Decree No. 409/2025 Coll.

Decree on the security measures of a regulated service provider under higher obligations

Status: valid; effective from 01.11.2025
409
DECREE
of 26 September 2025
on the security measures of a regulated service provider under higher obligations
The National Cyber and Information Security Agency lays down, pursuant to § 13(3) of Act No. 264/2025 Coll., on cyber security (hereinafter referred to as "the Act"):

PART ONE

INTRODUCTORY PROVISIONS
§ 1
Subject matter
This Decree implements the relevant legislation of the European Union 1) and, for regulated service providers under higher obligations (hereinafter referred to as "the obliged entity"), lays down the content of security measures and the manner in which they are introduced and implemented.
§ 2
Definition of terms
For the purposes of this Decree:
(a) user means a natural person, a legal person or a public authority that uses assets;
(b) privileged user means a user or another person whose activity on a technical asset may have a significant impact on the security of the regulated service;
(c) administrator means a privileged user or another person who ensures the management, operation, use, maintenance and security of a technical asset;
(d) security policy means a set of principles and rules that determine how the protection of assets is ensured;
(e) risk assessment means the process of identifying, analysing and evaluating risks;
(f) risk management means the process comprising risk assessment, the implementation of risk management measures and risk communication;
(g) information security management system means that part of the obliged entity's management system, based on a risk-based approach, which establishes how information security is set up, introduced, operated, monitored, reviewed, maintained and improved; and
(h) significant supplier means a supplier that provides the obliged entity with a performance that is relevant to ensuring the cyber security of the regulated service.

PART TWO

SECURITY MEASURES

CHAPTER I

Organisational measures
§ 3
Information security management system
The obliged entity shall, within the information security management system,
(a) set the objectives of the information security management system, aimed at ensuring the cyber security of the regulated service;
(b) manage risks in accordance with § 8;
(c) introduce and implement adequate security measures to ensure the cyber security of the regulated service, based on the objectives of the information security management system, the security needs and the risk management;
(d) establish a security policy and security documentation for the management of cyber security, containing the guiding principles, the objectives of the information security management system, the security needs and the rights and obligations relating to information security management, and, on the basis of the security needs and the results of the risk assessment, establish a security policy and security documentation in the other areas referred to in § 6;
(e) ensure that a cyber security audit is carried out in accordance with § 16;
(f) ensure, at least once a year, an evaluation of the effectiveness of the information security management system, which shall include:
1. an evaluation of the objectives of the information security management system aimed at ensuring the cyber security of the regulated service;
2. an assessment of the implementation of the risk management plan prepared pursuant to § 8(1)(g);
3. an evaluation of the status of the information security management system, including a revision of the risk assessment;
4. an assessment of the results of the cyber security audits and cyber security checks carried out;
5. the results of the previous evaluation of the effectiveness of the information security management system carried out under this point;
6. an assessment of the impact of cyber security incidents on cyber security and on the services provided, pursuant to § 15; and
7. an assessment of significant changes pursuant to § 11;
(g) prepare a report on the review of the information security management system on the basis of the evaluation of effectiveness referred to in point (f);
(h) update the information security management system and the relevant documentation on the basis of:
1. findings from cyber security audits and cyber security checks;
2. the results of the evaluation of the effectiveness of the information security management system;
3. the impact of cyber security incidents on the services provided; and
4. significant changes made;
(i) manage the operation and resources of the information security management system and keep records of the activities associated with the information security management system and with risk management; and
(j) establish a process for managing exemptions from the rules laid down in the security policy referred to in point (d).
§ 4
Top management requirements
(1) The statutory body of the obliged entity, or another person or group of persons in a comparable management position at the obliged entity (hereinafter referred to as "senior management"), shall, with regard to the information security management system,
(a) be demonstrably trained in accordance with § 10(3)(a);
(b) ensure that the security policy and the objectives of the information security management system referred to in § 3 are established and are compatible with the strategic direction of the obliged entity;
(c) ensure the integration of the information security management system into the processes of the obliged entity;
(d) ensure the availability of the resources necessary for the information security management system;
(e) inform employees and all persons concerned of the importance of the information security management system and of the importance of achieving compliance with its requirements;
(f) ensure support for achieving the objectives of the information security management system;
(g) lead and support employees in developing the effectiveness of the information security management system;
(h) take part in drawing up the impact analysis pursuant to § 15;
(i) ensure the testing of the business continuity plans, recovery plans and processes associated with the management of cyber security incidents;
(j) promote the continuous improvement of the information security management system;
(k) support the persons holding security roles in promoting cyber security in their areas of responsibility;
(l) ensure that rules are laid down for the identification of administrators and of the persons who will hold security roles;
(m) ensure that confidentiality is maintained by all relevant persons, in particular administrators, persons holding security roles and suppliers; and
(n) ensure that persons holding security roles have the powers necessary to fulfil their roles and the resources, including budgetary means, for fulfilling their roles and related tasks.
(2) Senior management shall demonstrably acquaint itself with:
(a) the report on the review of the information security management system;
(b) the risk assessment report;
(c) the risk management plan;
(d) the results of the impact analysis; and
(e) the results of the cyber security audits and cyber security checks.
(3) Senior management shall set up a cyber security management committee, designate its members and
(a) ensure that a member of senior management or a person delegated by it, and the cyber security manager, are members of the cyber security management committee;
(b) define the rights and obligations of the cyber security management committee and of its members in relation to the information security management system;
(c) ensure that regular meetings of the cyber security management committee are held at least once a year;
(d) ensure that a record is made of the meetings of the cyber security management committee; and
(e) ensure that the cyber security management committee is composed of persons with the competence and authority for the overall management and development of the information security management system and of persons significantly involved in the management and coordination of cyber security activities.
(4) Senior management shall designate the persons who will hold the security roles, including the definition of their rights and obligations in relation to the information security management system:
(a) cyber security manager;
(b) cyber security architect;
(c) asset guarantor; and
(d) cyber security auditor.
(5) Senior management shall ensure that the security roles referred to in paragraph 4(a) and (b) are substitutable.
§ 5
Determination of safety roles
(1) The cyber security manager
(a) is responsible for the management of the information security management system; the performance of this role may be entrusted to a person who has been trained for this activity and who demonstrates competence through at least 3 years of experience in the management of cyber security or information security;
(b) is responsible for regularly informing senior management of:
1. the activities arising from the scope of their responsibility; and
2. the state of the information security management system;
(c) may not be entrusted with the performance of roles responsible for the operation of the technical assets of the regulated service.
(2) The cyber security architect is responsible for ensuring that security measures are introduced in such a way as to ensure a secure architecture of the regulated service; the performance of this role may be entrusted to a person who has been trained for this activity and who demonstrates competence through at least 3 years of experience in designing the implementation of security measures and ensuring a secure architecture.
(3) The asset guarantor is responsible for ensuring the development, use and security of the asset.
(4) The cyber security auditor
(a) is responsible for carrying out cyber security audits; the performance of this role may be entrusted to a person who has been trained for this activity and who demonstrates competence through at least 3 years of experience in carrying out cyber security audits or audits of information security management systems;
(b) ensures that the cyber security audit is impartial; and
(c) shall not be responsible for the performance of other security roles.
§ 6
Security policy management and security documentation
(1) The obliged entity shall establish a security policy for the management of cyber security and shall maintain the security policy and the security documentation for the relevant security measures referred to in § 3 to § 27.
(2) The obliged entity shall comply with the rules and procedures laid down in the security policy and the security documentation referred to in paragraph 1.
(3) The obliged entity shall regularly review the security policy and the security documentation, ensure that they are up to date and incorporate their relevant areas into the operational documentation, rules and procedures.
(4) The obliged entity shall designate the person responsible for the regular review and updating of the security policy and the security documentation referred to in paragraph 3.
(5) The security policy and the security documentation shall be managed in such a way that they are:
(a) available in electronic or paper form;
(b) communicated to the persons concerned within the obliged entity, so that they are acquainted with the rights, obligations and procedures contained therein;
(c) reasonably accessible to the persons concerned;
(d) protected in terms of confidentiality, integrity and availability; and
(e) complete, legible, easily identifiable and traceable in the information they contain.
§ 7
Asset management
The obliged entity shall, following the determination of the scope of cyber security management under § 12 of the Act,
(a) establish a methodology for identifying assets;
(b) establish a methodology for the assessment of assets, including the determination of asset levels, at least to the extent specified in Annex 1 to this Decree;
(c) keep records of the asset guarantors referred to in § 4(4)(c);
(d) assess primary assets in terms of confidentiality, integrity and availability and assign them to the levels referred to in point (b);
(e) when assessing primary assets, assess at least the areas listed in Annex 1 to this Decree;
(f) identify and record the links between assets that affect the security of the regulated service;
(g) assess supporting assets, relying in particular on the identified links to primary assets; and
(h) for the individual asset levels referred to in point (b), establish and implement the protection rules necessary to ensure their confidentiality, integrity and availability, which shall include at least:
1. the permitted ways of using assets;
2. rules for handling assets, including rules for the secure electronic sharing and physical transfer of assets;
3. rules for the classification of information;
4. rules for labelling assets;
5. rules for the management of removable media; and
6. rules for determining how information and data, and copies thereof, are to be disposed of and for the disposal of technical assets that carry information and data, having regard to the asset level, in accordance with Annex 2 to this Decree.
§ 8
Risk management
(1) The obliged entity shall, in risk management following on from § 7,
(a) establish a methodology for the identification and assessment of risks, including the setting of risk acceptability criteria;
(b) when identifying risks, identify the relevant threats and vulnerabilities in relation to the assets and consider at least the categories of threats and vulnerabilities listed in Annex 3 to this Decree;
(c) carry out a risk assessment regularly, at least once a year, and in the event of a significant change identified pursuant to § 11(1)(c), taking into account:
1. the relevant threats and vulnerabilities referred to in point (b), assessing their potential effects on the assets on the basis of the asset assessment referred to in § 7;
2. significant changes;
3. changes to the scope determined pursuant to § 12 of the Act;
4. countermeasures pursuant to § 20 of the Act;
5. cyber security incidents, including those already handled;
6. the results of cyber security audits and cyber security checks;
7. the results of penetration testing and vulnerability scanning; and
8. the results of the evaluation of the effectiveness of the information security management system;
(d) carry out the risk assessment at least within the scope of Annex 4 to this Decree;
(e) prepare a risk assessment report on the basis of the risk assessment carried out pursuant to point (c);
(f) on the basis of the security needs and the results of the risk assessment, draw up a statement of applicability containing an overview of all the security measures required by this Decree, stating which measures:
1. have not been applied, including the justification and an indication of any alternative security measures taken; and
2. have been applied, including the manner of their implementation;
(g) on the basis of the risk assessment carried out pursuant to point (c) and in accordance with the risk acceptability criteria, prepare a risk management plan containing:
1. a description of the security measures for managing the risks;
2. the objectives and benefits of those security measures;
3. the identification of the person ensuring the introduction of those security measures;
4. the human, financial and technical resources envisaged for implementing the security measures;
5. the required date for the introduction of the security measures;
6. a description of the links between the risks and the relevant security measures; and
7. the specific manner of implementing the security measures.
(2) The obliged entity shall introduce security measures in accordance with the risk management plan.
(3) The risk assessment may be ensured in a manner other than that provided for in paragraph 1(c), provided that the obliged entity ensures the same or a higher level of the risk assessment process and complies with point 5 of Annex 4 to this Decree.
(4) The obliged entity may refrain from applying certain security measures provided for in this Decree only on the basis of the risk management carried out.
§ 9
Management of suppliers
(1) The obliged entity shall, when managing suppliers,
(a) lay down rules for suppliers that take into account the requirements of the information security management system;
(b) demonstrably acquaint its suppliers with the rules referred to in point (a) and require compliance with those rules;
(c) manage the risks associated with suppliers;
(d) identify and keep records of its significant suppliers within the meaning of § 2(h);
(e) demonstrably inform its significant suppliers in writing of their inclusion in the records referred to in point (d);
(f) ensure, as part of managing the risks associated with significant suppliers, that the contracts concluded with significant suppliers contain the relevant provisions set out in Annex 5 to this Decree; and
(g) regularly review the performance of the contracts with significant suppliers from the perspective of the information security management system.
(2) The obliged entity shall, in relation to significant suppliers,
(a) carry out, within a selection procedure under the Public Procurement Act 2) or otherwise before the conclusion of the contract, an assessment of the risks related to the performance, within the scope of Annex 4 to this Decree;
(b) set out, within the contractual relationships concluded, the methods and levels of implementation of security measures and determine by contract the content of the mutual responsibility for the introduction and control of security measures;
(c) carry out regular risk assessments and regular checks of the security measures in place for the performance provided, using its own resources or a third party; and
(d) ensure that the risks and deficiencies identified are remedied without undue delay.
(3) The demonstrable information referred to in paragraph 1(e) shall contain:
(a) the identification details of the obliged entity, including an indication that the obliged entity is a regulated service provider under higher obligations;
(b) the name of the regulated service of the obliged entity;
(c) the identification of the supplier concerned; and
(d) a statement that the supplier is a significant supplier of the obliged entity.
§ 10
Human resources security
(1) The obliged entity shall, within human resources security, establish a security awareness development plan, taking into account the status and needs of the information security management system, in order to ensure adequate education and the improvement of security awareness, including the form, content and scope of the instruction and training referred to in paragraph 2.
(2) The obliged entity shall include in the security awareness development plan:
(a) instruction of senior management on its responsibilities and on the security policy, in particular in the areas of the information security management system and risk management;
(b) instruction of users, administrators and persons holding security roles on their obligations and on the security policy;
(c) the necessary theoretical and practical training of users, administrators and persons holding security roles;
(d) rules for creating secure passwords in accordance with § 19; and
(e) the relevant topics listed in Annex 6 to this Decree.
(3) The obliged entity shall, within the development of security awareness, ensure:
(a) instruction of senior management on its responsibilities and on the security policy, in particular in the areas of the information security management system, risk management and business continuity management, in the form of initial and regular training aimed at acquiring the knowledge and skills needed to identify risks and to assess the suitability of the chosen risk management procedures and their impact on the regulated service;
(b) instruction of users, administrators and persons holding security roles on their obligations and on the security policy, in the form of initial and regular training;
(c) regular training of persons holding security roles, based on the current needs of the obliged entity in the field of cyber security; and
(d) regular training and verification of the security awareness of employees in accordance with their job classification or service assignment.
(4) The obliged entity shall, within human resources security,
(a) designate the persons responsible for carrying out the individual activities listed in the security awareness development plan;
(b) ensure, in accordance with the security awareness development plan, the delivery of the instruction and training referred to in paragraph 3;
(c) regularly evaluate the effectiveness of the security awareness development plan and of the instruction, training and other activities related to the improvement of security awareness;
(d) ensure compliance with the security policy by users, administrators and persons holding security roles;
(e) lay down rules and procedures for dealing with breaches by users, administrators and persons holding security roles; and

Regulation information

Citation: Decree No. 409/2025 Coll., on the security measures of a regulated service provider under higher obligations
Regulation type: Decree
Author: -
Collection: Collection of Laws
Date of promulgation: 14.10.2025
Effective from: 01.11.2025
Effective until: -
Status: valid
