Laws and regulations governing cybersecurity
4. Cybersecurity and its legal regulation
4.2. Cybersecurity Legislation in the Czech Republic
The state began to address cybersecurity systematically in 2010, when Government Resolution No. 205 on addressing the issue of cybersecurity of the Czech Republic was adopted.[1] The resolution designated the Ministry of the Interior of the Czech Republic (MICR) as the custodian (gestor) of cybersecurity and at the same time as the national authority for this area. The Minister of the Interior was further instructed to:
1. coordinate the activities of other state institutions in the field of ensuring cybersecurity,
2. coordinate the representation of the Czech Republic in matters of cybersecurity in international forums, including the participation of state bodies in the activities of relevant international organisations,
3. submit the statute of the Interministerial Coordinating Council for Cyber Security to the government for approval by 30 April 2010,
4. submit a cybersecurity strategy to the government by 15 December 2010,
5. ensure the operation of the government CSIRT (Computer Security Incident Response Team) no later than 31 December 2010.
On 19 October 2011, the Government of the Czech Republic adopted Resolution No. 781 on the establishment of the National Security Authority (in Czech: Národní bezpečnostní úřad, NBU) as the custodian (gestor) of cybersecurity issues and at the same time the national authority in this area.[2] With the same resolution, the Government established the Council for Cyber Security[3] and approved the creation of the National Cyber Security Centre as part of the NBU.
In 2011, the Strategy for the Area of Cyber Security of the Czech Republic for the period 2011 to 2015[4] and its action plan were adopted. However, because responsibility was transferred from the Ministry of the Interior to the NBU, the strategy is more often cited as the Strategy for the Area of Cyber Security of the Czech Republic for the period 2012 to 2015.[5]
The strategy set the following strategic goals and measures:
- creation of a legislative framework,
- establishment of the National Cyber Security Centre and the government CERT,
- protection of critical information infrastructures,
- strengthening the cybersecurity of public administration information and communication systems,
- streamlining the fight against crime in cyberspace,
- coordination of activities to ensure cybersecurity in Europe,
- use of reliable and trustworthy information technologies,
- raising awareness of cybersecurity,
- response to cyberattacks.
On 28 June 2013, the NBU submitted a draft cybersecurity act to the Government of the Czech Republic. The subsequent legislative process passed without significant objections, and Act No. 181/2014 Coll., on Cyber Security and on Amendments to Related Acts (Cyber Security Act, hereinafter the CSA), was promulgated on 29 August 2014 and took effect on 1 January 2015.
Implementing regulations were drawn up alongside the Act, namely:
- Decree No. 316/2014 Coll., on security measures, cybersecurity incidents, reactive measures and on the requirements for filings in the field of cybersecurity (Decree on Cybersecurity);
- Decree No. 317/2014 Coll., on important information systems and their determining criteria;
- Government Regulation No. 315/2014 Coll., amending Government Regulation No. 432/2010 Coll., on criteria for determining an element of critical infrastructure.
All of these instruments took effect at the same time as the Cyber Security Act.
In August 2015, the operator of the National CERT was selected on the basis of the requirements set out in the CSA; the CZ.NIC association became this operator.[6] On 18 December 2015, the public-law contract on securing the activities of the National CERT and on cooperation in the field of cybersecurity was signed.[7] The contract was concluded for an indefinite period.
The Cyber Security Act has undergone two significant amendments since it took effect in 2015.
The first amendment was made by Act No. 104/2017 Coll.,[8] with effect from 1 July 2017. It extended the circle of obliged persons under the CSA to include operators of information systems and amended certain sanctions.
The second substantive amendment was made by Act No. 205/2017 Coll.,[9] with effect from 1 August 2017. It transposed Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive) into the CSA and at the same time established the National Cyber and Information Security Agency (NUKIB). NUKIB took over the rights and obligations of the NBU in the field of cybersecurity, including the protection of classified information in information and communication systems and cryptographic protection, and is the central administrative body for these areas.
At present, cybersecurity is specifically governed by the Cyber Security Act. Partial aspects of protecting the Czech Republic against cyberattacks can, however, be found in other legal regulations. In terms of cybersecurity, the most important of these are the following:
Constitutional acts
- Constitutional Act No. 1/1993 Coll., the Constitution of the Czech Republic, as amended
- Constitutional Act No. 2/1993 Coll., Charter of Fundamental Rights and Freedoms, as amended[10]
- Constitutional Act No. 110/1998 Coll., on the Security of the Czech Republic
Acts
- Act No. 106/1999 Coll., on Free Access to Information, as amended
- Act No. 101/2000 Coll., on the Protection of Personal Data and Amendment to Some Acts, as amended[11]
- Act No. 121/2000 Coll., on Copyright, on Rights Related to Copyright and on Amendments to Certain Acts (Copyright Act), as amended
- Act No. 240/2000 Coll., on Crisis Management and Amendments to Certain Acts (Crisis Act), as amended
- Act No. 365/2000 Coll., on Public Administration Information Systems, as amended
- Act No. 480/2004 Coll., on Certain Information Society Services and on Amendments to Certain Acts (Act on Certain Information Society Services), as amended[12]
- Act No. 127/2005 Coll., on Electronic Communications, as amended[13]
- Act No. 412/2005 Coll., on the Protection of Classified Information and on Security Clearance, as amended[14]
- Act No. 69/2006 Coll., on the Imposing of International Sanctions, as amended
- Act No. 300/2008 Coll., on Electronic Acts and Authorised Conversion of Documents, as amended
- Act No. 40/2009 Coll., Criminal Code, as amended[15]
- Act No. 111/2009 Coll., on Basic Registers, as amended
- Act No. 418/2011 Coll., on the Criminal Liability of Legal Persons and Proceedings against Them
- Act No. 89/2012 Coll., the Civil Code
- Act No. 181/2014 Coll., on Cyber Security and on Amendments to Related Acts (Cyber Security Act, CSA), as amended
- Act No. 297/2016 Coll., on Services Creating Trust for Electronic Transactions
Statutory Instruments
- Government Regulation No. 522/2005 Coll., laying down the lists of classified information, as amended
- Decree No. 523/2005 Coll., on the security of information and communication systems and other electronic devices handling classified information and on the certification of shielded chambers, as amended
- Decree No. 529/2006 Coll., on requirements for the structure and content of the information concept and operational documentation and on requirements for the management of security and quality of public administration information systems (Decree on long-term management of public administration information systems)
- Government Regulation No. 432/2010 Coll., on criteria for determining the element of critical infrastructure
- Decree No. 357/2012 Coll., on the retention, transfer and deletion of traffic and location data
- Decree No. 317/2014 Coll., on important information systems and their defining criteria
- Decree No. 437/2017 Coll., on the criteria for determining an operator of essential services
- Decree No. 82/2018 Coll., on security measures, cybersecurity incidents, reactive measures, requirements for filings in the field of cybersecurity and data disposal (Decree on Cybersecurity), which replaced Decree No. 316/2014 Coll.
[1] RESOLUTION OF THE GOVERNMENT OF THE CZECH REPUBLIC of 15 March 2010 No. 205 addressing the issue of cybersecurity of the Czech Republic. [online]. Available from: https://apps.odok.cz/attachment/-/down/KORN97BQ9ASZ
[2] RESOLUTION OF THE GOVERNMENT OF THE CZECH REPUBLIC of 19 October 2011 No. 781 on the establishment of the National Security Authority as the custodian of cybersecurity issues and at the same time the national authority in this area. [online]. Available from: https://apps.odok.cz/attachment/-/down/KORN97BUKZ3E
[3] This council is an advisory body to the Prime Minister in the field of cybersecurity.
[4] Strategie pro oblast kybernetické bezpečnosti České republiky na období let 2011 až 2015. [online]. Available from: https://www.databaze-strategie.cz/cz/cr/strategie/strategie-pro-oblast-kyberneticke-bezpecnosti-cr-2011-2015?typ=struktura
[5] Strategie pro oblast kybernetické bezpečnosti České republiky na období 2012 - 2015. [online]. Available from: https://www.govcert.cz/download/legislativa/container-nodeid-719/20120209strategieprooblastkbnbu.pdf
[7] For the text of the contract see: https://www.nic.cz/files/nic/doc/NBU-Smlouva-narodni-cert-201512.pdf
[8] Act No. 104/2017 Coll., amending Act No. 365/2000 Coll., on Public Administration Information Systems and amending certain other acts, as amended, Act No. 181/2014 Coll., on Cyber Security and on Amendments to Related Acts (Cyber Security Act), and certain other acts. [online]. Available from: https://www.zakonyprolidi.cz/cs/2017-104
[9] Act No. 205/2017 Coll., amending Act No. 181/2014 Coll., on Cyber Security and on Amendments to Related Acts (Cyber Security Act), as amended by Act No. 104/2017 Coll., and certain other acts. [online]. Available from: https://www.zakonyprolidi.cz/cs/2017-205
[10] Hereinafter referred to as the Charter of Fundamental Rights and Freedoms or Charter.
[11] Hereinafter referred to as the Personal Data Protection Act or the PDPA. In connection with the GDPR taking effect, this act was to be recodified and replaced by a Personal Data Processing Act; for details see [online]. Available from: https://apps.odok.cz/veklep-detail?pid=KORNAQCDZPW5 (Act No. 101/2000 Coll. was subsequently repealed and replaced by Act No. 110/2019 Coll., on Personal Data Processing, with effect from 24 April 2019.)
[12] Hereinafter referred to as the Act on Certain Information Society Services or ACISS.
[13] Hereinafter referred to as the ECA.
[14] Hereinafter referred to as the PCIA.
[15] Hereinafter referred to as the Criminal Code or CC.