What changes are to be expected in the area of cyber-security

27.02.2016
Company: Deloitte

The December agreements regarding the Network and Information Security Directive (NIS) as well as the agreement reached within the so-called trilogue regarding the General Data Protection Regulation (GDPR) demonstrate that the EU takes the issue of cybersecurity and online seriously.

In its efforts to eliminate security threats, the Czech Republic has long treated protection against an ever-increasing number of cyberattacks as a priority. Even prior to adopting the relevant European NIS directive, the Czech Republic followed the example of Estonia and Hungary and adopted a separate Cybersecurity Act.

The Cybersecurity Act became effective on 1 January 2015. It presents a comprehensive legal framework for the area of cybersecurity that is rather unique within the EU. The act sets out the minimum requirements for cyber-attack prevention with respect to information and communication systems in private companies as well as state authorities that are critical for the operation of the state (eg the information system of the cadastre of real estate, the vehicle registry, the information systems of larger power plants, heating plants, hydro-power plants, gas pipelines etc).

The act defines measures necessary in order to enhance the resilience of such systems against the increasing number of cyberattacks and introduces the obligation to report cybersecurity incidents in order to ensure a fast response. Rather than introducing new processes within the security measures, it is based on the ISO standards that have already been implemented by some liable entities. Instead of placing reliance on severe sanctions for non-compliance, the act relies on mutual trust among liable entities and supervisory bodies, government and national CERT, and their effective cooperation in dealing with potential security incidents.

What changes will the NIS directive bring?

The approval process related to the NIS directive was accompanied by an intensive debate regarding the group of entities to which the directive should apply. In addition to the entities defined by the current legislation (namely the entities of critical information infrastructure defined on the basis of the Cybersecurity Act and amended Regulation No. 432/2010 Coll. on the Criteria for the Determination of the Elements of the Critical Infrastructure), the list of liable entities should now also include key providers of information society services, such as online marketplaces, internet payment gateways, online search engines, and cloud computing services.

Disruption of these services impedes the provision of further critical infrastructure services. However, the obligations should not apply to small enterprises with fewer than 50 employees and a turnover below EUR 10 million. It is anticipated that the application of the NIS directive will be extended to providers of digital infrastructure, such as internet exchange points, DNS service providers, and top-level domain name registries. These elements are, however, already anticipated in the Czech legal framework set out in the Cybersecurity Act.

Mobile operators, on the other hand, which were originally anticipated to become liable entities, should not be included in the group of newly liable entities pursuant to the NIS directive, as they are regulated by separate EU rules. Nevertheless, the EU member states may adopt more stringent measures, which would correspond to the current legal regulation of the Cybersecurity Act, or more precisely, to the delegated legislation by which mobile operators may be included in the group of liable entities.

Owner or operator of critical information infrastructure?

Even pursuant to the current wording of the Cybersecurity Act, it is often fairly difficult to determine who the liable entity of critical information infrastructure is, ie who is responsible for compliance with the obligations stated in the Cybersecurity Act. Is it the owner or the operator of the given element of critical information infrastructure? In fact, the two are not always the same entity. To put it simply, problems arise when a power plant (an element of critical infrastructure) is owned by a different entity from the owner or provider of the information system (an element of critical information infrastructure) that manages the power plant's operation. As a result, when the operation of the information system managing the power plant is eg outsourced, it is not quite clear who the liable entity under the Act is.

The Czech Cybersecurity Act, or rather its explanatory note, anticipates that liable entities shall include anyone who determines the purpose of the relevant system and the terms of its operation, which is typically its owner. The newly evolved situation may thus be solved by negotiations between the potential liable entity and the National Security Authority, which is entitled to determine the liable entity. Further guidance in such situations may be provided by the NIS directive, which states that the liable entity is the critical infrastructure owner (in our example, the owner of the power plant). It would seem optimal to change the wording of the Czech Cybersecurity Act to reflect the spirit of the directive and to clearly define who the liable entity is.

What does reporting incidents and events mean?

In our practice, we often encounter situations where the liable entities are rather uncertain as to which violations of cybersecurity they are to report to the national or government CERT. It is necessary to differentiate between a cybersecurity EVENT and a cybersecurity INCIDENT. An event may result in a breach of information security or service security, or a breach of the security and integrity of electronic communication networks. The Cybersecurity Act introduces the obligation to detect security events; however, the obligation to report to the national or government CERT applies to cybersecurity incidents only. Nevertheless, a security event may easily become a security incident.

A cybersecurity incident is, in fact, an actual breach of information security in information systems, a breach of service security, or a breach of the security and integrity of electronic communication networks that occurs as a result of a cybersecurity event. Entities are expected to keep, for their own use, records of detected security events. However, there are no sanctions for those who fail to meet the detection obligation. Liable entities should, therefore, be aware that there are great differences in the perception of threat level: what one entity considers a low-level threat event may be considered a high-level threat by another. Some low-level threat events may never become security incidents for one entity, for whom they will always remain at the level of a threat, whereas for a different entity the same events may easily become a serious security incident with a notable impact.

The obligation to report incidents is also introduced in the GDPR regulation, however in a slightly different context. The GDPR aims to protect personal data, whereas the NIS directive aims to protect the networks. The GDPR is connected to the obligation of personal data administrators to adopt personal data protection measures (of a similar nature to those stated by the Cybersecurity Act), whereas the NIS directive requires that operators protect networks in order to ensure the provision of services. Even though the two aims may sometimes interweave, there are certain areas where the protective measures may follow different aims.

The same applies to the obligation of reporting incidents. Pursuant to the GDPR, personal data administrators will be obliged to notify the relevant authority of a detected incident within 72 hours after its detection. However, this does not apply to situations where the breach of data security does not pose risks to the rights and freedoms of individuals. It follows that the notification obligation only arises if the rights of individuals are at risk. Pursuant to the NIS directive, however, the obligation to notify an incident arises if a serious disruption of services occurs, ie regardless of the impact in terms of potential leakage or loss of data/information. As a result, an incident may have to be notified pursuant to both the GDPR regulation and the NIS directive, or, on the contrary, only one of them.

It is very likely that the newly adopted EU regulation and the practical experience with the Cybersecurity Act will shortly lead to the Act's amendment. In addition to amendments resulting from the NIS directive, lawmakers could consider defining further criteria for specific areas, eg with respect to legislation in other EU member states (eg the chemical and pharmaceutical industries etc). Certain amendments could also be made in the area of sanctions for violating the Cybersecurity Act, since the NIS directive obliges the member states to introduce sanctions that are effective, adequate and discouraging. It must be pointed out that the current highest possible sanction pursuant to the Cybersecurity Act amounts to CZK 100,000. One needs to ask whether such a sanction really is effective, adequate and discouraging.

Jaroslava Kračúnová +420 246 042 851 jkracunova@deloittece.com
