The year 2014 marked many important milestones in development of cyber security related legislation. The most significant was the adoption of the Cyber Security Act (Act no. 181/2014) and implementing legislation. The Government Decision no. 781 of 19 October 2014 tasked NSA with preparation of the law. The lack of similar legislation in the Czech legal order or those of our foreign partners has led to creation of a unique concept focused on setting up a system of coordination and cooperation among the most important cyber security stakeholders, and on introduction of security measures for protection of information and communication systems of state significance.
Along with the Cyber Security Act, implementing legislation was drafted and adopted, namely Regulation no. 316/2014 on Security Measures, Cyber Security Incidents, Reactive Measures and Reporting Guidelines in the Area of Cyber Security; Regulation no. 317/2014 on Important Information Systems and Their Identification Criteria, drafted jointly with the Ministry of Interior; and the amendment of Government Decision no. 432/2010 of 22 December 2010 on Identification Criteria of Critical Infrastructure, prepared by the Ministry of Interior.
Act no. 181/2014, on Cyber Security
The draft law, prepared in cooperation with academia, the private sector and other state institutions, was adopted by the Government on 2 January 2014 and by the end of June 2014 had passed all readings in the Chamber of Deputies. The deputies made some amendments to the draft, yet the original concept was preserved. It was approved by the Senate on 23 July 2014 and signed into law by the President of the Republic. The Cyber Security Act came into force on 1st January 2015.
The act is based on three pillars with the following focus:
- introduction of preventive security measures for CII and IIS,
- creation of a reporting system for cyber security incidents and for information exchange among main subjects of cyber security in the Czech Republic,
- establishment of NSA’s authority in cyber security, including the authority to enact measures in reaction to specific security incidents. The act also provides for functioning of GovCERT.CZ and National CERT.
Regulation no. 316/2014, on Security Measures, Cyber Security Incidents, Reactive Measures and Reporting Guidelines in the Area of Cyber Security
Regulation no. 316/2014, on Security Measures, Cyber Security Incidents, Reactive Measures and Reporting Guidelines in the Area of Cyber Security is an implementing legislative act focused mostly on duties arising from the Cyber Security Act. It defines technical and organizational measures to be introduced by the CII and IIS subjects.
The draft of the Regulation went through a two-round review procedure in order to stimulate the broadest possible discussion and optimization of impacts on public and private entities in the Czech Republic.
On 21 February 2014 the draft was published on NSA website with a call for comments from the expert community. NSA received about 300 comments that were subsequently discussed at a public hearing on 11 April 2014. Once all the comments had been settled and incorporated, the draft was passed on for inter-departmental review until 21 August 2014. The comments received were again settled at a dedicated hearing on 18 September 2014.
After the accepted comments had been incorporated, the draft was sent to the Legislative Council of the Government. On 24 November 2014, the draft was debated in the Working Committee of the Legislative Council of the Government for Administrative Law. Most of those comments related to legislative techniques and did not change the fundamentals of the draft.
Regulation no. 317/2014, on Important Information Systems and Their Identification Criteria
Regulation no. 317/2014, on Important Information Systems and Their Identification Criteria was prepared jointly by NSA and the Ministry of Interior. The draft Regulation was drawn up in the first half of 2014 and after the reciprocal settlement of comments in September 2014 it was sent for inter-departmental review. The authors received comments from 26 entities. The comments dealt mostly with the inclusion of some systems into the Annex no. 1 of the Regulation listing the IIS, or focused on the extent of IIS identification criteria and other legislative and technical aspects of the norm. The comments were settled at meetings held on 6 and 7 November of 2014. On 20 November 2014, the Regulation was passed on to the Working Committee of the Legislative Council of the Government for Administrative Law for discussion. Both regulations were approved on 15 December 2014 and came into force on 1st January 2015.
Government Decree no. 432/2010 of 22 December 2010, on Identification Criteria of Critical Infrastructure
NSA took part in the drafting of Government Decree no. 315/2014 amending Decree no. 432/2010, on Identification Criteria of Critical Infrastructure, in the area of cyber security. Information and communication systems have to fulfil both impact and sectorial criteria in order to be identified as CII. This amendment prepared by the Ministry of Interior came into force along with the Cyber Security Act on 1st January 2015.
ELABORATION OF STRATEGIC POLICY DOCUMENTS FOR CYBER SECURITY OF THE CZECH REPUBLIC
With regard to the elaboration of cyber security conceptual documents, two main achievements should be noted: the new National Strategy of Cyber Security of the Czech Republic and the related Action Plan that further elaborates the Strategy, specifies individual tasks and assigns them to responsible subjects. Upon NSA’s initiative, the Security Strategy of the Czech Republic has been updated in order to better reflect the changes of the security paradigm in bordering regions, the strengthening of the role of non-state actors, and the changing nature of threats, including cyber ones. Among other things, NSA also fulfilled the role of the national cyber security coordinator by providing opinions and comments on various policy proposals regarding the CS, or commenting on legislation with possible cyber security related impact.