Decree No. 202 / 2025 Coll.

Decree amending Decree No. 361 / 2016 Coll., on the Security of Nuclear Equipment and Nuclear Material

Status: Valid. Effective from 01.07.2025
202
DECREE
of 18 June 2025
amending Decree No. 361 / 2016 Coll., on Nuclear Equipment and Nuclear Material Security
The State Authority on Nuclear Safety sets out, pursuant to § 236 of Act No. 263 / 2016 Coll., the Atomic Act, as amended by Act No. 83 / 2025 Coll., for the implementation of § 24 (7), § 159 (2), § 159a (5), § 160 (6), § 161 (4) and § 163 (2) (a) to (c) of this Act:
Art. I
Decree No. 361 / 2016 Coll., on the Security of Nuclear Equipment and Nuclear Material, is amended as follows:
1. In the introductory sentence, the words "and (b)" are replaced by the words "to (c)".
2. In Paragraph 1, the word "a" shall be replaced by a comma at the end of point (e).
3. In Article 1, at the end of point (f), the full stop is replaced by a comma and the following points (g) and (h) are added:
"(g) the scope and manner of the security, the continuous development, maintenance and periodic evaluation of the security culture; and
(h) the scope and manner of security of the computer system necessary to manage nuclear safety, the registration of nuclear materials, physical protection and the management of radiological emergencies.";
4. In Article 2 (d):
"(d) subject to a threat to nuclear safety, an object which is capable of being misused for the purpose of theft, sabotage or other unauthorised activities against a nuclear installation or nuclear material which is a weapon, ammunition, explosive, alcoholic drink or other addictive substance, a portable electronic device enabling the processing of information to be affected and to prevent or disrupt the performance of the security functions of the system, construction or component, or any other object which is included in the project basic threat.";
5. In Article 3, the words "must be" are replaced by the word "is", the words "No 1" are inserted after the word "Annex" and the words "No 1" are inserted after the word "Annex".
6. In the title of Section 4, the word "Space" is replaced by the words "Restricted spaces".
7. In Article 6 (a) (5), the word "camera" shall be inserted after the word "equipped," the words "industrial television" shall be deleted and the word "her" shall be replaced by the word "his."
8. In Article 6 (a) (7), the word "camera" shall be inserted after the word "a" and the words "industrial television" shall be deleted;
9. In Articles 6 (b) and (c), 7 (1) (b), 7 (2) and 13 (1), the word "camera" shall be inserted after the word "interference," and the words "industrial television" shall be deleted.
10. In Article 10 (2), the word "protected" shall be inserted after the word "protected", and at the end of the text of the paragraph the words "and entry into such premises shall be permitted only for reasons relating to the performance of the work here." shall be added.
11. In Section 10, the words "and must ensure that they are kept" shall be added at the end of the text of paragraph 5.
12. In Article 12 (4), the words "comparable knowledge of the technology visited" are replaced by the words "knowledge of the systems, structures and components visited."
13. In Article 12 (5), the words "and technical" shall be inserted after the word "organisational".
14. In Paragraph 13 (1), the word "monitoring" is replaced by the word "monitoring."
15. In Article 13 (2), the words "a system of detection of their disruption, a system of industrial television with recording and mechanical means of defence, which must prevent the landing of means of air transport by natural persons, objects and material according to the parameters included in the project basic threat." shall be deleted and the following points (a) to (c) shall be added at the end of the text of the paragraph:
"(a) a system detecting its disruption by means of means for the air transport of natural persons, objects and material according to the parameters included in the project basic threat;
(b) a recording camera system; and
(c) by mechanical means which must slow the attacker's progress from roof to building.";
16. In Article 13 (3), the word "a" is replaced by the word "or" and at the end of the paragraph, the words "and a system of detection" are added.
17. In Article 13 (4), the word "camera" shall be inserted after the word "interference," the word "monitoring" shall be replaced by the word "monitoring" and the words "industrial television" and the second sentence shall be deleted;
18. In Article 18 (1), the word "directly" shall be inserted after the word "lines"; at the end of the paragraph, the words "The technical physical protection system may, on a one-way basis and in a way preventing unauthorised activities, obtain information from the information systems on the site of the nuclear installation designated" and the following points (a) to (c) are added:
"(a) to manage works on nuclear installations;
(b) to manage the authorisation of inputs to that nuclear installation; or
(c) to monitor and register the qualifications of persons entering or moving within the premises of a nuclear installation."
19. In Paragraph 18 (4), the words "must serve solely for the purpose of ensuring physical protection and" shall be replaced by the words "may" and the words "permit" shall be inserted after the words "to ensure physical protection, the management of radiological emergencies, nuclear safety and radiation protection."
20. In Article 19 (1), the words "its unauthorised use" are replaced by the words "breach of its security" and the words "depth" are inserted after the words "integration of computer systems into levels with the same level of security".
21. In Paragraph 19 (2), the words "to be secured" shall be replaced by the words "to be secured";
22. In Paragraph 19 (3), "administrative" is replaced by "organisational."
23. In Articles 19 (3) and 28 (1) (h), the word "administrative" is replaced by "organisational."
24. In Paragraph 19 (4), the word "security" shall be inserted after the word "regular."
25. In Article 19, the following paragraph 5 is added:
"(5) The basic requirements for the security of computer systems and for the separation of computer systems security into different levels referred to in paragraph 1 shall be as set out in Annex 2 to this Decree. In the event that the authorisation holder has fulfilled the requirements for the implementation of security measures for critical infrastructure under the legislation governing cyber security and those requirements comply with those laid down in this Decree, the authorisation holder shall be deemed to have complied with the requirements of this Decree.";
26. In Paragraph 20 (1):
"(1) Since the beginning of construction work on the basis of objects having an impact on nuclear safety, radiation protection, the management of a radiological emergency or security, the construction site of a nuclear installation under construction must be fenced and its physical security must be ensured, the control of the entry of individuals and the check of the entry of means of transport. The perimeter of the nuclear site under construction shall be at least 2.5 m high."
27. In Paragraph 28 (1), the word "a" shall be replaced by a comma at the end of point (h).
28. In Paragraph 28, at the end of paragraph 1, the full stop is replaced by the word "a" and the following point (j) is added:
"(j) a preliminary proposal to ensure computer security in the field of nuclear safety management, nuclear material records, physical protection and management of radiological emergencies against their intentional misuse, which contains the chapters referred to in Annex 2 to this Decree."
29. In Paragraph 28 (2), the word "a" shall be replaced by a comma at the end of point (k).
30. In Paragraph 28, at the end of paragraph 2, the full stop is replaced by the word "a" and the following point (m) is added:
"(m) a proposal for the provision of computer security in the field of nuclear safety management, the registration of nuclear material, the physical protection and management of radiological emergencies against their intentional misuse, which contains the chapters set out in Annex 2 to this Decree."
31. In Article 28 (3) (d), the word "camera" shall be inserted after the word "test" and the words "industrial television" shall be deleted;
32. In Paragraph 28 (3) (e), point 3 is deleted;
Points 4 to 10 shall become points 3 to 9.
33. In Paragraph 28 (3), at the end of point (i), the word "a" is replaced by a comma.
34. In Paragraph 28, at the end of paragraph 3, the full stop is replaced by the word "a" and the following point (k) is added:
"(k) a plan to ensure computer security in the field of nuclear safety management, nuclear material registration, physical protection and management of radiological emergencies against their intentional misuse, which contains the chapters set out in Annex 2 to this Decree.";
35. The following Part Six is inserted after Part Five:

"PART SIX

SECURITY CULTURE
§ 28a
(1) In the context of the establishment, continuous development and maintenance of a culture of security,
(a) a predetermined strategy for its implementation;
(b) designated by the person responsible for ensuring the culture of security as its coordinator;
(c) describe how the establishment and subsequent permanent development and maintenance of a culture of security will be carried out; and
(d) a regular assessment of the level of the security culture is carried out.
(2) In the framework of security implementation, the training and training of the security culture shall be carried out for all personnel and other persons involved in security.
(3) In the framework of the implementation of security, a security culture plan, the content of which is set out in Annex 3 to this Regulation, which will aim at the establishment, continuous development and maintenance of the security culture within the organisation, between all its organisational units, workers and other persons involved in security. The security culture plan shall be submitted to the Authority at least 90 days before the start of the activity on the basis of an authorisation pursuant to § 9 (1) (b) to (e) of the Atomic Act.
(4) In the framework of the implementation of security, human and financial resources must be allocated for the establishment and implementation of a culture plan and its implementation checked on an ongoing basis.
(5) The coordinator of the security culture must oversee the implementation and results of the measures provided for in the security culture plan.
(6) On the basis of the results of a regular assessment of the level of the security culture, if necessary, the following shall occur:
(a) updating the security culture plan; and
(b) setting out measures to strengthen the culture of security.
(7) The update of the culture plan shall be notified to the Authority within 30 days.
§ 28b
In the context of security implementation, it is necessary to ensure that all workers and other persons involved in security participate in the enhancement of the security culture by the following measures:
(a) the protection of classified information and property;
(b) raising awareness of the real threat and importance of security;
(c) the fulfilment of the required security training and training activities and the provision of feedback assessing their benefits and effectiveness;
(d) the implementation of organisational and technical measures for the implementation of security and, where necessary, the proposal for amendments thereto;
(e) enhancing knowledge of security rules and culture;
(f) compliance with the rules on culture of security;
(g) reporting an unusual occurrence or security situation;
(h) providing assistance to managers in their efforts to create a working environment that promotes an increase in the culture of security;
(i) regular provision of feedback to managers and security culture coordinator on the effectiveness of planning, training and satisfaction with working conditions;
(j) by questioning the unusual event of another worker or other person involved in security; and
(k) by encouraging positive security behaviour in others.";
Part six shall be renumbered part seven.
36. The Annex shall be renumbered Annex 1 and Annexes 2 and 3 shall be added, including the headings:

"Annex No 2
REQUIREMENTS TO ENSURE COMPUTER SYSTEMS UNDER LEVEL
The security levels of computer system security are, in accordance with the principle of depth protection and graduated approach, broken down into at least five levels, with Level 1 being the highest level of security, as follows:
Level 1 - important protection and security systems,
Level 2 - control systems, other protection and security systems,
Level 3 - support information systems,
Level 4 - communication and over-block information systems,
Level 5 - office systems.
Basic requirements for the security of computer systems
(a) Technical, physical, personnel and organisational measures for the security of computer systems shall be designed and implemented systematically and in accordance with applicable processes and procedures.
(b) Procedures and usual practice shall be defined for each level of security for computer systems.
(c) Workers must follow the applicable procedures and security procedures.
(d) Workers with the right of access to systems must be sufficiently educated, trained and, where required by law, competent in security.
(e) Workers may only have access to the functions of computer systems they need for their work.
(f) The functionality and interfaces of the systems must be limited in order to reduce overall vulnerability.
(g) Access permissions must be managed, regularly checked and verified.
(h) Computer systems shall be protected against malicious code and its dissemination.
(i) Access to the computer system, including unauthorised access, must be recorded, monitored and secured.
(j) The malfunctioning of the computer system must be monitored continuously and corrective technical measures prepared in advance.
(k) The effectiveness, adequacy of organisational and technical measures to safeguard the computer system and the vulnerability of the computer system must be regularly assessed.
(l) Portable electronic equipment to influence the processing of information and to prevent or disrupt the performance of the security functions of the system, structure or component ("portable electronic equipment") shall be checked in accordance with the applicable security procedure. Based on the vulnerability study carried out, its introduction into demarcated areas must be regulated. Portable electronic equipment which is not used to carry out work shall not be possible to connect to the system.
(m) The security measures for computer systems must be updated regularly in the light of any changes to the security procedures.
(n) The procedures for data backup and recovery must be prepared in advance and the procedures tested regularly.
(o) Portable electronic equipment used for carrying out work activities shall be intended for use at only one level of security.
(p) Physical access to individual parts of the computer system must be limited and managed according to the functions of those parts.
(q) Measures to manage data flows between security levels must be prepared and applied.
(r) Only approved and qualified personnel may make changes to the configuration of the computer system.
The preliminary proposal to ensure computer security in the field of nuclear safety management, nuclear material records, physical protection and the management of radiological emergencies against their intentional misuse [Paragraph 28 (1) (j)], the proposal to ensure computer security in the field of nuclear safety management, nuclear material records, physical protection and management of radiological emergencies against their intentional misuse [Paragraph 28 (2) (m)] and the plan to ensure computer security in the field of nuclear safety management, nuclear material records, physical protection and management of radiological emergencies against their intentional misuse [Paragraph 28 (3) (k)] contain the following chapters:
(a) Organisational arrangements and determination of responsibilities
1. organisational structure,
2. determining the responsibility of persons and the reporting system;
3. a system of regular review and approval procedures;
4. mutual cooperation with other areas such as human resources, the exercise of sensitive activities, physical protection and training.
(b) Threat, vulnerability and compliance management
1. a system for risk assessment, identification and classification of computer systems at individual levels;
2. setting the frequency of evaluation of the computer security plan;
3. self-evaluation procedures;
4. a description of the audit evaluation and the correction of the deficiencies identified;
5. evaluation of compliance with applicable legislation.
(c) Design and management of computer security
1. the foundations of computer security architecture, including the determination of the different levels of computer systems security,
2. computer security measures taken at each level of computer security;
3. identification of computer security requirements for suppliers, including requirements for supply maintenance;
4. an assessment of computer security measures within the life cycle of a nuclear installation.
(d) Computer system management
1. the characteristics of computer systems, their identification, level, location and possible impacts in the event of illegal activities against them;
2. system security configuration,
3. network diagram indicating the data flow with external connection to other computer systems.
(e) Security procedures
1. procedures in the event of an incident in the field of computer system security;
2. a description of the data backup system and its renewal;
3. description of the supply chain;
4. a description of the access control system;
5. a description of the information and communication system;
6. a description of the security of the application system and platforms,
7. description of the monitoring system including the logging system.
(f) Personnel management
1. verification of sensitive activities;
2. carrying out training;
3. the implementation of the training and education system,
4. security incident reporting, including the protection of personnel reporting these events;
5. revocation of access to computer systems in the event of termination of the worker's employment relationship or transfer to another position.

Annex No 3
CONTENTS OF THE SECURITY CULTURE PLAN
The security culture plan shall include the following information:
(a) setting objectives for the establishment, continuous development and maintenance of a level of security culture;
(b) a description of the periodic assessment of the level of the security culture;
(c) a description of the training and training of the security culture;
(d) a description of the measures taken to achieve the objectives set;
(e) identification of the persons responsible for implementing the measures;
(f) the time frame for the implementation of the measures;
(g) identification of the resources for the implementation of the measure;
(h) obstacles to the implementation of the measures;
(i) determining the procedure for implementing the measures;
(j) the expected results of the measure."
Art. II
Transitional provisions
1. Any person carrying out security shall draw up and adopt a plan for the culture of security in accordance with Article 28a (4) of Decree No. 361 / 2016 Coll., as effective from the date of entry into force of this Decree, within 1 year of the date of entry into force of that decree.
2. The holder of an authorisation pursuant to § 9 (1) (a) to (e) of the Atomic Act is required to provide an analysis of the needs and the possibility of ensuring physical protection, a preliminary plan to ensure physical protection and a plan to ensure physical protection to comply with the requirements for these documents set out in Decree No. 361 / 2016 Coll., as effective from the date of entry into force of this decree, within 1 year of the date of entry into force of the decree.
Art. III
Entry into force
This Decree shall take effect on 1 July 2025.
President:
Ing. Drábová, Ph.D., v. r.

Regulation Information

Citation: Decree No. 202 / 2025 Coll., amending Decree No. 361 / 2016 Coll., on Nuclear Equipment and Nuclear Material Security
Regulation Type: -
Author: -
Collection: Code of Laws
Date of Promulgation: 23.06.2025
Effective from: 01.07.2025
Effective until: -
Status: Valid
The regulation text is for informational purposes only.