Act No. 181 / 2014 Coll.
Act on Cybersecurity and Change of Related Laws (Act on Cybersecurity)
Valid
Effective from 01.01.2015
Contents
PART ONE
TITLE I
§ 1
§ 2
§ 3
§ 3a
TITLE II
§ 4
§ 4a
§ 5
§ 6
§ 6a
§ 7
§ 8
§ 9
§ 10
§ 10a
§ 11
§ 12
§ 13
§ 14
§ 15
§ 15a
§ 16
§ 17
§ 18
§ 19
§ 20
TITLE III
§ 21
TITLE IV
§ 21a
§ 22
§ 22a
§ 22b
§ 22c
TITLE V
§ 23
§ 24
§ 24a
§ 24b
§ 24c
§ 25
§ 26
§ 27
TITLE VI
§ 28
§ 29
§ 30
§ 31
§ 32
§ 33
PART THREE
§ 35
PART FIVE
§ 37
PART SIX
§ 38
181
ACT
of 23 July 2014
on cyber security and the amendment of related acts (Cyber Security Act)
The Parliament has enacted this Act of the Czech Republic:
CYBER SECURITY
BASIC PROVISIONS
Subject matter
(1) This Act regulates the rights and obligations of persons and the competence and powers of public authorities in the field of cyber security.
(2) This Act transposes the relevant European Union legislation6), builds on the directly applicable European Union regulation17) and governs the security of electronic communications networks and information systems.
(3) This Act does not apply to information or communication systems handling classified information.
Definition of terms
For the purposes of this Act:
(a) cyberspace means a digital environment enabling the creation, processing and exchange of information, consisting of information systems and electronic communications services and networks (1);
(b) critical information infrastructure means an element or system of elements of critical infrastructure in the communication and information systems sector2) in the field of cyber security;
(c) information security means ensuring the confidentiality, integrity and availability of information and data;
(d) a significant information system means an information system managed by a public authority which is not a critical information infrastructure or a basic service information system and the impairment of which may limit or significantly jeopardise the exercise of the powers of the public authority;
(e) the administrator of an information system means the authority or person which determines the purpose of processing the information and the conditions for the operation of the information system;
(f) the administrator of a communication system means the authority or person which determines the purpose of the communication system and the conditions for its operation;
(g) the operator of an information or communication system means the authority or person ensuring the functionality of the technical and software means constituting the information or communication system;
(h) a significant network means an electronic communications network (1) providing direct external interconnection with public communications networks or direct connection to critical information infrastructure;
(i) a basic service means a service the provision of which depends on electronic communications networks (7) or information systems and the disruption of which could have a significant impact on the security of social or economic activities in one of the following sectors:
1. energy,
2. transport,
3. banking,
4. financial market infrastructure,
5. health care,
6. water management,
7. digital infrastructure,
8. chemical industry;
(j) a basic service information system means an information system on the functioning of which the provision of the basic service depends;
(k) the operator of a basic service means the authority or person providing the basic service and designated by the National Cyber and Information Security Agency (hereinafter "the Office") pursuant to § 22a; for the purpose of fulfilling the information obligation under the relevant European Union regulation (8), the authorities and persons referred to in § 3 (c) and (d) are also considered operators of a basic service;
(l) a digital service means an information society service under the Act governing certain information society services 9) which consists in the operation of:
1. an online marketplace which enables consumers or sellers to conclude a purchase contract with a seller10) through the online marketplace's website or through a seller's website that uses a service provided by the online marketplace;
2. an Internet search engine which allows searching, in principle, of all websites on the basis of a user query on any topic in the form of a keyword, phrase or other input, and which returns links at which information related to the requested content can be found; or
3. cloud computing which enables access to a scalable and adaptable pool of shareable storage or computing resources; and
(m) the competent authority means the authority competent in the field of cyber security.
The authorities and persons on whom this Act imposes obligations in the field of cyber security are:
(a) a provider of electronic communications services and an entity providing an electronic communications network (1), unless it is an authority or person referred to in (b);
(b) an authority or person providing a significant network, unless it is the administrator or operator of a communication system referred to in (d);
(c) the administrator and the operator of a critical information infrastructure information system;
(d) the administrator and the operator of a critical information infrastructure communication system;
(e) the administrator and the operator of a significant information system;
(f) the administrator and the operator of a basic service information system, unless they are the administrator or operator referred to in (c) or (d);
(g) the operator of a basic service, unless it is the administrator or operator referred to in (f); and
(h) a digital service provider.
Representative of the digital service provider
(1) A digital service provider which provides its service in the Czech Republic, is not established in the European Union and has not established a representative in another Member State of the European Union (hereinafter "another Member State") is obliged to establish a representative in the Czech Republic. The representative of a digital service provider is a person established in the Czech Republic who has been authorised by the digital service provider to represent it in relation to obligations under this Act.
(2) If a digital service provider has its seat outside the European Union and has established a representative in the Czech Republic, it is deemed to be established in the Czech Republic and is subject to the obligations under this Act.
(3) Where a digital service provider is established in the Czech Republic or has a representative established there, but the electronic communications networks and information systems it uses are located in another Member State, the Office shall cooperate with the competent authority of that Member State in exercising its competence.
SYSTEM FOR ENSURING CYBER SECURITY
Security measures
(1) A security measure is a set of actions aimed at ensuring information security in information systems and the availability and reliability of services and electronic communications networks (1) in cyberspace.
(2) The authorities and persons referred to in § 3 (c) to (f) are required to introduce and implement security measures to the extent necessary to ensure the cyber security of a critical information infrastructure information system, a critical information infrastructure communication system, a basic service information system and a significant information system.
(3) A digital service provider shall introduce and implement appropriate and proportionate security measures for the electronic communications networks and information systems used in the provision of its service, taking into account information security, the management of cyber security incidents, business continuity management, monitoring, auditing and testing, and compliance with international rules.
(4) The authorities and persons referred to in § 3 (c) to (f) are required to take into account the requirements arising from security measures when selecting a supplier for their information or communication system and to include those requirements in the contract concluded with the supplier. Taking into account the requirements arising from security measures under the first sentence, to the extent necessary to fulfil obligations under this Act, cannot be regarded as an unlawful restriction of competition or an unjustified obstacle to competition.
(5) Before concluding a contract with a cloud computing service provider, a public authority is required to classify the requested cloud computing into a security level, taking into account the nature of the information or communication system concerned, in accordance with the implementing legislation, and to ensure that the security rules for the use of cloud computing services laid down by the Office are complied with and that, upon request and without undue delay, information and data are made available to it by the cloud computing service provider, including the possibility of checking the stored information and data in real time.
(6) The cloud computing service provider and the public authority shall further agree in the contract on the manner and amount of compensation for the costs effectively incurred in implementing the security rules and the customer's security policy.
(7) Taking into account the requirements arising from the security policy, the security rules, the security measures and other conditions agreed in the contract referred to in paragraph 5 which are necessary to fulfil obligations under this Act cannot be regarded as an unlawful restriction of competition or an unjustified obstacle to competition.
(1) Authorities and persons which have become administrators of a critical information infrastructure information or communication system or administrators of a significant information system and which do not operate such a system themselves shall immediately and demonstrably inform the operator of that system of this fact and of the fact that the operator has become an authority or person pursuant to § 3 (c), (d) or (e).
(2) Authorities and persons which have become administrators or operators of a critical information infrastructure information or communication system are required to immediately and demonstrably inform the entity providing the electronic communications network to which their critical information infrastructure information or communication system is connected of this fact and of the fact that that entity has become an authority or person referred to in § 3 (b).
(3) Authorities and persons which have been designated as operators of a basic service pursuant to § 22a and which are not at the same time the administrators or operators of their basic service information systems are obliged to inform the administrator or operator of the basic service information system without delay and demonstrably of their designation and of the fact that the administrator or operator concerned has become an authority or person pursuant to § 3 (f).
(1) Security measures are:
(a) organisational measures; and
(b) technical measures.
(2) The organisational measures are:
(a) the information security management system;
(b) risk management;
(c) security policy;
(d) organisational security;
(e) setting security requirements for suppliers;
(f) asset management;
(g) human resources security;
(h) operations and communications management;
(i) access management;
(j) acquisition, development and maintenance;
(k) the management of cyber security events and cyber security incidents;
(l) business continuity management; and
(m) control and audit.
(3) Technical measures are:
(a) physical security;
(b) a tool for protecting the integrity of communication networks;
(c) a tool for verifying user identity;
(d) a tool for managing access authorisations;
(e) a tool for protection against malicious code;
(f) a tool for recording the activities of the information or communication system, its users and administrators;
(g) a tool for detecting cyber security events;
(h) a tool for collecting and evaluating cyber security events;
(i) application security;
(j) cryptographic means;
(k) a tool for ensuring the level of information availability; and
(l) security of industrial and control systems.
The implementing legislation shall lay down:
(a) the content of the security measures;
(b) the content and structure of the security documentation;
(c) the scope of security measures for the authorities and persons referred to in § 3 (c) to (f);
(d) significant information systems and their defining criteria;
(e) the content and scope of the security rules for public authorities using the services of cloud computing providers, including the security levels for the use of cloud computing by public authorities.
(1) The administrator of a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system may entrust the operation of that system to another authority or person, unless another Act excludes it.
(2) The operator of a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system shall, at the request of the administrator of that system, without undue delay and in an agreed format, transmit the data, operational data and information available to it in connection with the operation of that system. The transmission of data, operational data and information is without prejudice to the provisions of the legislation governing intellectual property rights.
(3) If the operator of a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system ceases to operate that system, it shall transmit to the administrator of that system the data, operational data and information available to it in connection with the operation of that system which are necessary for the possible further operation or other use of that system, and shall securely dispose of copies thereof in its digital environment. The procedure for the disposal of data, operational data, information and copies thereof shall be laid down in the implementing legislation.
(4) The operator of a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system is entitled to reimbursement of the costs effectively incurred in transmitting the data, operational data and information referred to in paragraphs 2 and 3; the costs shall be paid to the operator by the administrator of that system.
Cyber security event and cyber security incident
(1) A cyber security event is an event which may cause a breach of information security in information systems or a breach of the security of services or of the security and integrity of electronic communications networks (1).
(2) A cyber security incident is a breach of information security in information systems or of the security of services or of the security and integrity of electronic communications networks (1) caused by a cyber security event.
(3) The authorities and persons referred to in § 3 (b) to (f) are required to detect cyber security incidents in their significant network, critical information infrastructure information system, critical information infrastructure communication system, basic service information system or significant information system.
Cyber security incident reporting
(1) The authorities and persons referred to in § 3 (b) to (f) are required to report cyber security incidents in their significant network, critical information infrastructure information system, critical information infrastructure communication system, basic service information system or significant information system immediately upon their detection; this is without prejudice to information obligations under other legislation3) or directly applicable European Union law on the protection of personal data (11). Where a cyber security incident has a significant impact on the continuity of the provision of a basic service, the operator of the basic service shall report it to the Office.
(2) A digital service provider shall report without undue delay a cyber security incident with a significant impact on the provision of its services if it has access to the information necessary to assess the significance of that impact.
(3) The authorities and persons referred to in § 3 (b) and (h) report cyber security incidents to the national CERT operator.
(4) The authorities and persons referred to in § 3 (c) to (g) report cyber security incidents to the Office.
(5) The obligation referred to in paragraph 1 is fulfilled by the administrator of a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system also where the cyber security incident has been reported by the operator of that system. The operator of a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system shall inform the administrator of that system of the reported cyber security incidents without undue delay.
(6) The authorities and persons not listed in Section 3 may report cyber security incidents to the national CERT operator or to the Office.
(7) The implementing legislation shall lay down:
(a) the types, categories and assessment of the significance of the impact of the cyber security incident; and
(b) the formalities and means of reporting a cyber security incident.
(8) Where a cyber security incident affecting a digital service provider has a significant impact on the continuity of the provision of a basic service, the operator of that basic service shall report this fact to the Office.
Records
(1) The Office shall keep records of cyber security incidents ("incident records") containing:
(a) a report of a cyber security incident;
(b) identification of the system in which the cybersecurity incident occurred;
(c) data on the source of the cyber security incident; and
(d) the procedure for dealing with the cyber security incident and its outcome.
(2) The incident records shall include the data referred to in § 20 (f) to (h) and (l).
(3) The Office provides data from the incident records to public authorities for the exercise of their responsibilities.
(4) The Office may provide data from the incident records to the national CERT operator, to authorities performing tasks in the field of cyber security abroad and to other persons involved in cyber security, to the extent necessary to ensure the protection of cyberspace.
(1) Employees of the Czech Republic who are involved in the handling of a cyber security incident are bound by an obligation of confidentiality regarding the incident records. The obligation of confidentiality continues after the termination of the employment relationship with the Office.
(2) The Director of the Office may release the persons referred to in paragraph 1 from the obligation of confidentiality regarding the incident records, specifying the scope of the data and the extent of the release.
Information the disclosure of which could jeopardise cyber security or the effectiveness of a measure issued under this Act, or information kept in the incident records from which the authority or person reporting a cyber security incident could be identified, shall not be provided under the legislation governing free access to information.
Measures
(1) Measures are actions necessary to protect information systems or services and electronic communications networks (1) from a threat in the field of cyber security or from a cyber security incident, or to resolve a cyber security incident.
(2) Measures are:
(a) warnings;
(b) reactive measures; and
(c) protective measures.
(3) Reactive measures must be implemented by
(a) the authorities and persons referred to in § 3 (a) and (b) during a state of cyber emergency or a state of emergency (4) declared on the basis of a request pursuant to § 21 (6); and
(b) the authorities and persons referred to in § 3 (c) to (f).
(4) Protective measures must be implemented by the authorities and persons referred to in § 3 (c) to (f).
Warning
(1) The Office shall issue a warning of a threat in the field of cyber security, in particular on its own initiative or at the initiative of the national CERT operator or of authorities performing tasks in the field of cyber security abroad.
(2) The Office shall publish the warning on its website and notify it to the authorities and persons referred to in § 3 whose contact details are kept in the register referred to in § 16 (4).
(3) In order to protect internal order and security, the life and health of persons or the economy of the State, the Office is entitled, after consultation with the authority or person referred to in § 3 (c), (d), (f), (g) or (h) affected by a cyber security incident, to inform the public of the incident or to order that authority or person to do so itself.
Reactive and protective measures
(1) The Office shall issue a decision imposing a reactive measure to resolve a cyber security incident or to secure information systems or electronic communications networks and services (1) against a cyber security incident; this decision is the first act in the proceedings. If the decision cannot be served on the addressee within 3 days of the date of its issue, it shall be served by posting on the official notice board of the Office and becomes enforceable at that moment. The Office may also issue the decision referred to in the first sentence in an on-the-spot procedure under the Administrative Procedure Code.
(2) An appeal (rozklad) against a decision under paragraph 1 does not have suspensory effect.
(3) If a reactive measure to resolve a cyber security incident or to secure information systems or electronic communications networks and services (1) against a cyber security incident is to apply to an unspecified range of authorities or persons, the Office shall issue it in the form of a measure of a general nature.
(4) The authorities and persons referred to in § 3 (a) to (f) are required to notify the Office without undue delay of the implementation of the reactive measure and its outcome. The details of the notification shall be laid down in the implementing legislation.
In order to enhance the protection of information systems or services and electronic communications networks (1), and on the basis of an analysis of an already resolved cyber security incident, the Office shall, as a protective measure, issue a measure of a general nature in which it specifies for the authorities and persons referred to in § 3 (c) to (f) the manner of increasing the protection of information systems or services and electronic communications networks (1) and a reasonable period for its implementation.
(1) A measure of a general nature pursuant to § 13 or § 14 takes effect at the moment of its posting on the official notice board of the Office; § 172 of the Administrative Procedure Code does not apply. The Office shall also inform the authorities and persons referred to in § 3 whose contact details are kept in the register referred to in § 16 (4) of the measure of a general nature.
(2) Comments on a measure of a general nature issued pursuant to § 13 or § 14 may be submitted within 30 days of its publication on the official notice board of the Office. The Office may amend or repeal the measure of a general nature on the basis of the comments submitted.
(1) In the event of an imminent cyber security incident, the Office may, on a proposal from the administrator of a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system which has called in vain on the operator to comply with its obligation to transmit the data, operational data and information available to it in connection with the operation of that system, by decision order the operator of that system to transmit the data, operational data and information available to it in connection with the operation of that system; the proposal shall include a justification of the request in the light of the imminent cyber security incident, a detailed description of the previous dealings between the operator and the administrator of the system, in particular with regard to the non-fulfilment of the operator's contractual obligations, and the possible consequences if the requested data, operational data and information are not transmitted.
(2) The decision imposing the obligation to transmit the data, operational data and information referred to in paragraph 1 is the first act in the proceedings, is enforceable on the date of its service, and an appeal (rozklad) against it does not have suspensory effect.
(3) The reimbursement of the costs incurred by the operator of a critical information infrastructure information system, a critical information infrastructure communication system or a significant information system in transmitting the data, operational data and information referred to in paragraph 1 is governed by § 6a (4) mutatis mutandis.
Contact details
(1) The contact details are:
(a) in the case of a legal person, its name, the address of its registered office and the identification number of the person or a similar number assigned abroad;
(b) in the case of a natural person engaged in business, its commercial firm or name, including any distinguishing supplement or other designation, the address of its registered office and the identification number of the person;
(c) in the case of a public authority, its name, the address of its registered office, the identification number of the person, if assigned, and the identifier of the public authority if no identification number of the person has been assigned to it;
and the details of the natural person authorised to act on behalf of the authority or person referred to in § 3 in matters governed by this Act, namely name, surname, telephone number and e-mail address.
(2) Contact details and changes thereto shall be notified
(a) by the authorities and persons referred to in § 3 (a), (b) and (h) to the national CERT operator; and
(b) by the authorities and persons referred to in § 3 (c) to (g) to the Office.
(3) The authorities and persons referred to in § 3 (c) to (g) shall notify without delay changes only to those data referred to in paragraph 1 which are not reference data kept in the basic registers.
(4) The Office shall keep a register of contact details containing the data referred to in paragraph 1.
(5) In the event of a state of cyber emergency, the Office is entitled to request the contact details collected by the national CERT operator pursuant to paragraph 2 (a).
(6) The Office is also entitled to request from the national CERT operator the contact details of the authorities and persons referred to in § 3 (h) for inspection purposes.
(7) The template for the notification of contact details and its format shall be laid down in the implementing legislation.
National CERT
(1) The national CERT ensures, to the extent provided by this Act, information sharing at national and international level in the field of cyber security.
(2) The national CERT operator
(a) accepts notifications of contact details from the authorities and persons referred to in § 3 (a), (b) and (h) and registers and stores such data;
Regulation Information
| Citation | Act No. 181/2014 Coll., on Cyber Security and Change of Related Laws (Cyber Security Act) |
|---|---|
| Regulation Type | - |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 29.08.2014 |
| Effective from | 01.01.2015 |
| Effective until | - |
| Status | Valid |