Cyber Security Act

22 April 2019


As of April 1, 2018, Act no. 69/2018 Coll. on cyber security and on amendments to certain acts (hereinafter referred to as the “Cyber Security Act”) has come into force.

According to information from the website of the National Security Office of the Slovak Republic, the Cyber Security Act “comprehensively regulates the area of cyber and information security, introduces basic security requirements and measures important for the coordinated protection of information, communication and management systems. At the same time, it transposes the European Directive on Network and Information Security (NIS) into Slovak law.”

The Cyber Security Act requires service providers to implement and comply with specific security processes through modern security technologies and requires them to detect computer security threats in large networks and communications or information systems. Any failure by service providers to fulfill their legal obligations may result in fines of up to EUR 300 000.

The explanatory memorandum to the government bill on Cyber Security Act states, inter alia:

“The National Security Office, as the central state administration body for cyber security, has prepared, on the basis of the approved program declaration of the Government of the Slovak Republic for 2016-2020 and in accordance with the approved Concept of Cyber Security of the Slovak Republic for 2015-2020 and the Action Plan for the Implementation of the Concept of Cyber Security of the Slovak Republic for 2015-2020, a draft law on cyber security and amending certain acts (hereinafter referred to as “the bill”), transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (“the NIS Directive”) into national law.

Networks and information systems play an essential role in free movement and are often interconnected and connected by the Internet as a global tool. The disruption of the network and information systems in one Member State therefore affects other Member States and the European Union as a whole. The resilience of networks and the stability of the information system are essential to the smooth and undisturbed functioning of the European Union's internal market and to credible international cooperation.

The NIS Directive is the first pan-European legislation in the field of cyber security aimed at strengthening the competences of national competent authorities, enhancing their coordination and providing security conditions for key sectors.

The aim of the NIS Directive is to guarantee common security of networks and information systems within the European Union by increasing the security of the Internet and private networks and information systems on which the functioning of economic and societal interests is largely based.

An important player in the field of cyber security in the European Union is the European Network and Information Security Agency (ENISA), which contributes to ensuring a high level of security and, in cooperation with European countries, creates a common culture of network and information security in the European Union.

The obligations of the Member States under the NIS Directive are set at the lowest acceptable level necessary to achieve the required preparedness and to ensure inter-state cooperation based on trust. Member States may take into account their national specificities in the framework of the measures taken, and each Member State shall transpose the NIS Directive in this respect, taking into account the real risks inherent in society.

The NIS Directive in particular:

  • calls for specific types of cyber-responsibility to be assumed, first and foremost, by providers of basic and digital services;
  • introduces security and cyber security incident reporting requirements for the basic service provider and the digital service provider;
  • imposes an obligation on Member States to designate national competent authorities, single points of contact and security teams of cyber security incident handling units (hereinafter referred to as CSIRTs);
  • imposes an obligation on Member States to adopt a national cyber security strategy;
  • establishes a Cooperation Group to promote strategic cooperation and exchange of information between Member States and to build mutual trust;
  • sets up a network of CSIRTs to contribute to building trust between Member States and to promote effective cooperation.

Pursuant to the Cyber Security Act, a cyber security incident is considered to be any event that causes or may cause a breach of information security in information systems or electronic communication services and networks. Service providers are obliged to report cyber security incidents to the National Security Office of the Slovak Republic (“NSA”), which has the status of a national computer incident handling unit with competence for the Slovak Republic (“CSIRT”).

In connection with the Legislative Intent of the Draft Information Security Act, which, in addition to its partial objectives, set out two basic problem areas, namely ensuring protection for public administration information systems and establishing a general legal framework for the protection of the entire digital space of the Slovak Republic, in line with the objectives of the NIS Directive, it can also be stated that the draft law on cyber security addresses all relevant issues in a comprehensive and exhaustive manner.

The preparation of the bill was preceded by a broad expert discussion. In preparation, the National Security Authority organized workshops on the transposition of the NIS Directive into the national legal order, consultations with the academic community and the professional public were held, and relevant working groups were established. The Act was therefore also drafted on the basis of suggestions and consultations with public authorities, which commented on the proposed changes and areas of adjustment, as well as on the basis of suggestions and discussions with representatives of the professional public.

Basic service provider

The identification criteria of the basic service and its providers are specified in the implementing regulation of the National Security Authority, namely in Decree no. 164/2018 Coll. (the “Decree”).

Under the provisions of the Cyber Security Act, the provider of a basic service that exceeds the identification criteria set out in the Decree is obliged to inform the National Security Authority within 30 days of the date on which it exceeded them. The National Security Authority shall subsequently include the basic service in the list of basic services and its provider in the register of basic service providers.

The provider is obliged to adopt and comply with general security measures at least to the extent defined by the Cyber Security Act, and with sectoral security measures where these apply.

If the provider uses a third-party supplier of its network and information system, it is obliged to enter into a contract with that supplier to ensure compliance with the security measures and notification obligations under the Cyber Security Act throughout the term of the delivery contract.

The Cyber Security Act also regulates several reporting obligations towards third parties, the National Security Authority, a law enforcement agency or the police. The obligations of the basic service provider are not limited to notifying the registration of the service and its provider in the relevant register and reporting cyber security incidents. The obligations imposed by the Act are extensive and include the obligation to cooperate with competent authorities in dealing with cyber security incidents, to provide relevant information, to provide evidence for the purpose of criminal proceedings and to report cyber security offenses.

Digital service provider

The Cyber Security Act defines a digital service and its provider. Digital services include online marketplaces, Internet search engines and cloud computing services provided by a legal person or a natural person who is an entrepreneur, provided that it employs at least 50 employees and has an annual turnover or annual balance sheet total of more than EUR 10 000 000.

The digital service provider shall notify the National Security Authority of the start of the provision of digital services. Based on this notice, the digital service will be included in the digital service list and its provider in the digital service provider register.

Like the basic service provider, the digital service provider is obliged to adopt and comply with the relevant security measures, but under separate regulations, for the purpose of managing the risks to the continuity of digital services and the cyber security incident resolution process. In this context, the provider shall assess in particular the security of its networks and information systems, its ability to prevent and deal with cyber security incidents, the means necessary to ensure the continuity of digital services in the event of a cyber security incident, and the compliance of its networks and information systems with security standards.

In addition, the digital service provider is subject to several notification obligations regarding the reporting of cyber security incidents, as well as an obligation to cooperate with the competent authorities in dealing with these incidents.

Sanctions

The National Security Authority supervises compliance with the provisions of the Cyber Security Act. The NSA may impose fines ranging from EUR 300 up to EUR 300 000 where basic service providers or digital service providers breach their obligations or otherwise fail to comply with the requirements laid down in the Cyber Security Act. In any event, the National Security Authority shall assess the seriousness of the administrative offense, in particular the manner in which it was committed, its duration, its consequences and the circumstances in which it was committed.

Conclusion

The Cyber Security Act imposes a wide range of obligations on service providers to prevent and detect cyber security incidents in networks and information systems. It is important to stress that this includes not only the basic notification obligations but also the obligation to deal with cyber security incidents and to cooperate with competent authorities in dealing with them. Basic service providers and digital service providers should pay due attention to these obligations, as failure to comply with them may lead to significant fines.

osobnyudaj.sk, s.r.o. Námestie osloboditeľov 3/A,
040 01 Košice

Non-binding free quote

from € 139 with insurance

We have provided services
to more than
11 500 clients

Free quote

Questions and answers

Dear client, if you have not found
what you are looking for, do not hesitate
to contact us.

To contact