The amendment to the Cyber Security Act (ZKB) significantly expands the group of so-called obliged entities that have a legal duty to address cyber security and take appropriate steps to prevent security risks:
This obligation is newly extended to a whole range of important sectors, such as healthcare, and to other providers of critical “basic services”, such as utilities.
One of the most important duties for all these companies is to monitor events in their own networks and information systems so that they can evaluate security attacks and report them to the security authority in time.
We see this obligation as key because today most companies unfortunately do not even meet the basic requirements of so-called cyber hygiene: the ability to detect attacks, to uncover, analyze and manage risks, and to share information about attacks with other companies, which helps other institutions prepare better and in time for a possible threat.
newly established office that will prevent hacker attacks and propose measures to deal with security incidents. The specialized body will thus take over part of the role of the National Security Office. Failure to fulfill the new obligations can result in a fine of up to five million crowns.
The risk of computer attacks is increasing worldwide; in the Czech Republic there may be up to 1.7 million cyber attacks per year, with possible losses of up to 5.4 billion crowns, according to data from the Czech Insurance Association. However, public reports about successful cyber attacks are still less frequent in the Czech environment than abroad, which is partly due to two factors:
The ability to detect an attack (or even to notice that one is ongoing) is on average relatively weak in the Czech Republic. As part of risk prevention, companies should use modern detection tools, which are necessary to detect modern threats, and secure high-quality experts and security analysts.
When an attack is discovered in a company, it is currently quite common practice to keep quiet and not disclose anything. Under the Cyber Security Act, affected companies are now required to report the incident to the authority. The GDPR takes a very similar approach: it includes the obligation to record every such incident and to report the more significant ones within 72 hours.
Who will the amendment primarily affect?
The ZKB amendment will newly apply to a large group of companies that are operators of so-called basic services (e.g. banks, hospitals, transport companies) or providers of so-called digital services, i.e. platforms for electronic trading and search engines (under the current version of the law, these companies remained outside its scope).
In the words of the law, a basic service is a “service whose provision is dependent on networks or information systems and ture, chemical industry and public administration.” A digital service then means “an information society service consisting in providing an online marketplace service that allows consumers to conclude a purchase contract or a contract for the provision of services with the seller online, an Internet search engine, or cloud computing that provides access to a scalable, customizable and shareable pool of computing resources”.
d financial undervaluation in the past years, it will be very difficult for most businesses to meet the requirements of the ZKB in time.
In the future, how to harmonize the rules of the ZKB amendment with other legislation in this area, e.g. GDPR?
eport incidents in a timely manner), 2) the need to pay more attention and resources to cyber and information security.
We see major differences between the meaning and content of the two pieces of legislation; the goal of protection and the approach to the selection of security measures are particularly worth noting.
selection of security measures, the amendment to the Cyber Security Act is clearer, as it sets out a specific list of security measures that every company to which the ZKB applies must adopt. This concerns, for example, protection of network access, secure login of users, the use of encryption technologies, regular monitoring, etc. Under the European GDPR regulation, the approach is instead based on an individual risk assessment. This means that it is up to each data controller to evaluate for themselves how much personal data.