - data handling;
  - certification of the cloud computing service;
  - reacting to cybersecurity threats and cybersecurity incidents; and
  - testing of the cloud computing service.
Once the provider of the cloud computing service fulfils the entry requirements, the cloud computing service is registered in the Cloud Computing Catalogue, and from that moment on, it may be offered to public authorities. Public authorities then choose the cloud computing service which is approved for the same or higher security level as the public authority's demanded cloud computing service.
Furthermore, there is another decree, the Cloud Decree 2 on Ex Post Control (only available in Czech here), in the legislative process. This decree will set out the requirements for the contractual documentation between public authorities and providers of cloud computing services.
2.5. Digital Service Providers
Under Section 2(l) of the Cybersecurity Act, a digital service is understood as an information society service within the meaning of the Act on Information Society Services which consists in the operation of an online marketplace, an online search engine, or cloud computing.
The Act on Information Society Services establishes that a digital service must meet the following criteria:
- it must be provided by electronic means;
- the provided service consists of an online marketplace, online search engine, or cloud computing service;
- it is usually provided in exchange for remuneration; and
- it is provided upon individual request of the user submitted via electronic means.
Unlike operators of CII or essential services, digital service providers are not designated by NUKIB and no formal decision needs to be issued before the requirements of the Cybersecurity Act become applicable. For further information, please see NUKIB's Guidelines on digital service providers (only available in Czech here).
2.6. Other
Operators of important network and important information systems
An important network is defined in the Cybersecurity Act as an electronic communication network providing direct international connectivity to public communication networks or providing a direct connection to the critical information infrastructure. An operator of CII is obliged to notify without undue delay the entity that is providing a direct connection to the CII. Upon the notification, the concerned entity becomes subject to the Cybersecurity Act as the operator of an important network.
According to Section 2(d) of the Cybersecurity Act, an important information system is understood as 'an information system operated by a public authority that is neither qualified as critical information infrastructure nor an information system of essential service, and for which a breach of information security may limit or significantly jeopardise the exercise of powers of the public authority.' Whether an information system is an important information system is determined pursuant to the Decree on Important Information Systems. The Decree on Important Information Systems was amended in 2020 by Decree No. 360/2020 (only available in Czech here), which introduced new types of important information systems. There are currently two types of important information systems:
- information systems administered by public authorities which are used for the provision of specified services, such as electronic post used by the public authority, records management or the public authority's notice board (the scope of the services will be extended in 2023); and
- information systems administered by public authorities which fulfil the specified criteria corresponding to the potential harm which would be caused in case of an information security breach.
Details regarding the two types of the important information systems are provided in the Decree on Important Information Systems. Moreover, NUKIB has issued useful graphics demonstrating the process of determination of an important information system (only available in Czech here).
It is the public authority itself that examines and determines whether the information system it operates is or is not an important information system. If the authority comes to the conclusion that its information system should be qualified as an important information system, it renders an internal legal act constituting its status as an operator of an important information system. It is important to note that an information system operated by a municipality or by a municipal district cannot be considered an important information system.
The operator of an important information system can also outsource some technical or software components to its supplier. The same requirements as in the case of CII above would be applicable.
3. REQUIREMENTS
3.1. Security measures
One of the obligations that the Cybersecurity Act sets down for obliged entities is the adoption and implementation of security measures. Pursuant to the Cybersecurity Act and the Decree on Cybersecurity, the security measures consist of organisational (internal processes and management, etc.) and technical measures (physical security, restricted access, etc.). For particular details, please see the Decree on Cybersecurity, which applies different scopes of obligations to different obliged entities.
The operators of digital services must take appropriate and proportionate technical and organisational measures to prevent and minimise the impact of incidents affecting the network on which the digital service is provided. For the implementation of security measures, the digital service providers should also take into account the Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down the rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council.
The remaining obliged persons are required to implement security measures to the extent necessary for ensuring the cybersecurity of their information or communication systems. They are also required to keep the necessary security documentation as evidence of this.
Apart from security measures, the Cybersecurity Act and the Decree on Cybersecurity also establish obligations to adopt reactive and protective measures.
The purpose of the reactive measures imposed by Section 13 of the Cybersecurity Act is to immediately react to a cybersecurity incident. The Cybersecurity Act distinguishes between two types of reactive measures:
- a decision; and
- the measure of general scope.
In the first case, a cybersecurity incident occurs in a specific information or communication system, and NUKIB issues a decision aimed at a particular subject and containing specific obligations. In the second case, the extent of the cybersecurity incident is unknown, and thus NUKIB renders a measure of general scope, containing specific obligations but aimed at an indeterminate group of persons. Obliged entities are subsequently required to report to the Government CSIRT that the reactive measures have been implemented.
The purpose of protective measures set out in Section 14 of the Cybersecurity Act is to subsequently acknowledge experience gained from the resolution of previous incidents and adapt the information systems and networks in order to prevent future incidents. They are rendered as a measure of general scope.
For further information on the scope of obliged persons in respect of particular obligations resulting from the Cybersecurity Act, please see the table attached in section 3.5 below.
3.2. Notification of cybersecurity incidents
The Cybersecurity Act does prescribe reporting obligations. Depending on the entity, the obliged person will notify the security incident either to the Government CSIRT by using its form (only available in Czech here) or to the National CSIRT by using its form (only available in Czech here). Pursuant to Section 8 of the Cybersecurity Act, the obliged entities must report security incidents immediately after detecting them. Digital service providers must notify, without undue delay, only if the relevant cybersecurity incident may significantly affect the service they provide. NUKIB has issued Guidelines for the assessment of the impact of cybersecurity incidents (only available in Czech here).
NUKIB has also issued Guidelines on reporting cybersecurity incidents (only available in Czech here). For example, these Guidelines confirm that only accidental cybersecurity incidents should be reported, not planned maintenance of the system. Furthermore, the Guidelines set out an exception under which a cybersecurity incident does not need to be reported: where a part of the assets becomes unavailable but the backup assets of the system prevent the overall unavailability of the system, provided that there is no evidence of wilful misconduct.
The reporting obligation per this paragraph can be fulfilled by the administrator of the relevant information system acting in place of the operator. The administrator shall always be obliged to inform the operator of the information system without undue delay.
Persons not falling in the scope of obliged persons under the Cybersecurity Act can still report cybersecurity incidents they become aware of. They can do so by addressing the NUKIB or the National CSIRT.
For further information on the scope of obliged persons in respect of particular obligations resulting from the Cybersecurity Act, please see the table attached in section 3.5 below.
3.3. Registration with a regulatory authority
There is no specific obligation to register with a regulatory authority. However, under Section 16(2) of the Cybersecurity Act, there is an obligation to report contact details to the relevant authorities. This can be done by using the Government CERT form available here or the National CERT forms available here. The authority which receives the contact details depends on the category of the obliged entity under the Cybersecurity Act; the obligation is divided between the Government CERT and the National CERT. The required details include the name of the entity, its registered office, its identification number and additional information about the operated information system.
For further information on the scope of obliged persons in respect of particular obligations resulting from the Cybersecurity Act, please see the table attached in section 3.5 below.
3.4. Appointment of a 'security' officer
Section 6(2) of the Decree on Cybersecurity stipulates that every category of obliged entities under the Cybersecurity Act is required to put in place an Information Security Management System ('ISMS') in which it designates a committee for cybersecurity management, and other security roles and their rights and duties. The security roles under the Decree on Cybersecurity depend on the category of the entity. NUKIB issued, on 6 April 2020, an updated version of the guidelines regarding the security roles (only available in Czech here).
Section 6(3) of the Decree on Cybersecurity outlines that the operators/administrators of CII and operators/administrators of information systems of essential services must appoint a cybersecurity manager, a cybersecurity architect, an asset guarantor, and a cybersecurity auditor.
Section 6(4) of the Decree on Cybersecurity highlights that the operators/administrators of an important information system shall appoint a cybersecurity manager and an asset guarantor. The remaining roles should be determined proportionally. The scope of duties of the persons acting in the designated roles is further defined in the Decree on Cybersecurity.
For further information on the scope of obliged persons in respect of particular obligations resulting from the Cybersecurity Act, please see the table attached in section 3.5 below.
3.5. Other requirements
Obligation to detect cybersecurity incidents
Section 7 of the Cybersecurity Act sets down an obligation to detect cybersecurity incidents. Some categories of obliged entities, such as operators/administrators of CII, operators/administrators of information systems of essential services and operators/administrators of important information systems, are required to meet the detection criteria established by Section 23 of the Decree on Cybersecurity (e.g. specific requirements for the operation of log management, IDS/IPS systems and a SIEM system).
Requirements relating to suppliers and contracts
The obliged entities are also required to take the requirements on security measures into account when choosing their suppliers and to implement them in the respective contractual documentation (e.g. ownership, access and erasure of data, supply chains, right to inspect and audit, notification obligations, etc.). Taking these requirements into account is not regarded as an unlawful restriction of competition or as an unjustified impediment to competition. See NUKIB's guidance on Requirements on contracts with suppliers (only available in Czech here) for further information.
For further information on the scope of obliged persons in respect of obligations resulting from the Cybersecurity Act, please see the provisions listed below:
- Reporting contact details to National CSIRT: Section 16(2)(a) of the Cybersecurity Act;
- Reporting contact details to Government CSIRT: Section 16(2)(b) of the Cybersecurity Act;
- Reporting cybersecurity incidents to National CSIRT: Section 8(3) of the Cybersecurity Act;
- Reporting cybersecurity incidents to Government CSIRT: Section 8(4) of the Cybersecurity Act;
- Detection of cybersecurity incidents: Section 7(3) of the Cybersecurity Act;
- Adopting reactive measures and reporting to Government CSIRT: Section 11(3) of the Cybersecurity Act;
- Adoption and implementation of security measures (technical and organisational measures): Section 4(2) and (3) of the Cybersecurity Act;
- Adopting protective measures: Section 11(4) of the Cybersecurity Act; and
- Requirements relating to suppliers and contracts: Section 4(4) and (5) of the Cybersecurity Act.
4. SECTOR-SPECIFIC REQUIREMENTS
As further described in section 1.1 above, except for the financial sector, there is no sector-specific cybersecurity legislation in the Czech Republic. Cybersecurity is comprehensively governed by the Cybersecurity Act and its implementing decrees.
Cybersecurity in the health sector
There is no sector-specific regulation applicable to the health sector. The Ministry of Health has issued guidance on prevention and management of security incidents (only available in Czech here).
Hospitals and health services providers may qualify as an essential service if they had at least 800 hospital beds over the last three calendar years or if the health services provider was granted the status of a highly specialised traumatology care centre. Additional criteria relating to the impact of a potential cybersecurity incident (e.g., number of affected persons or casualties) are applicable.
Health services providers may potentially qualify as critical infrastructure as well, provided that they have at least 2500 hospital beds. In such a case, the IS/CS of such health services providers may potentially qualify as CII and therefore be subject to the requirements of the Cybersecurity Act.
Cybersecurity in the financial sector
As described above in section 1.1, the Financial Services Decree sets out cybersecurity-related requirements applicable to banks, savings and credit unions and securities traders.
Furthermore, financial institutions may qualify as an essential service, depending on the number of potentially affected persons in the event of a security incident, or as critical infrastructure, which may also entail implications in respect of cybersecurity requirements.
There are no cybersecurity-related specific requirements applicable to cryptocurrencies and blockchain.
Cybersecurity practices for employees
The Decree on Cybersecurity prescribes categories of security measures which include the obligation of obliged persons to inform, manage and ensure proper training of their employees in relation to cybersecurity, including monitoring and notification of security incidents.
Cybersecurity in the education sector
There are no sector-specific requirements applicable to the education sector. Educational institutions are generally not likely to qualify as obliged persons under the Cybersecurity Act; however, some information systems deployed in the education sector might qualify as important information systems. Please see NUKIB's guidance for further information (only available in Czech here).
5. PENALTIES
The Cybersecurity Act establishes a complete regime of administrative sanctions that may involve either a corrective measure or a monetary fine of up to CZK 5,000,000 (approx. €196,905) for legal entities. The fines are relatively modest, but as the legislator explains, sanctioning pursuant to the Cybersecurity Act is based on the principle of prevention and autonomy of the regulated subjects. For more information see Sections 24 and 25 of the Cybersecurity Act. The nature of these fines is administrative, and the offences are classified into four different categories according to the amount of the fine. A complete list of the offences is set out in Section 25 of the Cybersecurity Act. They include:
- very serious offences such as a failure to take, adopt or implement security measures lead to a fine up to CZK 5,000,000 (approx. €206,246);
- serious offences such as a failure to report a cybersecurity incident, failure to notify the administrator/operator of the information system of essential service or a failure of the administrator to provide requested data to the operator lead to a fine up to CZK 1,000,000 (approx. €41,250);
- minor offences such as a failure to report contact details to the relevant authority lead to a fine up to CZK 10,000 (approx. €412).
A natural person can only commit an offence if they are (or were) an employee of the respective cybersecurity authority and they violated their duty of confidentiality. Such a fine may amount to CZK 50,000 (approx. €2,060).
The fines are imposed by NUKIB in administrative proceedings.
In terms of criminally prosecuted offences, the Criminal Code contains three crimes which may be applicable to cybersecurity threats and incidents:
- Section 230 of the Criminal Code, concerning unauthorised access to a computer system and information carrier, is applicable to the unlawful handling of data contained in a computer system or data carrier, including manipulation, corruption and erasure, and is punishable by fines or incarceration in the case of natural persons;
- Section 231 of the Criminal Code, concerning the procurement and harbouring of an access device, computer system password or other similar data, is applicable to hacking activities and interference with the transmitted content of communications, and is punishable by incarceration in the case of natural persons; and
- Section 232 of the Criminal Code, concerning damage to a record in a computer system or on a data carrier and interference with computer equipment, covers negligent interference with data and information systems, e.g. by a person acting in the position of an employee or office holder, and is punishable by incarceration in the case of natural persons.
Criminal liability of legal entities is governed by the Criminal Liability Act on the criminal liability of legal entities. Potential criminal sanctions include dissolution of the entity, confiscation of property, monetary fines, prohibition of business activity, prohibition from taking part in public tenders, prohibition from receiving any subsidies and publication of the judgment.
Criminal fines may be as high as CZK 36.5 million (approx. €1.43 million).
6. OTHER AREAS OF INTEREST
Several cyberattacks have taken place in the Czech Republic in 2022, targeting mainly information systems of strategic public authorities. The NUKIB has issued a warning against such cyberattacks which also includes certain recommendations for the general public (only available in Czech here).
In addition, several cyberattacks targeted at hospitals have taken place in the previous years; most of them involved ransomware. Some cyberattacks also took place during the Coronavirus pandemic targeting IS/CS across the Czech Republic, mainly IS/CS of healthcare institutions. As a follow-up, NUKIB issued guidance on such cyberattacks (only available in Czech here).
Jana Pattynova, Partner, [email protected]; Teodora Drašković, Associate, [email protected]; Pierstone, Prague