
The Law On Cyber Security

Original Language Title: zákon o kybernetické bezpečnosti

181/2014 Sb.



LAW



of 23 July 2014



on cyber security and on amendments to related laws (the Act on Cyber Security)



Parliament has passed the following Act of the Czech Republic:



PART THE FIRST



CYBER SECURITY



TITLE I



BASIC PROVISIONS



§ 1



Subject matter

(1) This Act regulates the rights and obligations of persons and the scope of competence and the powers of public authorities in the field of cyber security.

(2) This Act does not apply to information or communication systems that handle classified information.



Definition of terms



§ 2



For the purposes of this Act,

(a) cyber space means the digital environment allowing the creation, processing and exchange of information, formed by information systems and by electronic communications services and networks ^ 1),

(b) critical information infrastructure means an element or system of elements of critical infrastructure in the sector of communication and information systems ^ 2) in the field of cyber security,

(c) information security means ensuring the confidentiality, integrity and availability of information,

(d) significant information system means an information system managed by a public authority that is not critical information infrastructure and in which a breach of information security may restrict or significantly endanger the performance of the public authority's competence,

(e) administrator of an information system means the authority or person that determines the purpose of the processing of information and the conditions of operation of the information system,

(f) administrator of a communication system means the authority or person that determines the purpose of the communication system and the conditions of its operation, and

(g) important network means an electronic communications network ^ 1) providing a direct foreign connection to public communications networks or providing a direct connection to critical information infrastructure.



§ 3



The authorities and persons on which obligations in the field of cyber security are imposed are

(a) a provider of an electronic communications service and an entity providing an electronic communications network ^ 1), unless it is an authority or person referred to in subparagraph (b),

(b) an authority or person providing an important network, unless it is the administrator of a communication system referred to in subparagraph (d),

(c) the administrator of an information system of critical information infrastructure,

(d) the administrator of a communication system of critical information infrastructure, and

(e) the administrator of a significant information system.



TITLE II



SYSTEM TO ENSURE CYBER SECURITY



Security measures



§ 4



(1) Security measures means the set of actions whose aim is to ensure information security in information systems and the availability and reliability of electronic communications services and networks ^ 1) in cyber space.

(2) The authorities and persons referred to in § 3(c) to (e) are required, to the extent necessary for ensuring cyber security, to introduce and implement security measures for an information system of critical information infrastructure, a communication system of critical information infrastructure or a significant information system, and to keep security documentation on them.

(3) The authorities and persons referred to in § 3(c) to (e) are required to take into account the requirements arising from security measures when selecting suppliers for their information system of critical information infrastructure, communication system of critical information infrastructure or significant information system. Taking into account the requirements arising from security measures under the first sentence, to the extent necessary for the fulfilment of the obligations under this Act, cannot be regarded as an unlawful restriction of competition or an unjustified obstacle to competition.



§ 5



(1) Security measures are

(a) organizational measures and

(b) technical measures.

(2) Organizational measures are

(a) information security management system,

(b) risk management,

(c) security policy,

(d) business security,

(e) determination of security requirements for suppliers,

(f) asset management,

(g) security of human resources,

(h) management of operations and communications of critical information infrastructure or a significant information system,

(i) control of access to critical information infrastructure or to a significant information system,

(j) acquisition, development and maintenance of critical information infrastructure and significant information systems,

(k) handling of cyber security events and cyber security incidents,

(l) business continuity management and

(m) control and audit of critical information infrastructure and significant information systems.

(3) Technical measures are

(a) physical security,

(b) a tool for protecting the integrity of communication networks,

(c) a tool for verifying the identity of users,

(d) a tool for managing access permissions,

(e) a tool for protection against malicious code,

(f) a tool for recording the activities of critical information infrastructure and information systems, their users and administrators,

(g) a tool for the detection of cyber security incidents,

(h) a tool for the collection and evaluation of cyber security events,

(i) application security,

(j) cryptographic means,

(k) assurance of the level of availability of information and

(l) security of industrial and control systems.



§ 6



The implementing legislation lays down

(a) the content of security measures,

(b) the content and structure of security documentation,

(c) the scope of the security measures for the authorities and persons referred to in § 3(c) to (e), and

(d) the significant information systems and their criteria.



Cyber security event and cyber security incident

§ 7

(1) A cyber security event is an event that may cause a breach of information security in information systems, or a breach of the security of services or of the security and integrity of electronic communications networks ^ 1).

(2) A cyber security incident is a breach of information security in information systems, or a breach of the security of services or of the security and integrity of electronic communications networks ^ 1), resulting from a cyber security event.

(3) The authorities and persons referred to in § 3(b) to (e) are required to detect cyber security events in their important network, information system of critical information infrastructure, communication system of critical information infrastructure or significant information system.



§ 8



Reporting of cyber security incidents

(1) The authorities and persons referred to in § 3(b) to (e) are required to report cyber security incidents in their important network, information system of critical information infrastructure, communication system of critical information infrastructure or significant information system, immediately after their detection; this does not affect the obligation to provide information under other legislation ^ 3).

(2) The authorities and persons referred to in § 3(b) report cyber security incidents to the operator of the national CERT.

(3) The authorities and persons referred to in § 3(c) to (e) report cyber security incidents to the National Security Office (hereinafter referred to as "the Office").

(4) The implementing legislation lays down

(a) the types and categories of cyber security incidents and

(b) the elements and method of reporting a cyber security incident.



Registration

§ 9

(1) The Office shall keep a register of cyber security incidents (hereinafter "the register of incidents"), which contains

(a) reports of cyber security incidents,

(b) identification of the system in which the cyber security incident occurred,

(c) the source of the cyber security incident and

(d) the procedure for resolving the cyber security incident and its result.

(2) The data under § 20(f) to (h) are part of the register of incidents.

(3) The Office shall provide data from the register of incidents to public authorities for the performance of their responsibilities.

(4) The Office may provide data from the register of incidents to the operator of the national CERT, to authorities exercising competence in the field of cyber security abroad and to other persons active in the field of cyber security, to the extent necessary to ensure the protection of cyber space.



§ 10



(1) Employees of the Czech Republic assigned to work at the Office who are involved in resolving a cyber security incident are bound by an obligation of confidentiality regarding data from the register of incidents. The obligation of confidentiality continues even after the end of the employment relationship with the Office.

(2) The Director of the Office may release a person referred to in paragraph 1 from the obligation of confidentiality regarding data from the register of incidents, indicating the scope of the data and the scope of the release.



§ 11



Measures

(1) Measures means acts needed to protect information systems or electronic communications services and networks ^ 1) from a threat in the field of cyber security or from a cyber security incident, or to resolve a cyber security incident that has already occurred.

(2) Measures are

(a) warnings,

(b) reactive measures and

(c) protective measures.

(3) Reactive measures must be implemented by

(a) the authorities and persons referred to in § 3(a) and (b), during a state of cyber danger or during a state of emergency ^ 4) on the basis of a request under § 21(6), and

(b) the authorities and persons referred to in § 3(c) to (e).

(4) Protective measures must be implemented by the authorities and persons referred to in § 3(c) to (e).



§ 12



Warning



(1) The Office shall issue a warning if it learns of a threat in the field of cyber security, in particular from its own activities, or on the initiative of the operator of the national CERT or of authorities exercising competence in the field of cyber security abroad.

(2) The Office shall publish the warning on its website and notify it to the authorities and persons referred to in § 3 whose contact details are kept in the register under § 16(4).



Reactive and protective measures



§ 13

(1) The Office shall issue a decision ordering the implementation of reactive measures to resolve a cyber security incident or to secure information systems or electronic communications networks and services ^ 1) against a cyber security incident; this decision is the first act in the proceedings. If the decision cannot be delivered to the addressee in person within 3 days from the date of its issue, it shall be delivered by posting it on the official notice board of the Office, and at that moment it becomes enforceable. The Office may issue the decision referred to in the first sentence in on-the-spot proceedings under the Administrative Procedure Code.

(2) An appeal (rozklad) lodged against the decision referred to in paragraph 1 does not have suspensive effect.

(3) If the reactive measures to resolve a cyber security incident or to secure information systems or electronic communications networks and services ^ 1) against a cyber security incident concern an unspecified group of authorities or persons, the Office shall issue them in the form of a measure of a general nature.

(4) The authorities and persons referred to in § 3 shall without undue delay notify the Office of the implementation of the reactive measures and of its result. The particulars of the notification are laid down by implementing legislation.



§ 14



(1) In order to increase the protection of information systems or electronic communications services and networks ^ 1), the Office shall, on the basis of an analysis of a cyber security incident that has already been resolved, issue protective measures in the form of a measure of a general nature.

(2) In the measure of a general nature, the Office shall lay down for the authorities and persons referred to in § 3(c) to (e) the way of increasing the protection of information systems or electronic communications services and networks ^ 1) and the deadline for its implementation.



§ 15



(1) A measure of a general nature under § 13 or 14 takes effect at the moment it is posted on the official notice board of the Office; the provisions of § 172 of the Administrative Procedure Code shall not apply. The Office shall also inform the authorities and persons referred to in § 3 whose contact details are kept in the register under § 16(4) of the issue of the measure of a general nature.

(2) Comments on a measure of a general nature issued under § 13 or 14 may be submitted within 30 days of the date of its posting on the official notice board of the Office. On the basis of the comments submitted, the Office may amend or cancel the measure of a general nature.



§ 16

Contact details

(1) Contact details are

(a) in the case of a legal person, its business name or name, the address of its registered office, and the identification number of the person or a similar number assigned abroad,

(b) in the case of a natural person who is an entrepreneur, the business name or the name, including any distinguishing addition or other designation, the address of the registered office and the identification number of the person,

(c) in the case of a public authority, its name, address, the identification number of the person, if one has been assigned, and the identifier of the public authority, if it has not been assigned an identification number of the person, and the details of the natural person who is authorized to act on behalf of the authority or person referred to in § 3 in matters governed by this Act, namely the first name, surname, telephone number and electronic mail address.

(2) Contact details and changes to them shall be notified by

(a) the authorities and persons referred to in § 3(a) and (b) to the operator of the national CERT and

(b) the authorities and persons referred to in § 3(c) to (e) to the Office.

(3) The authorities and persons referred to in § 3(c) to (e) shall notify changes only to those details referred to in paragraph 1 that are not reference data in the basic registers, and shall do so immediately.

(4) The Office shall keep a register of contact details, which contains the details referred to in paragraph 1.

(5) During a state of cyber danger, the Office is entitled to request from the operator of the national CERT the contact details collected under paragraph 2(a).

(6) The template of the notification of contact details and its form are laid down by implementing legislation.



§ 17



National CERT



(1) The national CERT ensures, to the extent specified by this Act, the sharing of information at national and international level in the field of cyber security.

(2) The operator of the national CERT

(a) receives notifications of contact details from the authorities and persons referred to in § 3(a) and (b), and records and stores these data,

(b) receives reports of cyber security incidents from the authorities and persons referred to in § 3(b), and records, stores and protects these data,

(c) evaluates cyber security incidents for the authorities and persons referred to in § 3(b),

(d) provides the authorities and persons referred to in § 3(a) and (b) with methodological support, assistance and cooperation when a cyber security incident occurs,

(e) acts as a focal point for the authorities and persons referred to in § 3(a) and (b),

(f) carries out vulnerability assessments in the field of cyber security,

(g) passes data on cyber security incidents to the Office without identifying the notifier of the cyber security incident,

(h) passes to the Office, at its request during a state of cyber danger, the contact details of the authorities and persons referred to in § 3(a) and (b).

(3) The operator of the national CERT may, in its own name and on its own responsibility, carry out other economic activities in the field of cyber security not regulated by this Act, provided that such activity does not interfere with the performance of the duties referred to in paragraph 2.

(4) In performing the duties referred to in paragraph 2, the operator of the national CERT shall coordinate its activities with the Office.

(5) In performing the duties referred to in paragraph 2, the operator of the national CERT shall act impartially.



§ 18

The operator of the national CERT

(1) Only a legal person may become the operator of the national CERT,

(a) which satisfies the conditions referred to in paragraph 2 and

(b) with which the Office has concluded a public-law contract under § 19.

(2) The operator of the national CERT may only be a legal person that

(a) does not act against the interests of the Czech Republic within the meaning of the law governing the protection of classified information,

(b) operates or manages information systems or electronic communications services and networks ^ 1), or takes part in their operation and management, and has done so for at least 5 years,

(c) has the technical capability in the field of cyber security,

(d) is a member of a multinational organization working in the field of cyber security,

(e) has no arrears recorded in the tax records of the authorities of the Financial Administration of the Czech Republic or the authorities of the Customs Administration of the Czech Republic, or in the records of social security insurance premiums or public health insurance premiums,

(f) has not been convicted of an offence referred to in § 7 of the Act on Criminal Liability of Legal Persons and Proceedings against Them,

(g) is not a foreign person under other legislation and

(h) was not founded or established exclusively for the purpose of making a profit; this does not affect the possibility for the operator of the national CERT to proceed under § 17(3).

(3) The candidate shall demonstrate compliance with the conditions by submitting

(a) a statutory declaration in the case of paragraph 2(a) to (d), (g) and (h), and

(b) a confirmation from the authority of the Financial Administration of the Czech Republic and of the Customs Administration of the Czech Republic in the case of paragraph 2(e).

(4) It must be evident from the content of the statutory declaration referred to in paragraph 3(a) that the candidate satisfies the relevant conditions. The confirmation under paragraph 3(b) that the candidate has no arrears recorded in the tax records of the authorities of the Financial Administration of the Czech Republic or the authorities of the Customs Administration of the Czech Republic, or in the records of social security insurance premiums or public health insurance premiums, must not be older than 30 days. In order to demonstrate the condition referred to in paragraph 2(f), the Office shall request an extract from the criminal records under other legislation ^ 5).

(5) The operator of the national CERT carries out the activities under § 17(2)(a), (b), (c), (e), (g) and (h) free of charge.

(6) The Office shall publish on its website information about the operator of the national CERT, namely its business name or name, the address of its registered office, the identification number of the person, the data box identifier and the address of its website.



§ 19



Public-law contract

(1) The Office shall conclude a public-law contract (hereinafter referred to as "the contract") with a legal person selected by the procedure under § 163(4) of the Administrative Procedure Code, for the purpose of cooperation in the field of cyber security and of ensuring the activities provided for in § 17(2). The procedure for the selection of applications is announced by the Office.

(2) The contract shall contain at least

(a) the designation of the contracting parties,

(b) the definition of the subject matter of the contract,

(c) the rights and obligations of the contracting parties,

(d) the arrangements for the cooperation of the contracting parties,

(e) the method of and conditions for withdrawal of the contracting parties from the contract,

(f) the period of notice and the grounds for notice,

(g) a prohibition on the misuse of information obtained in connection with the performance of the activities listed in § 17(2),

(h) the definition of the conditions for the performance of the activities of the national CERT under § 17(3), and

(i) the method of handover and the scope of the data handed over to the Office in the event that the obligation ceases to exist.

(3) The Office shall publish the contract concluded under paragraph 1 in the Gazette of the Office, with the exception of those parts of the contract whose publication is not permitted by other legislation.

(4) If the contract referred to in paragraph 1 is not concluded, or if the obligation ceases to exist, the activities of the national CERT shall be carried out by the Office.



§ 20

Government CERT

The government CERT, as part of the Office,

(a) receives notifications of contact details from the authorities and persons referred to in § 3(c) to (e),

(b) receives reports of cyber security incidents from the authorities and persons referred to in § 3(c) to (e),

(c) evaluates data on cyber security events and cyber security incidents from critical information infrastructure, significant information systems and other information systems of the public administration,

(d) provides the authorities and persons referred to in § 3(c) to (e) with methodological support and assistance,

(e) provides cooperation to the authorities and persons referred to in § 3(c) to (e) when a cyber security incident or a cyber security event occurs,

(f) receives suggestions and data from the authorities and persons referred to in § 3 and from other authorities and persons, and evaluates these suggestions and data,

(g) receives data from the operator of the national CERT and evaluates these data,

(h) receives data from authorities exercising competence in the field of cyber security abroad, and evaluates these data,

(i) provides, under § 9(4), data from the register of incidents to the operator of the national CERT, to authorities exercising competence in the field of cyber security abroad and to other persons active in the field of cyber security, and

(j) carries out vulnerability assessments in the field of cyber security.



TITLE III



STATE OF CYBER DANGER

§ 21

(1) A state of cyber danger means a state in which information security in information systems, or the security of services or the security and integrity of electronic communications networks ^ 1), is endangered to a large extent, and this could lead to a violation of or a threat to the interests of the Czech Republic within the meaning of the law governing the protection of classified information.

(2) The declaration of a state of cyber danger is decided by the Director of the Office. The decision on the declaration of a state of cyber danger is announced by posting it on the official notice board of the Office. Information about the declaration of a state of cyber danger is published in nationwide radio and television broadcasting. The operator of nationwide television or radio broadcasting is obliged, at the request of the Office, to publish the information on the declaration of a state of cyber danger without delay, without reimbursement of costs, and without altering its content and meaning.

(3) The decision on the declaration of a state of cyber danger takes effect at the moment laid down in the decision. A state of cyber danger is declared for the time necessary, up to a maximum of 7 days. The Director of the Office may extend that period; the total duration of the declared state of cyber danger must not be longer than 30 days.

(4) During the declared state of cyber danger, the Director of the Office shall inform the Government of the steps taken to resolve the state of cyber danger and of the current state of the threats that led to its declaration. During a state of cyber danger, and during a state of emergency ^ 4) in the cases referred to in paragraph 6, the Office is entitled to issue a decision or a measure of a general nature under § 13 also to the authorities and persons referred to in § 3(a) and (b).

(5) A state of cyber danger cannot be declared where the threat to information security in information systems, or to the security of services or the security and integrity of electronic communications networks ^ 1), can be averted by the activities of the Office under this Act.

(6) If the threat to information security in information systems, or to the security of services or the security and integrity of electronic communications networks ^ 1), cannot be averted within the state of cyber danger, the Director of the Office shall immediately request the Government to declare a state of emergency ^ 4). Decisions and measures of a general nature issued by the Office under § 13 before the declaration of the state of emergency remain in force, provided that they are not in conflict with the crisis measures adopted by the Government.

(7) A state of cyber danger ends on the expiry of the period for which it was declared, unless the Director of the Office decides to cancel it before the end of that period, or on the declaration of a state of emergency ^ 4).



TITLE IV



THE PERFORMANCE OF STATE ADMINISTRATION



§ 22

(1) State administration in the field of cyber security is exercised by the Office, unless the law provides otherwise.

(2) The Office

(a) lays down security measures,

(b) issues measures,

(c) provides for the activities of the National Cyber Security Center,

(d) keeps the registers under this Act,

(e) imposes fines for administrative offences under this Act,

(f) acts as the coordinating authority during a state of cyber danger,

(g) cooperates with authorities and persons active in the field of cyber security, in particular with public-law corporations, research and development workplaces and other CERT-type workplaces,

(h) ensures international cooperation,

(i) negotiates and concludes agreements on international cooperation,

(j) provides prevention, training and methodological support in the field of cyber security,

(k) provides for research and development in the field of cyber security,

(l) concludes the public-law contract with the operator of the national CERT,

(m) sends to the Ministry of the Interior, in accordance with the Crisis Act, a proposal of elements of critical infrastructure in the sector of communication and information systems in the field of cyber security whose operator is an organizational unit of the State,

(n) determines, in accordance with the Crisis Act, the elements of critical infrastructure in the sector of communication and information systems in the field of cyber security, unless they are elements referred to in subparagraph (m), and

(o) performs other tasks in the field of cyber security laid down in this Act.



TITLE V

CONTROL, CORRECTIVE MEASURES AND ADMINISTRATIVE OFFENCES

§ 23

Control

(1) The Office exercises control in the field of cyber security. In exercising control, the Office examines how the authorities and persons referred to in § 3 fulfil the obligations laid down in this Act and in the decisions and measures of a general nature issued by the Office, and how they comply with the implementing legislation in the field of cyber security.

(2) The Office checks how

(a) the authorities and persons referred to in § 3(a) and (b) fulfil the obligations imposed by the Office in a decision or in a measure of a general nature under § 13 during a state of cyber danger,

(b) the authorities and persons referred to in § 3(c) to (e) fulfil the obligations set out in § 4(2), § 8(3) and § 16(2)(b) and the obligations imposed by the Office in a decision or in a measure of a general nature under § 13 or 14.



§ 24

Corrective measures

(1) If the Office finds deficiencies during a control, it shall order the controlled authority or person to remedy them within a specified time limit and, where appropriate, shall specify the manner in which they are to be remedied.

(2) If, as a result of the deficiencies found, an information system of critical information infrastructure, a communication system of critical information infrastructure or a significant information system is immediately at risk of a cyber security incident that could significantly damage or destroy it, the Office may prohibit the controlled authority or person from using that system or a part of it until the deficiency is remedied.



Administrative offences



§ 25



(1) A legal person or a natural person who is an entrepreneur referred to in § 3(a) or (b) commits an administrative offence by

(a) failing, during a state of cyber danger, to fulfil an obligation imposed by the Office in a decision or in a measure of a general nature under § 13, or

(b) failing to fulfil any of the obligations imposed by a corrective measure under § 24.

(2) A legal person or a natural person who is an entrepreneur referred to in § 3(c) to (e) commits an administrative offence by

(a) failing, contrary to § 4(2), to introduce or implement security measures or to keep security documentation,

(b) failing to report a cyber security incident under § 8(1) and (3),

(c) failing to fulfil an obligation imposed by the Office in a decision or in a measure of a general nature under § 13 or 14,

(d) failing to notify contact details or changes to them to the Office under § 16(2)(b), or

(e) failing to fulfil any of the obligations imposed by a corrective measure under § 24.

(3) For an administrative offence, a fine shall be imposed of up to

(a) 100 000 CZK in the case of an administrative offence referred to in paragraph 1(a) or (b) or paragraph 2(a) to (c) or (e),

(b) 10 000 CZK in the case of an administrative offence referred to in paragraph 2(d).



§ 26

(1) A natural person commits an offence by breaching the obligation referred to in § 10(1).

(2) For the offence referred to in paragraph 1, a fine of up to 50 000 CZK shall be imposed.



section 27 of the



(1) a legal person under the administrative tort does not match, if he proves that

made every effort, that it was possible to require that the infringement of the

a legal obligation.



(2) liability of legal persons for the administrative offence shall cease, if the Office

about him has commenced proceedings to 1 year from the date on which it learned,

not later than 3 years from the date when the administrative offence committed.



(3) In determining the amount of the fine for a legal person, account shall be taken of the seriousness of the administrative offence, in particular the manner in which it was committed, its consequences, and the circumstances under which it was committed.



(4) administrative offences under this Act are heard by the Office.



(5) Liability for acts that took place in the course of the business of a natural person, or in direct connection with it, shall be subject to the provisions of this law on the liability and sanctioning of legal persons.



(6) Fines are collected by the authority. Income from fines is income of the State budget.



(7) the financial penalty is payable within 30 days from the date of the entry into force of the decision on

its imposition.



TITLE VI



FINAL PROVISIONS



section 28



The enabling provisions



(1) The Office and the Ministry of the Interior shall determine by Decree the significant information systems and their criteria under section 6(d).



(2) the authority shall lay down by Decree



(a) the content and structure of the safety documentation, the content of the security measures and the scope of the security measures pursuant to section 6(a) to (c),



(b) the types and categories of cyber security incidents and the elements and method of reporting a cyber security incident pursuant to section 8(4),



(c) the formalities of the notification of the execution of a reactive measure and its result under section 13(4), and



(d) the model notification of contact data and its form under section 16(6).



Transitional provisions



section 29



(1) The institutions and persons referred to in section 3(a) and (b) shall notify the contact information pursuant to section 16 no later than 30 days from the date of entry into force of this Act.



(2) The institutions and persons referred to in section 3(b) shall commence fulfilling the obligation provided for in section 8(1) and (2) not later than 1 year from the date of entry into force of this Act.



section 30



The institutions and persons referred to in section 3(c) and (d)



(a) shall notify the contact information pursuant to section 16 no later than 30 days from the date of the determination of their information system or communications system as critical information infrastructure,



(b) shall start to fulfil the obligation in section 8(1) and (3) not later than 1 year from the date of the determination of their information system or communication system as critical information infrastructure, and



(c) shall introduce security measures pursuant to section 4(2) not later than 1 year from the date of the determination of their information system or communications system as critical information infrastructure.



section 31



The institutions and persons referred to in section 3(e)



(a) shall notify the contact information pursuant to section 16 no later than 30 days from the date of the fulfillment, by their information systems, of the criteria that determine a significant information system,



(b) shall start to fulfil the obligation in section 8(1) and (3) not later than 1 year from the date of fulfillment of the defining criteria of a significant information system, and



(c) shall introduce security measures pursuant to section 4(2) not later than 1 year from the date of fulfilment of the criteria that determine a significant information system.



§ 32



Until the public service contract concluded pursuant to section 19 takes effect, the activities of the national CERT shall be carried out by whoever, before the date of entry into force of this law, pursued the activity which under this Act is carried out by the national CERT, but for no longer than 2 years from the date of entry into force of this law.



section 33



Common provisions



(1) This law shall apply only to such information or communications systems of the intelligence services which satisfy the conditions for determining critical information infrastructure, and only to the extent of sections 12 and 16;

the provisions of section 4 shall apply mutatis mutandis to these systems and the Office is as

elements of critical infrastructure pursuant to section 22 paragraph 1(b). 2 (a). m) is suggesting.



(2) To the information system of the Police of the Czech Republic for analytic activity in criminal proceedings, the law applies only in the scope of § 12 and 16; the provisions of section 4 shall apply mutatis mutandis to this system. This does not apply if this system is critical information infrastructure.



PART THE SECOND



Amendment of the Act on the protection of classified information and security eligibility



§ 34



Act No. 412/2005 Coll., on the protection of classified information and security eligibility, as amended by Act No 119/2007 Coll., Act No. 177/2007 Coll., Act No. 296/2007 Coll., Act No. 32/2008 Coll., Act No. 124/2008 Coll., Act No. 126/2008 Coll., Act No. 250/2008 Coll., Act No. 41/2009 Coll., Act No. 227/2009 Coll., Act No. 281/2009 Coll., Act No. 255/2011 Coll., Act No 420/2011 Coll., Act No. 458/2011 Coll., Act No. 167/2012 Coll. and Act No. 303/2013 Coll., is hereby amended as follows:



1. In article 145, the dot at the end of paragraph 5 is replaced by a comma and the following subparagraph (f) is added, which reads:



"(f) on request, a report on each of the cyber-security incidents of critical information infrastructure.".



2. In article 146(1), after the words "security management", the words "or in the context of the administrative procedure for the issue of the measures referred to in the Act on Cyber Security" are inserted.



3. In § 146(2), after the words "under this Act", the words "or by the law on cyber security" are inserted.



PART THE THIRD



Amendment of the Act on electronic communications



section 35



Act No. 127/2005 Coll., on electronic communications and

some related laws (Act on electronic communications)

as amended by law no 290/2005 Coll., Act No. 361/2005 Coll., Act No.

186/2006 Coll., Act No. 235/2006 Coll., Act No. 310/2006 Coll., Act No.

110/2007 Coll., the Act No. 261/2007 Coll., Act No. 304/2007 Coll., Act No.

124/2008 Coll., Act No. 177/2008 Coll., Act No. 189/2008 Coll., Act No.

247/2008 Coll., Act No. 384/2008 Coll., Act No. 227/2009 Coll., Act No.

281/2009 Coll., Act No. 153/2010 Coll., the finding of the Constitutional Court

declared under no 94/2011 Coll., Act No. 137/2011 Coll., Act No.

341/2011 Coll., Act No. 375/2011 Coll., Act No. 420/2011 Coll., Act No.

457/2011 Coll., Act No. 458/2011 Coll., Act No. 468/2011 Coll., Act No.

18/2012 Coll., Act No. 19/2012 Coll., Act No. 142/2012 Coll., Act No.

167/2012 Coll., Act No. 273/2012 Coll., Act No. 214/2013 Coll. and act

No 303/2013 Coll., is hereby amended as follows:



1. In article 89, paragraph 4 is added, which, including footnote No. 62, reads:



"(4) An entrepreneur providing a public communications network or providing a publicly available electronic communications service shall, at the request of a participant, free of charge and in a form that allows further electronic processing of the data, provide the traffic and location data which are available on the basis of this Act, if the participant is unable, as a result of a cyber security incident ^ 62), to capture or save them with its own equipment. The entrepreneur shall pass on the information, if technically possible, without delay, but not later than within 3 days from the date of delivery of the request, or in the case of ongoing communication from the date of delivery.



62) § 7(2) of Law No 181/2014 on cyber security and amending related laws (the law on Cyber Security).".



2. In § 118(14)(y), the word "or" is deleted.



3. In section 118, at the end of paragraph 14, the dot is replaced by the word "or", and the following letter ad) is added, which reads:



"ad) contrary to section 89(4), does not provide the information, or provides it belatedly.".



4. In § 118(22)(a), the word "or" is replaced by a comma and, at the end of the text of subparagraph (a), the words "or paragraph 14(ad)" are added.



PART THE FOURTH



Amendment of the Act on free access to information



section 36



In section 11(4) of Act No. 106/1999 Coll., on free access to information, in the wording of Act No 61/2006 Coll., the dot at the end of subparagraph (e) is replaced by a comma and the following subparagraph (f) is added, which reads:



"(f) the data held in the register of incidents under the law on cyber security from which it would be possible to identify the authority or person that reported the cyber security incident, or the provision of which would undermine the effectiveness of the reactive or protective measures under the law on cyber security.".



PART THE FIFTH



Amendment of the Act on radio and television broadcasting



§ 37



In § 32(1)(k) of the Act No. 231/2001 Coll., on the operation of radio and television broadcasting and other laws, as amended by Act No. 274/2003 Coll., after the words "State of war,", the words "the State of cyber risk" are inserted.



PART THE SIXTH



EFFECTIVENESS



section 38



This law shall enter into force on 1 January 2015.



Hamáček v. r.



Zeman v. r.



Sobotka v. r.



1) Act No. 127/2005 Coll., on electronic communications and

some related laws (Act on electronic communications)

in the wording of later regulations.



2) section 2 of the Act No. 240/2000 Coll., on crisis management and amending certain

laws (the crisis Act), as amended.



Regulation of the Government No. 432/2010 Coll., concerning the criteria for the determination of critical control

infrastructure.



3) For example, § 98(4) and § 99(4) of Act No. 127/2005 Coll., as amended.



4) Constitutional Act No. 110/1998 Coll., on the safety of the Czech Republic, as amended by Constitutional Act No. 300/2000 Coll.



5) Law No. 269/1994 Coll., on criminal records, as amended.