Act No. 150 / 2021 Coll.

Act amending Act No. 289 / 2005 Coll., on Military Intelligence, as amended, and certain other laws

Valid Law Effective from 01.07.2021
150
ACT
of 17 March 2021
amending Act No. 289 / 2005 Coll., on Military Intelligence, as amended, and certain other laws
Parliament has enacted the following Act of the Czech Republic:

PART ONE

Amendment to the Military Intelligence Act
Art. I
In Act No. 289 / 2005 Coll., on Military Intelligence, as amended by Act No. 274 / 2008 Coll., Act No. 254 / 2012 Coll., Act No. 273 / 2012 Coll., Act No. 64 / 2014 Coll., Act No. 250 / 2014 Coll., Act No. 47 / 2016 Coll., Act No. 35 / 2018 Coll. and Act No. 205 / 2019 Coll., a new Part Four is inserted after Part Three, including the title and footnotes No. 19 to 22:

„PART FOUR

ACTIVITIES OF MILITARY INTELLIGENCE IN ENSURING THE PROTECTION OF THE CZECH REPUBLIC
§ 16a
Military intelligence activities involved in providing state defence in cyberspace
(1) Military Intelligence shall, under the conditions laid down by this Act, carry out:
(a) targeted detection of cyber attacks and threats of foreign origin 12) and directed against the important interests of the State, the provision of which is the object of the defence of the Czech Republic under the Act on the security of defence of the Czech Republic 19) ("detection"),
(b) identification and evaluation of detected cyber attacks and threats and their impacts (hereinafter referred to as "evaluation"); and
(c) measures to avert detected cyber attacks and threats.
(2) Detection is carried out by Military Intelligence on the basis of indicators of cyber attacks and threats, which allow the detection in cyberspace of the phenomena they define that have been assessed at that time as facts threatening the important interests of the State in cyberspace.
(3) The indicators of cyber attacks and threats are established by Military Intelligence on the basis of:
(a) the data and information obtained by Military Intelligence in the performance of its tasks as a single armed intelligence service of the Czech Republic;
(b) the data and information transmitted by other intelligence services, the National Office for Cyber and Information Security and other State bodies; or
(c) other facts capable of jeopardising the performance of the State's defence functions which are passed on to it.
§ 16b
Cooperation of Military Intelligence in carrying out activities involving the provision of State defence in the cyberspace
(1) Military intelligence shall cooperate with other intelligence services and with other state authorities, the armed forces of the Czech Republic, the Security Corps and legal and natural persons when operating in the field of security or defence.
(2) In ensuring detection, Military Intelligence shall cooperate with legal or natural persons providing a public communications network or providing a publicly available electronic communications service, on the basis of a written cooperation agreement. The cooperation agreement may not provide for the transmission of metadata to a greater extent than is provided for in Section 16d (2).
(3) The cooperation agreement concluded in accordance with paragraph 2 shall include:
(a) the technical and organisational conditions necessary for the implementation of the detection;
(b) the way in which metadata are transmitted on a captured attack or threat; and
(c) the method of determining the amount of costs effectively incurred.
§ 16c
Synergy in detection
Where Military Intelligence does not have a cooperation agreement with a legal or business natural person providing a public communications network or providing a publicly available electronic communications service pursuant to Article 16b (2) and there is a danger of delay, it shall be entitled to request, for the period necessary, cooperation from that person in the targeted search for a particular cyber attack or threat by means of indicators within the scope of security measures already implemented by that person.
§ 16d
Detection tools and operating conditions
(1) Military intelligence may use its own detection tools, which are only placed for detection purposes at designated points in public communications networks, where this is required by an important interest in State defence; and
(a) neither the conclusion nor amendment of the cooperation agreement for the provision of detection pursuant to Article 16b (2) can be achieved with the effort required; or
(b) the provision of detection under the cooperation agreement concluded under Article 16b (2) is not effective.
(2) The detection tool records metadata
(a) describing the information and context necessary for the transmission of data, their structure and the time recorded for the operation of public communications networks and publicly available electronic communications services, only to the extent relevant to the detected cyber attack or threat on the basis of specified indicators; the content of the transmitted data is not included;
(b) the operation of the detection tool; and
(c) handling the configuration of the detection tool for the audit of activities carried out by Military Intelligence.
(3) Military intelligence may not use the detection tools referred to in paragraph 1 to perform wiretaps or to record reports under the Electronic Communications Act or to take active action under Paragraph 16f (3).
(4) Military intelligence exclusively performs detection in such a way as to ensure that:
(a) the confidentiality of communications between natural and legal persons in the provision of publicly available electronic communications services, the integrity of public communications networks and the availability of public communications networks and electronic communications services is maintained; and
(b) the performance of the obligations of a legal or business natural person providing a public communications network or providing a publicly available electronic communications service to network users, including the quality of the services provided, is not affected other than to the extent appropriate to the public interest in safeguarding the State's defence.
§ 16e
Ensuring detection conditions
(1) For the purposes of Article 16d (1), the Ministry of Defence requires a legal or business natural person providing a public communications network or providing a publicly available electronic communications service to establish and secure, at specified points of the public communications networks provided by it, an interface for connecting the detection tool.
(2) The basic characteristics of the public communications networks available for the location of the detection tools with a view to ensuring the important interests of the State are laid down by the Government in the central defence plan of the State 20).
(3) In order to fulfil the obligation referred to in paragraph 1, the Ministry of Defence shall, on the basis of a proposal from Military Intelligence drawn up as a measure to ensure the conclusions of the obligations laid down in Article 16a (1) and (2), issue a decision imposing on a legal or business natural person providing a public communications network or providing a publicly available electronic communications service an obligation to establish and secure an interface for the connection of the detection tools at the designated point of the public communications network and to maintain the location and operation of those tools.
(4) The decision referred to in paragraph 3 shall include, in addition to the formalities laid down in the administrative rules, the following:
(a) determining the period for which the detection tool is to be operated at the designated point; and
(b) the period within which a legal or business natural person providing a public communications network or providing a publicly available electronic communications service is required to establish interfaces for the connection of the detection tool at specified points of the public communications network provided by it.
(5) The period referred to in paragraph 4 (a) must not exceed 12 months; the Ministry of Defence may extend it by a maximum of six months on a proposal from Military Intelligence.
(6) An appeal (remonstrance) against the decision does not have suspensory effect.
(7) Prior to the decision referred to in paragraph 3, Military Intelligence shall assess whether the connection of the detection tool itself is not a security risk or whether the consequences of such a security risk can be accepted as acceptable in view of the purpose of the connection of a specific detection tool. A document containing the conclusions of such an assessment shall be the basis for the decision referred to in paragraph 3.
(8) Before deciding to extend the period referred to in paragraph 5, the Ministry of Defence shall always assess whether the conditions laid down in Paragraph 16d are met. The decision to extend the time limit shall specify the period during which the detection tool is to be operated at the designated point.
§ 16f
Measures to avert detected cyber attacks and threats
(1) Military intelligence shall, on the basis of the outcome of the evaluation, take measures to avert detected cyber attacks and threats as referred to in paragraph 2 or 3.
(2) Where it identifies a specific cyber attack or threat for which the conditions for active action under Paragraph 16g are not met, it shall immediately forward the information identified for the implementation of further measures to the competent authorities. The information found may also be transmitted to the operator of the national CERT 21) to the extent necessary, if it assesses that this is appropriate for the purpose of ensuring the cyber security of the State. In cases of special consideration, it may also, to the extent necessary, transmit the information to another person who, using it, may implement measures against a cyber attack or threat.
(3) If there is a risk of delay, the Military Intelligence will, under the conditions laid down in Section 16g, take an active action to prevent the detected cyber attack or threat without delay.
§ 16g
Authorisation to perform active intervention in cyberspace
(1) Military intelligence is entitled to take active action only if:
(a) the facts found in the cyberspace indicate the existence of a threat to the important interests of the State to a significant extent;
(b) a cyber attack or threat against important interests of the State persists or is imminent; and
(c) a cyber attack or threat to the important interests of the state cannot be averted in cooperation with the armed forces of the Czech Republic and the active action has been assessed as the only effective way to avert them.
(2) Military intelligence is only authorised to carry out active action after the prior approval of the Minister of Defence.
(3) Military Intelligence shall immediately inform the Government, the National Office for Cyber and Information Security and other intelligence services of the launch of active action.
(4) Military Intelligence shall inform the Minister of Defence and the following of the implementation of active action immediately after its implementation:
(a) the Government,
(b) Chief of General Staff of the Army of the Czech Republic,
(c) the Director of the National Office for Cyber and Information Security; and
(d) other intelligence services.
(5) Paragraph 16h (2) shall apply mutatis mutandis to the content of the information transmitted pursuant to paragraph 4.
(6) If there is no threat to the important interest of the State, the operator of the national CERT 21) may be informed to the extent necessary.
(7) Military intelligence will provide synergies in this field to the National Office for Cyber and Information Security or the Police of the Czech Republic, in the context of its activities and measures involved in the defence of the State in the cyberspace, if they so request, in individual cases, solely for the purposes of their security in the cyberspace; this is without prejudice to the synergy of the performance of all military intelligence activities carried out under this Part against the armed forces of the Czech Republic in securing state defence.
§ 16h
Data and information transmission and / or active intervention records and their storage
(1) Where Military Intelligence, in the framework of ensuring synergies in the implementation of activities involving the provision of State defence in the cyberspace, transfers data and information resulting from the detection and evaluation carried out by it, it shall process a record of such transmission containing the characteristics of the data and information transmitted to the extent of the facts referred to in points (a) to (c) and (e) of paragraph 2, the purpose of the transmission of data and information, as well as data on the time of the transmission of the data and information and the identification data to the addressee of their transmission to the extent of:
(a) the name of the addressee;
(b) the address to which the data and information have been transmitted,
(c) the time-limit for the transmission of data and information to the nearest second;
(d) time-stamp of confirmation of receipt of data and information to the nearest second.
(2) Military intelligence is required to record each active intervention carried out at least to the extent that:
(a) the characteristics of the identified attack or threat against the important interests of the State;
(b) the conclusions of the assessment of the attack or threat against the State's important interests;
(c) the conclusions of the assessment of the admissibility of active intervention;
(d) information on the source of the attack or threat against the State's important interests;
(e) a timescale for the implementation of measures to stop or avert an attack or to eliminate the threat with an accuracy of seconds;
(f) how the intervention is carried out and a description of the organisational and technical measures used;
(g) other facts characterising the execution of the active intervention.
(3) The records referred to in paragraphs 1 and 2 shall be kept by Military Intelligence for a period of 10 years from the date of their processing.
§ 16i
Reports on military intelligence activities involved in securing state defence in cyberspace
(1) Military intelligence shall submit to the President of the Republic and the Government, through the Minister of Defence, once a year a detailed report on the activities and measures of the Military Intelligence involved in ensuring the defence of the State in the cyberspace and an evaluation of its effectiveness.
(2) Military intelligence shall submit a written report to the Defence Minister without delay after the end of the calendar half-year on the state of the tasks which it carries out to ensure the State's defence in the cyberspace during that period.
§ 16j
Inadmissibility of use of data and information for other purposes
The data and information obtained by Military Intelligence in carrying out detection shall not be used for purposes other than the provision of activities involving the provision of State defence, unless otherwise provided for in this Act.
§ 16k
Inspector for Cyber Defence
(1) The Government of the Czech Republic appoints and dismisses the cyber defence inspector on a proposal from the Minister of Defence; the proposal is submitted to the Government of the Czech Republic after its discussion in the Committee of the Chamber of Deputies responsible for security matters.
(2) The Cyber Defence Inspector is appointed for a term of 5 years.
(3) The Cyber Defence Inspector is a professional soldier or an employee included in Military Intelligence and is under the authority of the Minister of Defence, unless otherwise provided for in this Act.
(4) In matters of his service or employment relationship, the Minister of Defence shall act in law on behalf of the Czech Republic.
(5) In carrying out the tasks referred to in Article 16l (1) (a) and (b), the cyber defence inspector is independent and is only bound by the law of the Czech Republic; he is obliged to perform his duties impartially, within the limits of his authority and to refrain from performing it in any way that could jeopardise his impartiality and professionalism.
(6) Military intelligence is required to ensure that the cyber defence inspector is properly, in time and to the extent necessary involved in all matters related to military intelligence activities involved in providing defence of the Czech Republic in the cyberspace, in particular providing him with all necessary information on the implementation of detection and evaluation. Military intelligence also provides material and personnel conditions for the performance of the duties of cyber defence inspector.
(7) The Cyber Defence Inspector will report to the Defence Minister immediately after the end of the calendar half-year on the deficiencies identified by him in the protection of data and information processed by Military Intelligence in the performance of the activities involved in the provision of State defence in the cyberspace; the report also contains proposals for measures to improve the protection of privacy and personal data. In the event of a serious deficiency, the report shall be transmitted by the cyber defence inspector to the Minister of Defence without delay after its detection, including proposals for its removal and the adoption of preventive measures.
§ 16l
Tasks of the cyber defence inspector
(1) The cyber defence inspector shall carry out the following tasks:
(a) verify the correctness of military intelligence procedures in the activities involved in securing State defence in the cyberspace, in so far as they concern data protection and information security;
(b) verify the effectiveness of the measures taken by the Military Intelligence to ensure the protection of data and information processed in the activities involving the Military Intelligence in the defence of the State in the cyberspace, contribute to their deployment in the Military Intelligence activities and propose updating them where appropriate;
(c) in the military intelligence activities involved in providing State defence in the cyberspace, provide advice on request to members of the Military Intelligence in the field of data and information protection;
(d) in order to ensure that the measures taken to protect rights are effective, it shall cooperate with the bodies with which the detection tools referred to in Article 16e have been located.
(2) Legal or business natural persons providing a public communications network or providing a publicly available electronic communications service may contact the cyber defence inspector on all matters relating to the provision of their rights, if they are or might be threatened by military intelligence activities involved in the provision of State defence in the cyberspace.
(3) The Cyber Defence Inspector will investigate the complaint and draw up a report on the basis of the facts found and will inform the Chamber of Deputies and the person who lodged the complaint.
§ 16m
Control of activities involving military intelligence in securing state defence in the cyberspace and screening of related measures
(1) Where the Government, the Chamber of Deputies or an independent control body 22) carries out checks on the activities and measures of the Military Intelligence involved in securing State defence in the cyberspace, Military Intelligence must submit, in particular:
(a) the records referred to in Article 16h; and
(b) other reports necessary to establish the actual situation to the extent necessary to achieve the purpose of the check.
(2) The controllers referred to in paragraph 1 shall be entitled to apply for:
(a) access to audit records of the operation of the detection tool;
(b) access to the file documentation in the case of decision-making on the location of the detection tool; or
(c) the provision of additional data and information related to the subject matter of the check.
(3) When carrying out the check, the controller shall be obliged to respect the rights and legitimate interests of Military Intelligence as well as of third parties on whom obligations have been imposed in connection with the conduct of Military Intelligence activities under this Part.
(4) The control rules shall not apply to the control of military intelligence activities under this Part.
(5) The provisions of Section 41 of the Defence Act of the Czech Republic apply mutatis mutandis to the examination of measures taken by the Military Intelligence in order to ensure the security of activities involved in the defence of the State in cyberspace.
§ 16n
Compensation for damage or non-property damage
(1) Anyone who has suffered damage or non-property damage in connection with the military intelligence activities involved in the defence of the State is entitled to compensation.
(2) A natural or legal person shall also be compensated for damage or non-property damage resulting from the implementation of measures taken by the Military Intelligence in order to carry out an active intervention aimed at eliminating a cyber attack or threat in order to safeguard the State's defence in the cyberspace.
(3) The obligation of the State to compensate for damage or non-property damage referred to in paragraphs 1 and 2 shall not arise in respect of damage or non-property damage caused to the natural or legal person who has caused the attack or threat.
(4) The State is responsible for damage or non-property damage caused by Military Intelligence. The Ministry of Defence, on behalf of the State, provides compensation for damage or non-property damage.
19) Paragraph 2 (1) of Act No. 222 / 1999 Coll., on the Protection of the Czech Republic.
20) Paragraph 2 (a) of Decree No 139 / 2017 Coll., on State Defence Planning.
21) Article 17 of Act No. 181 / 2014 Coll., on Cyber Security.
22) Article 12 of Act No. 153 / 1994 Coll., as amended."
The existing Parts Four to Six shall be renumbered as Parts Five to Seven.

PART TWO

Amendment of the Act on intelligence services of the Czech Republic
Art. II
Act No. 153 / 1994 Coll., on Intelligence Services of the Czech Republic, as amended by Act No. 118 / 1995 Coll., Act No. 53 / 2004 Coll., Act No. 290 / 2005 Coll., Act No. 530 / 2005 Coll., Act No. 80 / 2006 Coll., Act No. 342 / 2006 Coll., Act No. 250 / 2008 Coll., Act No. 170 / 2013 Coll., Act No. 218 / 2009 Coll., Act No. 35 / 2014 Coll., Act No. 227 / 2009 Coll., Act No. 204 / 2015 Coll., Act No. 219 / 2015 Coll., Act No. 51 / 2016 Coll., Act No. 251 / 2017 Coll., Act No. 325 / 2017 Coll.
1. In Article 2, the current text becomes paragraph 1 and the following paragraph 2 is added:
"(2) Military Intelligence is involved, to the extent and in the manner laid down by the Military Intelligence Act 10), in securing the defence of the Czech Republic in cyberspace.
10) Part of Act No. 289 / 2005 Coll., as amended by Act No. 150 / 2021 Coll.
11) Article 3 (2) of Constitutional Act No. 110 / 1998 Coll., on the Security of the Czech Republic."
2. In Paragraph 12 (1), at the end of the text of the first sentence, the words "; Military Intelligence activities involved in securing state defence in cyberspace under the Military Intelligence Act 10) are also subject to control" are added.
3. In Article 12e (1), the second sentence is deleted.
4. In Article 12e (2), at the end of point (b), the comma is replaced by the word "a".
5. In Article 12e (2), point (c) is deleted.
Point (d) shall be renumbered (c).

PART THREE

Amendment to the Electronic Communications Act
Art. III
Act No. 2 / 2011, Act No. 5 / 2011, Act No. 15 / 2011,
1. The following Section 98a is inserted after Paragraph 98, including footnotes 70 to 72:
„§ 98a
(1) A legal or business natural person providing a public communications network or providing a publicly available electronic communications service shall be required, on the basis of a decision issued by the Ministry of Defence under the Military Intelligence Act 70), to establish and secure, at specified points of the public communications network, an interface to connect the detection tool enabling targeted detection of phenomena suggesting the existence of a cyber attack or threat and their identification under the Military Intelligence Act 71).
(2) A legal or business natural person providing a public communications network or providing a publicly available electronic communications service shall, upon request, provide synergies in the targeted search for a cyber attack or threat by means of indicators under the Military Intelligence Act 72) to the extent and through security measures already implemented by that person.
(3) The person referred to in paragraph 1 is not entitled, without the consent of Military Intelligence, to intervene in the connected detection tool or in any way to restrict its functionality; this does not apply if an intervention in the detection tool or the limitation of its functionality is necessary because, in the context of its connection and operation, a condition has arisen which endangers the operation of the public communications network itself, the provision of a publicly available electronic communications service or the health or the lives of natural persons, where there is a risk of delay.
(4) The person referred to in paragraph 1 shall, upon request, be obliged to allow Military Intelligence access to the detection tool located on the public communications network provided for it, and the Military Intelligence shall act in such a way that its activities do not infringe the conditions of performance of duties imposed by law on that person.
(5) For the performance of the duties referred to in paragraph 1, the legal or business natural person shall be entitled to reimbursement from Military Intelligence of the costs effectively incurred. The method for determining the amount of costs effectively incurred, the procedure for claiming them and the method for paying them shall be laid down in implementing legislation.
(6) The person referred to in paragraph 1, as well as other persons involved in the fulfilment of the obligations referred to in paragraphs 1 and 2, shall be obliged to maintain confidentiality regarding all the facts relating to the implementation of the detection and the connection and use of the detection tool. That obligation shall continue after such person ceases to be a person referred to in paragraph 1 or who is involved in the performance of the obligation under the first sentence.
(7) The obligation to maintain confidentiality pursuant to paragraph 6 shall not apply to the provision of information to controllers who carry out checks on military intelligence activities under Part Four of the Military Intelligence Act.
70) § 16e of Act No. 289 / 2005 Coll., as amended by Act No. 150 / 2021 Coll.
71) Article 16a (2) of Act No. 289 / 2005 Coll., as amended by Act No. 150 / 2021 Coll.
72) § 16c of Act No. 289 / 2005 Coll., as amended by Act No. 150 / 2021 Coll."
2. In Paragraph 118, the following paragraph 23 is inserted after paragraph 22:
"(23) A legal or business natural person, as a person providing a public communications network or a publicly available electronic communications service, commits an offence if it:
(a) in contravention of Paragraph 98a (1), fails to establish or secure, at specified points of the public communications networks provided by it, an interface to connect the detection tool in accordance with a decision issued by the Ministry of Defence;
(b) in breach of Paragraph 98a (2), does not provide synergies;
(c) does not allow Military Intelligence access to the detection tool;
(d) tampers with the detection tool or restricts its functionality; or
(e) infringes the obligation to maintain confidentiality pursuant to Paragraph 98a (6)."
Paragraph 23 shall become paragraph 24.
3. In Paragraph 118 (24) (a), the words "or paragraph 14 (ae)" are replaced by the words "paragraphs 14 (ae) or 23 (e)".
4. In Article 118 (24) (b), the words "or 15" are replaced by the words ", 15 or 23 (b), (c) or (d)".
5. In Paragraph 118 (24) (c), the words "or 22" are replaced by the words ", 22 or 23 (a)".
6. In Paragraph 119, the following paragraph 7 is inserted after paragraph 6:
"(7) A natural person involved in the performance of the obligations of a legal or business natural person providing a public communications network or a publicly available electronic communications service commits an offence by violating the obligation to maintain confidentiality pursuant to Paragraph 98a (6)."
Paragraph 7 shall become paragraph 8.
7. In the first sentence of Paragraph 119 (8), "6" is replaced by "7".
8. In Section 150, the following paragraph 7 is added:
"(7) The Ministry of Defence, in cooperation with the Office, shall issue a decree implementing Section 98a (5)."

PART FOUR

Amendment to the Professional Soldiers Act

Regulation Information

Citation: Act No. 150 / 2021 Coll., amending Act No. 289 / 2005 Coll., on Military Intelligence, as amended, and certain other laws
Regulation Type: Law
Author: -
Collection: Code of Laws
Date of Promulgation: 31.03.2021
Effective from: 01.07.2021
Effective until: -
Status: Valid
The regulation text is for informational purposes only.