Decree No. 430 / 2024 Coll.
Ordinance on the competence of information and communication systems and separate electronic equipment, shielding chambers, secure areas and objects to protect against the leak of classified information by compromising radiations and on certain elements of the application for a contract to secure activities (Decree on compromising radiations)
Valid
Order
Effective from 01.01.2025
430
DECREE
of 18 December 2024
on the eligibility of information and communication systems and separate electronic equipment, shielding chambers, secure areas and objects to protect against the leak of classified information by compromising radiation and on certain elements of the request for a contract to secure activity (Decree on compromising radiation)
The National Bureau of Cyber and Information Security shall determine, pursuant to § 34 (7) (a), § 35 (6) (b), § 36 (4) and § 53 (b) to (f) of Act No. 412 / 2005 Coll., on the protection of classified information and on security competence, as amended by Act No. 255 / 2011 Coll., Act No. 205 / 2017 Coll. and Act No. 267 / 2024 Coll. ("the Act"):
INTRODUCTORY PROVISIONS
Subject matter
(1) This decree regulates, following the European Union regulation 1):
(a) certain requirements for an information system consisting of the security of components of the information system against the leakage of classified information of the classification level Confidential or higher by electromagnetic, acoustic or other physical radiation, the unwanted capture and subsequent processing of which may lead to classified information being obtained (hereinafter referred to as "compromising radiation"); and
(b) certain elements of the communication system security project consisting of the fulfilment of security requirements for the security of components of communication systems against the leakage of classified information by compromising radiation.
(2) The order also provides for:
(a) conditions for the safe operation of electrical or electronic equipment which are not part of the information or communication system, processing classified information of confidential or higher ("separate electronic equipment") in terms of security against the leakage of classified information by compromising radiation;
(b) the particulars of the application and of the repeated application for the certification of the shield chamber and the documentation necessary for the certification of the shield chamber;
(c) the manner and conditions for carrying out the certification and repeated certification of the shield chamber and the content of the certification report pursuant to Section 46 (13) of the Act;
(d) a model certificate for the shield chamber;
(e) the particulars of the request for verification of the competence of electrical or electronic equipment which are part of an information or communication system handling classified information of a confidential or higher level (hereinafter referred to as "the information or communication system component"), a separate electronic device, a secure area or an object to protect against the leakage of classified information by compromising radiations (hereinafter referred to as "eligibility") and a way of assessing their competence; and
(f) the details of the application for the conclusion of a contract for the provision of activities under Section 52 of the Act, the purpose of which is to carry out the measurement of the possible leakage of classified information pursuant to Section 45 (4) of the Act and to carry out partial tasks in the verification of the competence of the shield chamber under Section 46 (15) of the Act.
Definition of terms
For the purposes of this decree:
(a) "zone measurement" means the detection of the attenuation of compromising radiation in the environment between the location of the components of the information or communication system or of separate electronic equipment and the limit of the controlled area, and its subsequent evaluation; and
(b) "technical check" means the verification of the competence of secure areas and objects in order to detect the illicit use of technical means of information.
COMPLEMENTARY EQUIPMENT
Information and communication system
Safety requirements for protection against compromising radiation
(1) The components of the information or communication system must be capable of protecting against compromising radiations and must be located in such a way as to prevent unauthorised persons from reading, listening or otherwise obtaining classified information.
(2) The components of the information or communication system shall not contain functional wireless technologies unless otherwise specified in the framework of the verification of competence.
Request for verification of the competence of components of the information or communication system
(1) The request for verification of the competence of components of the information or communication system shall include:
(a) the name and surname of the contact person of the applicant and the contact details, meaning at least his telephone number and e-mail address;
(b) identification of the components of the information or communication system to be verified;
(c) an indication of the classification of classified information to be processed through the information or communication system components; and
(d) a justification for the application which contains the purpose of using the components.
(2) The information service shall only indicate in the request referred to in paragraph 1 the information referred to in points (b) to (d) to such extent as does not jeopardise the performance of its tasks under another legislation.
Method of evaluation of the competence of the components of the information or communication system
(1) The assessment of the competence of the components of the information or communication system shall, as a general rule, be carried out by the National Bureau of Cyber and Information Security by measuring the levels of their compromising radiation and comparing the measured values with the maximum permissible values.
(2) In the framework of the evaluation of eligibility, the National Bureau of Cyber and Information Security shall assess the result of the measurement of levels of compromising radiation of components of the information or communication system carried out by the State authority, by a legal person under Section 60b of the Act or by an entrepreneur under an activity contract concluded with the National Office for Cybersecurity and Information Security pursuant to Section 16, if the measurement has been carried out.
(3) In the course of the evaluation of the competence of the components of the information or communication system, if deficiencies are identified in the protection of classified information against leakage by compromising radiations referred to in paragraph 1, the National Office for Cyber and Information Security shall invite the applicant to remove them.
(4) The outcome of the assessment of eligibility is set out in the decision to verify the competence of the components of the information or communication system.
Separate electronic equipment
(1) The condition for the operation of a separate electronic device is its competence.
(2) Separate electronic equipment shall not contain functional wireless technologies unless otherwise specified in the framework of the verification of competence.
(3) A separate electronic device must be located in such a way as to prevent unauthorised persons from reading, eavesdropping on or otherwise obtaining classified information.
(4) Paragraph 4 and 5 shall apply mutatis mutandis when applying for verification of competence, for the assessment of competence and for the measurement of levels of compromising radiation of separate electronic equipment.
Secure area and object
Request for verification of the capability of the secured area or object
(1) The application for verification of the competence of the secured area or object contains:
(a) the name and surname of the applicant's contact person and contact details;
(b) the number of the business certificate, indicating the appropriate classification level or a copy of the valid business statement, if the applicant is an entrepreneur;
(c) identification of the protected area or object whose competence is to be verified;
(d) an indication of the classification of classified information to be processed in a secure area or object; and
(e) a justification for the request, which shall include the purpose of the use of the secured area or object.
(2) The application shall be accompanied by a report on the outcome of the zone measurement of the secured area or object carried out by the State authority, by a legal person under Section 60b of the Act or by an entrepreneur under an activity contract concluded with the National Office for Cyber and Information Security pursuant to Section 16, if the measurement has been carried out.
(3) The information service shall only indicate in the request referred to in paragraph 1 the information referred to in points (c) to (e) to such extent as does not jeopardise the performance of its tasks under another legislation. The information service shall submit the supporting documents referred to in paragraph 2 only to the extent that it does not jeopardise the performance of its tasks under another legislation.
Assessment of the competence of the secured area or object
(1) The assessment of the competence of the secured area or object is carried out by the National Office for Cyber and Information Security by zone measurement. In a secure area or facility where components of an information or communication system or separate electronic device are installed, which process classified information of the classification level Secret or Top Secret, or, if necessary, within a zone measurement, a technical check shall be carried out in accordance with Section 9.
(2) If deficiencies are identified during the evaluation of the competence of the secured area or object, the National Bureau of Cyber and Information Security shall invite the applicant to remove them and shall set a reasonable time limit.
(3) The outcome of the aptitude assessment is given in the decision on the verification of the competence of the secured area or object.
(4) Where a zone measurement is carried out by a State authority, a legal person under Section 60b of the Act or an entrepreneur under a contract for the provision of activities under Section 52 of the Act, it shall draw up a report on the zone measurement and report the result on request to the National Office for Cyber and Information Security and the applicant.
Technical control
(1) Technical inspection shall be carried out by the National Cyber and Information Security Authority upon completion of the installation of the components of the information or communication system or separate electronic equipment.
(2) Repeated technical control is carried out
(a) where there is a suspicion of a compromise in areas where a technical inspection has already been carried out; or
(b) a change which could have an impact on the protection of classified information, in particular as a result of building modifications to a secure area or object.
Installation of components of the information system, communication system or separate electronic equipment
Safety requirements for installation
(1) The components of the information or communication system or separate electronic equipment must be installed by the information or communication system operator in such a way as to avoid the release of classified information by compromising radiations and an installation record of such installation must be drawn up by the National Cyber and Information Security Office.
(2) The accuracy of the installation of the information or communication system components is verified within the framework of the certification of the information system or the approval of the communication system safety project. Correct installation and installation recording are a condition of safe operation of separate electronic equipment.
(3) Any change in the installation requires a change in the installation record.
(4) In the case of an information or communication system or a separate electronic device operated by the intelligence service, the installation record shall be drawn up by the intelligence service.
Certification of the shield chamber
Shield chamber
To protect classified information of the classification level Confidential or higher against leakage by compromising electromagnetic radiation, a shield chamber may be used, which is an enclosed electromagnetically shielded space preventing the spread of electromagnetic radiation outside that space, certified by the National Office for Cyber and Information Security.
Application for certification of the shield chamber
(1) The application for certification of the shield chamber shall contain:
(a) the name and surname of the applicant's contact person and contact details;
(b) the number of the business certificate, indicating the appropriate classification level or a copy of the valid business statement, if the applicant is an entrepreneur;
(c) markings and indications of the location of the shield chamber; and
(d) the identification data of the manufacturer of the shield chamber.
(2) The application shall be accompanied by a report on the outcome of the part-tasks carried out in the framework of the assessment of the competence of the shield chamber carried out by the State authority, by a legal person under Section 60b of the Act or by an entrepreneur under an activity contract concluded with the National Office for Cyber and Information Security pursuant to Section 16, provided that such partial tasks have been performed.
(3) The information service shall only indicate in the application referred to in paragraph 1 the information referred to in points (c) and (d) to the extent that it does not jeopardise the performance of its tasks under another legislation. The information service shall submit the supporting documents referred to in paragraph 2 only to the extent that it does not jeopardise the performance of its tasks under another legislation.
Method and conditions for carrying out the shield chamber certification
(1) The certification of the shield chamber is carried out by the National Bureau of Cyber and Information Security by measuring and comparing the attenuation properties of the shield chamber with the maximum permissible values.
(2) Measurement of the attenuation properties of the shield chamber may be carried out with the participation of the applicant and, where appropriate, the supplier of the shield chamber.
(3) A report shall be drawn up by the National Office for Cyber and Information Security on the progress and partial results of the certification of the shield chamber, which is the basis for the issue of the certificate.
(4) Where a Member State authority, a legal person under Section 60b of the Act or an entrepreneur performs part of its competence assessment tasks, it shall draw up a report on their results as part of the report referred to in paragraph 3.
(5) If it is verified, in accordance with the procedure referred to in paragraph 1, that the shield chamber has competence, the National Bureau of Cyber and Information Security shall issue a certificate.
(6) The model certificate of the shield chamber is set out in the annex to this decree.
Shield chamber certification report
The certification report shall contain:
(a) an indicative description of the shield chamber, its location and the purpose of its use;
(b) an indication of the classification level of the classified information processed; and
(c) the principles and conditions of use of the shield chamber.
Repeated application for certification of the shield chamber and its method of implementation
(1) The repeated application for certification of the shield chamber contains:
(a) the name and surname of the applicant's contact person and contact details;
(b) the identification of the issued shield chamber certificate, containing its holder, the registration number, the date of issue and the period of validity; and
(c) the identification of the certified shield chamber containing its name, type designation, variant design and its location.
(2) A repeated application for certification shall be accompanied by a report by the applicant on the outcome of the measurement of the attenuation properties of the shield chamber carried out by a State authority, a legal person under Section 60b of the Act or an entrepreneur under an activity contract concluded with the National Office for Cyber and Information Security pursuant to Section 16, if the measurement has been carried out.
(3) The National Cyber and Information Security Authority shall carry out, on the basis of a repeated request for certification, additional verification of the capability of the shield chamber to the extent necessary, and shall issue a certificate if the shield chamber has competence.
(4) The National Cyber and Information Security Authority shall issue a certificate if the applicant can demonstrate that there have been no changes in the shield chamber at the time of the measurement carried out pursuant to Paragraph 13 (1) on the expiry date of the existing certificate.
(5) The information service shall only indicate in the application referred to in paragraph 1 the information referred to in points (b) and (c) to the extent that it does not jeopardise the performance of its tasks under another legislation. The information service shall submit the supporting documents referred to in paragraph 2 only to the extent that it does not jeopardise the performance of its tasks under another legislation.
CONTRACT TO SECURE ACTIVITIES
Forms of the application for the conclusion of an activity contract pursuant to Article 52 of the Act, the purpose of which is to carry out the measurement of the possible release of classified information pursuant to Article 45 (4) of the Act and to carry out the partial tasks of verifying the competence of the shield chamber
(1) The request for the conclusion of a contract with the National Office for Cyber and Information Security to ensure the operation under Section 52 of the Act (hereinafter referred to as "the contract for the operation") contains:
(a) the number of the business certificate, indicating the appropriate classification level, if the applicant is an entrepreneur; and
(b) the name and surname of the applicant's contact person and contact details.
(2) The request referred to in paragraph 1 relating to a contract for the purpose of carrying out the measurement of a possible release of classified information under Paragraph 45 (4) of the Act shall also include:
(a) the identification of the applicant's relevant professional workplace, in particular the subject matter of the activity and the detailed specification of the location of the entrusted workplace, the name and surname of the applicant's contact person and the contact links thereto;
(b) details of the staff assumptions of the workplace for carrying out the required activities, in particular the name and surname of the head of the professional workshop, the name and surname of the other professional staff of the workplace;
(c) a declaration by the responsible person or by his or her authorised person or the Security Director of the level of physical, personnel and administrative security ensured for the professional establishment;
(d) an indication of the level of classification of classified information with which the information system is intended to be handled and the registration number of the information system certificate where the use of a certified information system is necessary for carrying out activities under an activity contract;
(e) details of the technical equipment of the professional workshop needed for carrying out the activities under the contract of performance; and
(f) the condition for drawing up the report on the course and results of the measurements and the condition for notifying the result of the measurements to the applicant for the measurement according to Article 45 (4) of the Act and the National Office for Cyber and Information Security.
(3) The application referred to in paragraph 1 concerning a contract for the performance of part-tasks in the verification of the competence of the shield chamber shall also include:
(a) the address of the location of the workplace carrying out the required activities;
(b) a declaration by the responsible person or by his or her authorised person or the Security Director of compliance with the requirements for the physical and personnel safety of the workplace;
(c) details of the scope of the activities required;
(d) data on the staffing of the required activities; and
(e) the technical and organisational details of the activities required.
TRANSITIONAL AND FINAL PROVISIONS
Transitional provisions
Electrical and electronic equipment, the competence of which has been verified in accordance with Decree No. 523 / 2005 Coll., on the safety of information and communication systems and other electronic devices handling classified information and on the certification of shielding chambers, as amended by Decree No. 453 / 2011 Coll., shall be considered eligible under this legislation according to their nature as:
(a) the components of the information or communication system referred to in Article 3 (1); or
(b) separate electronic equipment as referred to in Article 6 (1).
Entry into effect
This Decree shall take effect on 1 January 2025.
Director:
Ing. Kintr v. r.
Annex
1) Council Decision (EU) 2013 / 488 / EU of 23 September 2013 on the security rules for protecting EU classified information, as amended.
Regulation Information
| Citation | Decree No. 430 / 2024 Coll., on the eligibility of information and communication systems and separate electronic equipment, shielding chambers, secured areas and objects to protect against the leak of classified information by compromising radiation and on certain elements of the request for a contract to secure activities (Decree on compromising radiation) |
|---|---|
| Regulation Type | Order |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 19.12.2024 |
| Effective from | 01.01.2025 |
| Effective until | - |
| Status | Valid |
The regulation text is for informational purposes only.