CSIRTs and CERTs
3. Legislative framework of CSIRT/CERT
3.1. Czech Republic
The legislative framework of CSIRT/CERT teams in the Czech Republic is partly set by the Cybersecurity Act. The act lays down the conditions for the existence of the national and the government CSIRT/CERT team, but it does not restrict the establishment and operation of other CSIRT/CERT teams.
Based on the Cybersecurity Act, two CERT/CSIRT teams, namely national and government, are compulsorily established in the Czech Republic. Each of these teams has the rights and obligations specified by law (Section 17 et seq. of the AoCS).
Teams whose scope is defined by the Cybersecurity Act are obliged to respect the limits set by this act.
3.1.1 National CERT
The national CERT is defined in Section 17 of the AoCS, which provides that:
(1) The national CERT ensures, to the extent stipulated by this act, sharing of information at the national and international level in the field of cybersecurity.
(2) The operator of the national CERT
a) receives notifications of contact details from the authorities and persons referred to in Section 3 (a) and (b) and records and stores these details,
b) receives reports of cybersecurity incidents from the authorities and persons referred to in Section 3 (b) and records, stores and protects these data,
c) evaluates cybersecurity incidents in the case of bodies and persons referred to in Section 3 (b),
d) provides the bodies and persons referred to in Section 3 (a) and (b) with methodological support, assistance and cooperation in the event of a cybersecurity incident,
e) acts as a contact point for the bodies and persons referred to in Section 3 (a) and (b),
f) assesses vulnerabilities in the field of cybersecurity,
g) transmits to the Office data on cybersecurity incidents reported pursuant to Section 8 (3), without stating the notifier,
h) transmits data pursuant to Section 16 (5) and (6) upon request to the Office,
i) acts as a CSIRT in accordance with the relevant European Union legislation [1],
j) informs the relevant authority of another Member State, without disclosing the identity of the notifier, of a cybersecurity incident with a significant impact on the continuity of basic or digital services in that Member State, while informing the Office and safeguarding the notifier's security and business interests,
k) cooperates with CSIRTs of other Member States, and
l) receives reports on cybersecurity incidents from authorities and persons not listed in Section 3, and if its capacities allow it, processes them and provides methodological support, assistance and cooperation to the authorities or persons affected by a cybersecurity incident.
(3) The operator of the national CERT may, in its own name and on its own responsibility, also carry out other economic activity in the field of cybersecurity not regulated by this Act, provided that this activity does not interfere with the fulfilment of the obligations referred to in paragraph 2.
(4) The operator of the national CERT shall, in fulfilling the obligations referred to in paragraph 2, coordinate its activities with the Office.
(5) The operator of a national CERT must act impartially in fulfilling the obligations under paragraph 2.
This provision defines the institution of the national supervisory body, for which the act uses the legislative abbreviation "national CERT", and sets out its activities. The act assumes that the national CERT will usually be run by a person governed by private law, which will enter into a public contract with the NBU and will serve in particular as a joint contact and coordination point for obligated persons under private law. Providers of electronic communications services, entities providing electronic communications networks and entities providing significant networks will fulfil their statutory notification obligations towards this national supervisory body.
Having the functions of the national CERT performed by a private-law body facilitates communication between the national CERT and the obligors who use it as a contact point, since these persons will, as a rule, also be of a private-law nature. The national CERT will also be able to participate in international networks of similar private national supervisory bodies and benefit from the knowledge shared informally within those networks.
Given the meaning and purpose of the act, the presumed private-law character of the national CERT is also appropriate because a private-law operator may act on its own initiative wherever the law does not prohibit it: any activity it undertakes of its own accord is permitted as long as it does not breach a legal obligation. The operator of the national CERT will thus be able, for example, to provide methodological and information assistance to entities outside the personal scope of the act, i.e. persons who do not fall within any category of obligor but who ask for such assistance. The national CERT will further be able to develop its own educational, publishing, research or development activities, etc. The only condition limiting the activities the national CERT undertakes on its own initiative in pursuit of the purpose of this act is that they must not conflict with the fulfilment of the obligations the act imposes on it.
Concerning Section 17 (2) (a), (b), (d) and (e)
Digital service providers are added to the entities with which the national CERT operator communicates and cooperates.
Concerning Section 17 (2) (c)
Digital service providers are added to the entities with which the national CERT operator cooperates, in this case the entities whose cybersecurity incidents it evaluates. This provision mirrors the provision that obliges digital service providers to report cybersecurity incidents to the national CERT operator.
Concerning Section 17 (2) (g)
This is a linguistic adjustment of the provisions and the explicit relation of the obligation to provide information to incidents reported by obliged entities.
Concerning Section 17 (2) (h)
The wording of the provision is clarified and the restriction of situations in which the national CERT transmits the contact details of obligors to the Office is removed.
Concerning Section 17 (2) (i) to (l)
The national CERT (Computer Emergency Response Team) acquires new competencies and related obligations under the directive in this provision. The provision is closely linked to Section 8, which, among other things, regulates the reporting of cybersecurity incidents that have affected the information system of a digital service provider. In this respect, the national CERT is designated, inter alia, as one of the CSIRTs (Computer Security Incident Response Teams) in the Czech Republic; the government CERT (the National Cyber Security Centre, which is part of the NBU) is the second CSIRT within the meaning of the directive, responsible for incidents affecting the security of networks and information systems of designated basic service providers.
CSIRT teams must meet the requirements of Appendix I of the directive, which is fulfilled in the case of a national CERT operated by CZ.NIC by the requirements for the operator of the national CERT set out in Section 18 of the Act and by the content of the public contract which NBU entered into with it pursuant to Section 19. This contract pursuant to paragraph 1 of this provision is intended to ensure the fulfilment of activities pursuant to Section 17, i.e. also the new requirements arising from the directive.
Specifically, the act corresponds to the tasks of the CSIRT under the directive as follows:
National CERT: receives reports on cybersecurity incidents, evaluates them, provides methodological support, assistance and cooperation to the entities concerned, acts as a contact point, assesses vulnerabilities in the field of cybersecurity, transmits incident data to the Office, acts as a CSIRT under the directive, cooperates with other CSIRTs, communicates with the relevant authorities of other Member States and, last but not least, receives voluntary reports of cybersecurity incidents. By this it meets the requirements of Appendix I to the Directive:
· Monitoring of incidents at the national level – Section 17 (2) (b), (c), (l)
· Issue of early warnings and alerts, notification and dissemination of information on risks and incidents to relevant stakeholders – Section 17 (2) (d), (e), (g), (j)
· Response to incidents – Section 17 (2) (c), (d)
· Provision of dynamic analysis of risks and incidents and overview of the situation – Section 17 (2) (f)
· Participation in the CSIRT network – at the discretion of the national CERT operator, see further commentary on Section 20.
The obligation to designate at least one CSIRT, responsible for risk and incident handling in accordance with well-defined procedures and meeting the requirements laid down for CSIRTs, follows from Article 9 (1) of the NIS Directive.
The NIS Directive stipulates that this mandatory team must cover at least the sectors listed in Appendix II (sectors and types of entities) and the services listed in Appendix III (types of digital services).
Appendix I of the NIS Directive defines the tasks and requirements for CSIRTs. These tasks and responsibilities according to Appendix I of the NIS include:
1. Requirements for CSIRTs
· CSIRTs shall ensure a high level of availability of their communications services by avoiding single points of failure, and shall have several means for being contacted and for contacting others at all times. In addition, the communication channels must be clearly specified and well known to the cooperating partners and to the entities within the scope of the teams.
· CSIRTs' premises and the supporting information systems must be located in secure sites.
· Business continuity:
o CSIRTs are equipped with an appropriate system for managing and routing requests, in order to facilitate handovers,
o CSIRTs are adequately staffed to ensure availability at all times,
o CSIRTs rely on an infrastructure the continuity of which is ensured. To this end, redundant systems and backup working space must be available.
· CSIRTs must have the possibility to participate, where they wish to do so, in international cooperation networks.
2. Tasks of CSIRTs
· The tasks of CSIRTs include at least:
o monitoring incidents at the national level,
o issuing early warnings and alerts, notifying and disseminating information on risks and incidents to relevant stakeholders,
o response to incidents,
o providing a dynamic analysis of risks and incidents and an overview of the situation,
o participation in the CSIRT network.
· CSIRTs shall establish cooperative relationships with the private sector.
· In order to facilitate cooperation, CSIRTs promote the adoption and use of common or standard procedures in the areas of:
o incident and risk management,
o classification of incidents, risks and information.
The CZ.NIC Association operates the national CSIRT team of the Czech Republic – CSIRT.CZ (for more details see https://csirt.cz/).
Concerning paragraphs (1), (2) and (4)
According to the Cybersecurity Act, the operator of the national CERT:
- receives notifications of contact details from the authorities and persons referred to in Section 3 (a) and (b) of the AoCS and records and stores these details,
- receives reports of cybersecurity incidents from the authorities and persons referred to in Section 3 (b) of the AoCS and records, stores and protects these data,
- evaluates cybersecurity incidents at bodies and persons referred to in Section 3 (b) of the AoCS,
- provides the bodies and persons referred to in Section 3 (a) and (b) of the AoCS with methodological support, assistance and cooperation in the event of a cybersecurity incident,
- acts as a contact point for the bodies and persons referred to in Section 3 (a) and (b) of the AoCS,
- assesses vulnerabilities in the field of cybersecurity,
- transmits to the NUKIB data on cybersecurity incidents reported pursuant to Section 8 (3) of the AoCS without stating the notifier,
- transmits data pursuant to Section 16 (5) and (6) of the AoCS upon request to the NUKIB,
- acts as a CSIRT in accordance with the NIS Directive,
- informs the relevant authority of another Member State, without disclosing the identity of the notifier, of a cybersecurity incident with a significant impact on the continuity of basic or digital services in that Member State, while informing the Office and safeguarding the notifier's security and business interests,
- cooperates with CSIRTs of other Member States,
- receives reports on cybersecurity incidents from other persons not referred to in Section 3 of the AoCS, and if its capacities allow it, processes them and provides methodological support, assistance and cooperation to the authorities or persons affected by a cybersecurity incident.
The scope of activity of the CSIRT.CZ team is the entire address range of the Czech Republic. CSIRT.CZ can be contacted for help by any network administrator who needs assistance with resolving an incident that requires coordinated handling, or who suspects that the incident could have a nationwide impact. More information and instructions on reporting incidents can be found here[2]. The CSIRT.CZ team does not have executive powers; in resolving incidents it acts as a coordinator that can also provide methodological assistance.[3]
Pursuant to Section 17 (4) of the AoCS, the CZ.NIC Association is obliged to coordinate the activities of the national CSIRT team with the activities of NÚKIB.
In addition to the obligations explicitly set out in the Cybersecurity Act, the national CSIRT has set itself other tasks [4], including:
· Information about an infection in the .CZ domain
For the purposes of centrally monitoring and handling threats in second-level domains under .CZ, CSIRT.CZ has developed an open source tracker, Malicious Domain Manager.
The application serves as a central point for collecting and analysing information about malicious URLs in the .CZ domain.
The application supports the history of threats in the domain and direct contact with their holder. Domain holders are contacted from the dedicated address malware@nic.cz.
· Web scanner
A free website penetration testing service is provided, primarily for the non-profit and public sector. Testing consists of automated and manual tests aimed at finding security vulnerabilities in the application. Each security finding is rated by an estimated level of potential risk and accompanied by recommendations for its remediation.
For more details, see https://www.skenerwebu.cz.
· Education and lectures
In cooperation with the CZ.NIC Academy, the courses Computer Security in Practice and Fundamentals of CSIRT Team Operation are regularly implemented. CSIRT.CZ also implements specialised courses for security forces, state and educational institutions or ad hoc lectures.
· Assistance in setting up a CERT/CSIRT team
· Working groups
The CSIRT.CZ team organises regular meetings of security teams and members of the security community in the Czech Republic.
· Stress tests
After the DDoS attacks of 2013, which targeted important services in the Czech Republic, the CZ.NIC Laboratories prepared stress tests of the same or higher intensity than those attacks. In cooperation with CSIRT.CZ, this service is provided free of charge to all interested parties that meet the entry conditions.
· Intrusion Detection System
In cooperation with CESNET Association, CSIRT.CZ operates a system that detects suspicious behaviour of systems connected to the Internet.
When suspicious connection attempts from specific IP addresses are recorded, the responsible administrators are informed of the event without delay (via the e-mail address ids@csirt.cz).
· Operation of honeypots
As part of security research, CSIRT.CZ, in cooperation with the CZ.NIC Laboratories, operates a number of honeypots. Within the Honeynet project, it is possible to find a visualisation of attacks in real time at https://honeymap.cz. Newly detected malware samples are analysed.
· PROKI
Sending information about security incidents that originate from the Czech IP address range.
Concerning paragraphs (3) and (5)
The provision of Section 17 (3) of the AoCS allows the CZ.NIC Association to carry out, in its own name and on its own responsibility, other economic activity in the field of cybersecurity that is not directly regulated by the Cybersecurity Act. The condition is that this further economic activity must not interfere with the performance of the tasks of the national CSIRT.
The CZ.NIC Association is obliged to act impartially in fulfilling the obligations of the national CSIRT team.
Pursuant to Section 18 of the AoCS: (1) Only such a legal entity may become the operator of the national CERT
a) that satisfies the conditions set out in paragraph 2 and
b) with that the Office has entered into a public contract pursuant to Section 19.
(2) The operator of the national CERT may only be a legal entity that
a) does not act or has not acted against the interests of the Czech Republic in the sense of the law regulating the protection of classified information,
b) operates or manages information systems or services and electronic communications networks [5] or has been participating in their operation and management for at least 5 years,
c) has technical prerequisites in the field of cybersecurity,
d) is a member of a supranational organisation operating in the field of cybersecurity,
e) has no arrears recorded in the tax register of the bodies of the Financial Administration of the Czech Republic or the bodies of the Customs Administration of the Czech Republic or in social security premiums and public health insurance premiums,
f) has not been convicted of a criminal offence referred to in Section 7 of the Act on Criminal Liability of Legal Entities and Proceedings Against Them,
g) is not a foreign person under another piece of legislation and
h) has not been established or set up solely for the purpose of making a profit; this does not affect the possibility for the operator of the national CERT to proceed in accordance with Section 17 (3).
(3) The applicant proves the fulfilment of the conditions by submission of
a) a sworn statement in the case of paragraph 2 (a) to (d), (g) and (h) and
b) confirmation from the body of the Financial Administration of the Czech Republic and the Customs Administration of the Czech Republic in the case of paragraph 2 (e).
(4) From the content of the sworn statement according to paragraph 3 (a), it must be clear that the applicant meets the relevant requirements. The confirmation pursuant to paragraph 3 (b) that the applicant has no arrears recorded in the tax register of the bodies of the Financial Administration of the Czech Republic or the bodies of the Customs Administration of the Czech Republic or in social security premiums and public health insurance premiums, may not be older than 30 days. In order to demonstrate the condition referred to in paragraph 2 (f), the Office will request an extract from the Criminal Register in accordance with another legal regulation [6] .
(5) The operator of the national CERT performs activities pursuant to Section 17 (2) (a) to (c), (e) and (g) to (l) free of charge. The operator of the national CERT is obliged to incur the necessary costs for the proper and efficient performance of the activities referred to in Section 17 (2).
(6) The Office will publish on its website data on the operator of the national CERT, namely its business name or name, registered office address, entity’s identification number, data box identifier and address of its website.
This provision sets out the general conditions for the selection of the national CERT operator. At the same time, the method of establishing its obligation to operate a national CERT is regulated in the form of a public law contract entered into with the NBU. The use of the institute of a public contract corresponds to the assumption that the operator of the national CERT will be a person of private law. Although the obligations of the national CERT operator to perform the activities specified in this Act are mainly of a private nature, in relation to providers of electronic communications services, entities providing electronic communications networks and entities providing significant networks, the national CERT operator will act as an entity through which these obligors perform some of their legal obligations, typically the obligation to report contact details and, in the case of entities providing significant networks, also the obligation to report the occurrence of cybersecurity incidents.
Given that the national CERT is an organisation of great importance for the cybersecurity system of the Czech Republic, its operator is required to have its registered office in the Czech Republic. With regard to the security exposure of the national CERT, this requirement cannot be regarded as discriminatory against persons established in other states of the European Union. Integrity, a transparent ownership structure and the absence of outstanding financial obligations to the state are the standard formal conditions required where the state cooperates with a person governed by private law. The act also formulates the material conditions for performing the function of the national CERT operator: the operator must demonstrate the factual skills, experience and technical capabilities to perform the activities imposed on it by this act, as well as the ability to cooperate with foreign entities operating in the field of cybersecurity. The act further requires the operator of the national CERT to perform the activities entrusted to it impartially, regardless of any contractual or other relationship it may have with obligors.
Concerning Section 18 (5)
This provision responds to the extension of the competencies of the national CERT operator in Section 17 and adequately expands the range of activities that the national CERT operator performs free of charge.
Concerning Section 18 (5)
Legislative technical adjustment due to the extension of the competencies of the national CERT operator. In order to ensure the consistent fulfilment of the obligations arising from the Directive and subsequently from the Cybersecurity Act, the obligation of the national CERT is to spend adequate funds on ensuring the exercise of competencies.
Concerning paragraphs (1) and (2)
The operator of the national CERT team is the CZ.NIC association.
The provisions of Section 18 of the AoCS define the conditions under which an entity may become the operator of the national CERT.
The operator of the national CERT can only be a legal entity [7], with which NUKIB (or formerly NBU) has entered into a public law contract [8] (according to Section 19 of the AoCS), and which meets the following conditions:
a) does not act or has not acted against the interests of the Czech Republic in the sense of the law regulating the protection of classified information,
According to Section 2 (b) of the Act on the Protection of Classified Information and on Security Competence, the interest of the Czech Republic means "preserving its constitutionality, sovereignty and territorial integrity, ensuring internal order and security, international obligations and defence, protecting the economy and protecting the life or health of individuals."
b) operates or manages information systems or services and electronic communications networks or has been participating in their operation and management for at least 5 years,
c) has technical prerequisites in the field of cybersecurity,
d) is a member of a supranational organisation operating in the field of cybersecurity,
The requirement to operate one of the systems referred to in (b), the existence of technical prerequisites in the field of cybersecurity and membership in a supranational organisation operating in the field of cybersecurity give the state a guarantee that the person has practical experience with cybersecurity, incident resolution and so on. It is essentially a demonstration of the factual skills, experience and technical capability to perform the activities imposed on the operator by the AoCS.
e) has no arrears recorded in the tax register of the bodies of the Financial Administration of the Czech Republic or the bodies of the Customs Administration of the Czech Republic or in social security premiums and public health insurance premiums,
f) has not been convicted of a criminal offence referred to in Section 7 of the Act on Criminal Liability of Legal Entities and Proceedings Against Them,
The absence of due financial obligations to the state, as well as proof of integrity, is a standard condition for entering into a contract in the case of cooperation between the state and a person governed by private law.
Section 18 (2) (f) of the Act on Cybersecurity contains a factual inaccuracy caused by the amendment to Act No. 418/2011 Sb., on the Criminal Liability of Legal Persons and Proceedings against them. In that act, Section 7 originally listed the criminal offences which a legal person may commit. In the currently effective wording, Section 7 contains a negative definition of criminal offences.
The provision of Section 7 of ACLLE (Act on Criminal Liability of Legal Entities) (effective from 1st December 2016) stipulates that a legal person may be criminally liable for the commission of all criminal offences, with the exception of the criminal offences exhaustively listed in this provision.
In addition to defining the scope of criminal offences, the issue of imputability must also be addressed in the case of criminal liability of legal persons. Although a legal person is a fictitious construct, the law generally recognises, in relation to legal persons, their ability to act legally (and therefore illegally), including by attributing fault to them. Fault as a condition of criminal liability is imputed to a legal person if circumstances have arisen pursuant to Section 8 (2) of the Act on Criminal Liability of Legal Entities.
Pursuant to Section 8 (1) of ACLLE, a criminal offence committed by a legal person means an unlawful act committed in its interest or within the scope of its activities, if it was the conduct of
a) a statutory body or a member of a statutory body, or another person in a managerial position within the legal person who is entitled to act on behalf of or for the legal person,
b) a person in a managerial position within the legal person who carries out management or control activities in that legal person, even if he/she/it is not the person referred to in (a),
c) a person who exercises decisive influence over the management of that legal person, if his/her/its conduct was at least one of the conditions giving rise to the consequence that establishes the criminal liability of the legal person, or
d) an employee or a person in a similar position (hereinafter referred to as an "employee") in the performance of his/her duties, even if he/she is not the person referred to in (a) to (c),
provided that the conduct of such a person can be attributed to the legal person pursuant to Section 8 (2) of ACLLE.
g) is not a foreign person under another legal regulation,
According to Section 3024 of the Civil Code, a foreign person is a natural person with a residence or a legal person with a registered office outside the territory of the Czech Republic.
Due to the importance of the national CERT team in the field of cybersecurity in the Czech Republic, it is required that the operator of this team be based in the Czech Republic. This requirement cannot be perceived as discrimination against other persons established in another Member State of the Union.
h) has not been established or set up solely for the purpose of making a profit; this does not affect the possibility for the operator of the national CERT to proceed in accordance with Section 17 (3) of the AoCS.
Concerning paragraphs (3) and (4)
A legal entity wishing to become the operator of a national CERT shall prove the fulfilment of the conditions by submitting a sworn statement [in the case of Section 18 (2) (a) to (d), (g), (h) of the AoCS] and confirmation from the body of the Financial Administration of the Czech Republic and the Customs Administration of the Czech Republic [in the case of Section 18 (2) (e) of the AoCS].
It must be clear from the content of the sworn statement that the applicant meets the relevant requirements. The confirmation that the applicant has no arrears recorded in the tax register of the bodies of the Financial Administration of the Czech Republic or the bodies of the Customs Administration of the Czech Republic or in social security premiums and public health insurance premiums, may not be older than 30 days.
In order to prove the fact that a legal person has not been convicted of a criminal offence, NUKIB will request an extract from the Criminal Register.
Concerning paragraph (5)
The operator of the national CERT performs the activities specified in Section 17 (2) of the AoCS free of charge. Exceptions to the free of charge condition are only the following activities:
· it provides the bodies and persons referred to in Section 3 (a) and (b) of the AoCS with methodological support, assistance and cooperation in the event of a cybersecurity incident,
· it assesses vulnerabilities in the field of cybersecurity.
The operator of the national CERT is obliged to incur the necessary costs for the proper and efficient performance of the activities referred to in Section 17 (2) of the AoCS.
Concerning paragraph (6)
Due to the possibility of contacting the operator of the national CERT team, the data on this operator are published on the NÚKIB website. The following information is published: business name or name, registered office address, entity’s identification number, data box identifier and address of its website.
3.1.2 Government CERT
Government CERT, as part of the Office,
a) receives notifications of contact details from the authorities and persons referred to in Section 3 (c) to (g),
b) receives reports of cybersecurity incidents from the authorities and persons referred to in Section 3 (c) to (g),
c) evaluates data on cybersecurity events and cybersecurity incidents from the critical information infrastructure, the basic service information system, significant information systems and other public administration information systems,
d) provides the bodies and persons referred to in Section 3 (c) to (g) with methodological support and assistance,
e) provides cooperation to the bodies and persons referred to in Section 3 (c) to (g) in the event of a cybersecurity incident and cybersecurity event,
f) receives suggestions and data from the bodies and persons referred to in Section 3 and from other bodies and persons and evaluates these suggestions and data,
g) receives data from the operator of the national CERT and evaluates such data,
h) receives data from authorities acting in the field of cybersecurity abroad and evaluates such data,
i) pursuant to Section 9 (4), provides the operator of the national CERT, bodies acting in the field of cybersecurity abroad and other persons operating in the field of cybersecurity with data from the register of incidents,
j) assesses vulnerabilities in the field of cybersecurity,
k) informs the relevant authority of another Member State, without disclosing the identity of the notifier, of a cybersecurity incident that has a significant impact on the continuity of basic services in that Member State or affects the provision of digital services in that Member State, while maintaining the notifier's security and business interests,
l) receives reports of a cybersecurity incident from authorities and persons not referred to in Section 3; the government CERT processes the reports and, if its capabilities allow it and if it is a cybersecurity incident with a significant impact, it provides methodological support, assistance and cooperation to the authorities or persons affected by the cybersecurity incident,
m) acts as a CSIRT in accordance with the relevant European Union legislation [9] and
n) cooperates with CSIRTs of other Member States.
The government CERT is part of the NBU; its activities are ensured by the National Centre for Cybersecurity, an organisational unit of the NBU. The government CERT is conceived as the central public body and the public "single point of contact" for cybersecurity. Its activities include the receipt of contact data from selected obligors; the receipt of information on the cybersecurity situation, in particular mandatory and voluntary reports of cybersecurity incidents and other data from domestic and foreign public authorities and cooperating entities; and the evaluation of that information. The government CERT also cooperates with selected types of obligors in the event of a cybersecurity incident, cooperates with other bodies and entities ensuring cybersecurity in the Czech Republic and in cooperating or allied states, and evaluates cybersecurity vulnerabilities.
Concerning Section 20 (a), (b), (d) and (e)
Among the entities with which the government CERT communicates and cooperates, new obliged entities are added: operators of basic services and the administrators and operators of basic service information systems.
Concerning Section 20 (c)
The information systems for which the government CERT evaluates data on cybersecurity events and cybersecurity incidents are complemented by information systems on whose operation the provision of basic services depends.
Concerning Section 20 (i)
Legislative technical adjustment resulting from the need to add new letters to this provision.
Concerning Section 20 (j) and (k) to (n)
In this provision the government CERT acquires new competencies, and related obligations, under the NIS Directive. The provision is closely linked to Section 8, which regulates the reporting of cybersecurity incidents.
According to the law as amended by this proposal, the government CERT: receives reports of cybersecurity incidents, evaluates them, provides methodological support, assistance and cooperation to the entities concerned, acts as a contact point, assesses vulnerabilities in the field of cybersecurity, transmits incident data to the NBU (the National Security Authority), acts as a CSIRT under the Directive, cooperates with other CSIRTs, communicates with the relevant authorities of other Member States and, last but not least, receives voluntary reports of cybersecurity incidents.
By this it meets the requirements of Appendix I to the Directive:
· Monitoring of incidents at the national level – Section 20 (b), (c), (f), (g), (l).
· Issuing early warnings and alerts, notifying and disseminating information on risks and incidents to relevant stakeholders – Section 20 (d), (e), (i), (n).
· Response to incidents – Section 20 (d), (e).
· Providing a dynamic analysis of risks and incidents and an overview of the situation – Section 20 (j).
· Participation in the CSIRT network – Section 20 (m).
By fulfilling the role of the CSIRT, the government CERT, which is part of the NBU, will also meet the requirement of Article 12 of the Directive that the CSIRT participate in the CSIRT network. Whether representatives of the national CERT also participate is left to their discretion.
Article 9 of the Directive stipulates that each Member State shall designate one or more CSIRTs, but does not require that representatives of all CSIRTs of a Member State participate in the work of the CSIRT network. Full participation of at least one CSIRT team is therefore sufficient, and this will be fulfilled by representatives of the government CERT. The provision further regulates the procedure of the government CERT where a reported cybersecurity incident has a significant impact on the continuity of the provision of basic services, or an impact on the provision of digital services, in another Member State of the European Union. In such a case, in accordance with Article 14 (5) and, correspondingly, Article 16 (6) of the Directive, the power of the government CERT to inform the relevant authorities of the other Member State of the incident is enshrined.
Article 20 of the Directive provides for the situation in which an entity that has not been designated as an operator of basic services and is not a provider of digital services detects an incident affecting the security of its information systems and seeks to address it. In this case it may voluntarily report the cybersecurity incident to the government CERT and work with the CERT to resolve the situation. The government CERT will process the report and, if its capabilities allow it and the incident is a cybersecurity incident with a significant impact, will provide the same level of support as when a cybersecurity incident is reported to it by an operator of basic services.
The operator of the national CERT is a legal entity with which NUKIB (formerly NBU) has entered into a public law contract (see Section 19 of the AoCS).
Government CERT (GovCERT.CZ – see https://www.govcert.cz/) is established according to law as part of the National Cyber and Information Security Agency (formerly under the responsibility of the NBU).
According to the Cybersecurity Act, the government CERT:
- receives notifications of contact details from the authorities and persons referred to in Section 3 (c) to (g) of the AoCS,
- receives reports of cybersecurity incidents from the authorities and persons referred to in Section 3 (c) to (g) of the AoCS,
- evaluates data on cybersecurity events and cybersecurity incidents from the critical information infrastructure, the basic service information system, significant information systems and other public administration information systems,
- provides the bodies and persons referred to in Section 3 (c) to (g) of the AoCS with methodological support and assistance,
- provides cooperation to the bodies and persons referred to in Section 3 (c) to (g) of the AoCS in the event of a cybersecurity incident and cybersecurity event,
- receives suggestions and data from the bodies and persons referred to in Section 3 of the AoCS and from other bodies and persons and evaluates these suggestions and data,
- receives data from the operator of the national CERT and evaluates such data,
- receives data from authorities acting in the field of cybersecurity abroad and evaluates such data,
- pursuant to Section 9 (4) of the AoCS, provides the operator of the national CERT, bodies acting in the field of cybersecurity abroad and other persons operating in the field of cybersecurity with data from the register of incidents,
- assesses vulnerabilities in the field of cybersecurity,
- informs the relevant authority of another Member State, without disclosing the identity of the notifier, of a cybersecurity incident that has a significant impact on the continuity of basic services in that Member State or affects the provision of digital services in that Member State, while maintaining the notifier's security and business interests,
- receives reports of a cybersecurity incident from authorities and persons not referred to in Section 3 of the AoCS; the government CERT processes the reports and, if its capabilities allow it and if it is a cybersecurity incident with a significant impact, it provides methodological support, assistance and cooperation to the authorities or persons affected by the cybersecurity incident,
- acts as a CSIRT in accordance with Article 9 of the NIS Directive,
- cooperates with CSIRTs of other Member States.
Resolving security incidents is one of the main activities of the government team. When a cybersecurity incident is reported, the government team GovCERT.CZ is ready to help the affected organisation's IT specialists from a technical point of view, including advice on further preventive measures. If it is found that an incident targets more than one entity, GovCERT.CZ is ready to coordinate a joint procedure for its resolution. [10]
In addition to the obligations explicitly set out in the Cybersecurity Act, the government CSIRT has set itself other tasks [11], including:
- Data sharing - in cooperation with various multinational organisations dealing with cybersecurity, GovCERT.CZ obtains a number of reports and data concerning potentially infected information systems in the Czech Republic. As part of its proactive activities it passes this information on to the entities concerned. The shared data are divided into the following projects:
- BotnetFeed – this tool processes data about end stations connected to botnets, obtained from taken-over C&C servers. To identify a potentially infected computer system, the administrator of the relevant IP range is given the IP address and information about the botnet to which it belongs.
- IHAP (Incident Handling Automation Project), MDM (Malicious Domain Manager) – within these projects indicators of compromise (IoCs) are collected from various sources. The most common indicator types include phishing, brute-force attacks, IDS alerts, spam, scanning attempts, exploitation attempts, malware and many others. Based on these data, short reports are prepared which always contain the IP address of the compromised machine and a brief summary of the type of incident.
- Shadowserver – the project is focused on the continuous search for relevant information about vulnerabilities in cyberspace and the occurrence of these vulnerabilities at specific IP addresses.
- Deployment of Honeypots
- Penetration testing
This is an authorised attempt to break into the tested systems. The result is a report on the security vulnerabilities of the tested system, addressed exclusively to its owner, who takes appropriate security measures on the basis of the report.
Another option is vulnerability scanning according to the methodology of OWASP (Open Web Application Security Project).
- Information HUB
On the govcert.cz website it is possible to find information, searches, analyses and articles concerning current threats and vulnerabilities related to systems in the Czech Republic. These documents are supplemented by regular monthly bulletins summarising significant security incidents in the Czech Republic and abroad.
- Education and research activities
- Forensic laboratory and SCADA laboratory
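As an added illustration of the data-sharing workflow described above (BotnetFeed and IHAP/MDM notifications), and not code from GovCERT.CZ or from this page: the Python script below takes feed records of the kind the text describes, routes each observed IP address to the administrator of the most specific IP range containing it (longest-prefix match), and produces the short per-IP report the text mentions, containing only the address and a brief summary of the indicator types. The netblocks, abuse contacts and feed records are constructed sample data; the page does not describe GovCERT.CZ's actual tooling or record formats, and nothing here should be read as such.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (hypothetical netblocks and contacts, not real assignments):
# each managed IP range maps to the abuse contact of the organisation administering it.
NETBLOCKS = {
    "192.0.2.0/24": "abuse@example-isp.cz",
    "198.51.100.0/24": "noc@example-uni.cz",
    "198.51.100.128/25": "soc@example-bank.cz",   # more specific range delegated inside the /24
    "2001:db8:1::/48": "abuse@example-hosting.cz",
}

# Constructed feed records in the shape of the BotnetFeed / IHAP data described in the text:
# one observation per record, keyed by the IP address seen and the indicator category.
FEED = [
    {"ip": "192.0.2.17", "type": "botnet", "detail": "bot family A, C&C callback"},
    {"ip": "192.0.2.17", "type": "scanning", "detail": "tcp/445 sweep"},
    {"ip": "198.51.100.200", "type": "phishing", "detail": "credential harvesting page"},
    {"ip": "198.51.100.9", "type": "brute-force", "detail": "ssh login attempts"},
    {"ip": "2001:db8:1::5", "type": "malware", "detail": "malware distribution URL"},
    {"ip": "203.0.113.4", "type": "spam", "detail": "open relay"},        # not in any managed range
    {"ip": "not-an-ip", "type": "botnet", "detail": "malformed record"},  # must be set aside, not crash
]


def build_table(netblocks):
    """Parse the netblock map once and sort by prefix length, longest first, so that the
    first hit in lookup_contact() is the most specific range (longest-prefix match)."""
    table = [(ipaddress.ip_network(cidr, strict=True), contact)
             for cidr, contact in netblocks.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_contact(ip_text, table):
    """Return the contact responsible for ip_text, or None if the address is malformed
    or lies outside every managed range."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for network, contact in table:
        if ip.version == network.version and ip in network:
            return contact
    return None


def build_reports(feed, netblocks):
    """Group feed records per contact. Returns ({contact: [(ip, "type1, type2"), ...]},
    [records that could not be routed]). Duplicate observations of one IP are merged."""
    table = build_table(netblocks)
    per_contact = defaultdict(lambda: defaultdict(set))
    unrouted = []
    for record in feed:
        contact = lookup_contact(record["ip"], table)
        if contact is None:
            unrouted.append(record)     # kept for manual triage instead of being dropped silently
            continue
        per_contact[contact][record["ip"]].add(record["type"])
    reports = {}
    for contact, ips in per_contact.items():
        reports[contact] = [(ip, ", ".join(sorted(types))) for ip, types in sorted(ips.items())]
    return reports, unrouted


def render(reports):
    """Plain-text notification body per contact: the IP and a brief type summary only,
    no raw logs, matching the 'short report' format the text describes."""
    lines = []
    for contact, entries in sorted(reports.items()):
        lines.append(f"To: {contact}")
        for ip, summary in entries:
            lines.append(f"  {ip}: {summary}")
    return "\n".join(lines)


if __name__ == "__main__":
    reports, unrouted = build_reports(FEED, NETBLOCKS)
    print(render(reports))
    print(f"{len(unrouted)} record(s) not routed (unmanaged range or malformed IP)")
```

The longest-prefix rule is the point worth noticing: 198.51.100.200 falls inside both the university's /24 and the bank's more specific /25, and the notice must go to the bank, not to the parent range holder, or the compromised host is never cleaned up. Records outside every managed range or with an unparseable address are returned separately for manual handling rather than crashing the run or vanishing.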
[1] Article 9 of NIS
[2] Kdy nás kontaktovat. [online]. [cit. 07/07/2018]. Available from: https://www.csirt.cz/page/2632/kdy-nas-kontaktovat/
[3] Služby CSIRT.CZ. [online]. [cit. 07/07/2018]. Available from: https://csirt.cz/page/2764/sluzby/
[4] All tasks are taken from: Služby CSIRT.CZ. [online]. [cit. 07/07/2018]. Available from: https://csirt.cz/page/2764/sluzby/
[5] Act No. 127/2005 Sb., on Electronic Communications and on the Amendment of Certain Related Acts (the Electronic Communications Act), as amended.
[6] Act No. 269/1994 Sb., on the Criminal Register, as amended.
[7] Pursuant to Section 20 (1) of the Civil Code (CC), a legal person means “an organised entity that the law stipulates has legal personality or whose legal personality is recognised by law. Regardless of the subject of its activity, a legal person may have rights and obligations which are compatible with its legal nature." The state is considered a legal entity in the field of private law. (Section 21 of the CC).
A legal entity can be a person of private or public law, depending on the interest in which the legal entity is established (Section 144 of the CC). From the point of view of civil law, corporations (see Section 210 et seq. of the CC), foundations (see Section 303 et seq. of the CC) and institutes (see Section 402 et seq.) are legal entities.
[8] The use of the institute of a public contract according to Section 160 et seq. of SŘ corresponds to the assumption that the operator of the national CERT will be a person of private law.
[9] See Article 9 of NIS
[10] Poskytované služby. [online]. [cit. 01/08/2018]. Available from: https://www.govcert.cz/cs/vladni-cert/poskytovane-sluzby/
[11] All tasks are taken from: Poskytované služby. [online]. [cit. 07/07/2018]. Available from: https://www.govcert.cz/cs/vladni-cert/poskytovane-sluzby/