Czech Republic (CZ)

Current status:

The Cyber Security Strategy for the Czech Republic covers the years 2015 to 2020. The Cyber Security Council (CSC) came into being through Decision of the Government of the Czech Republic No. 781 (19 October 2011). The CSC advises the Prime Minister on cyber security. It also supports the NSA CZ, the body responsible for cyber security on issues that demand co-operation with other state bodies and with operators of critical information infrastructure.

Principles:

  • Protection of fundamental human rights and freedoms and of the democratic rule of law principles.
  • Comprehensive approach to cyber security based on principles of subsidiarity and cooperation.
  • Trust building and cooperation among public and private sector, and civil society.
  • Cyber security capacity building.

Main goals:

  • Efficiency and enhancement of all relevant structures, processes, and of cooperation in ensuring cyber security.
  • Active international cooperation.
  • Protection of national CII and IIS.
  • Cooperation with private sector.
  • Research and development / Consumer trust.
  • Education, awareness raising and information society development.
  • Support to the Czech Police capabilities for cybercrime investigation and prosecution.
  • Cyber security legislation (development of legislative framework). Participation in creation and implementation of European and international regulations.

The Action Plan 2015-2020 sets out two actions on risk assessment with the aim of developing a methodology at the state level. The two actions are:

  • Choose a risk and a threat assessment methodology for the cyber security field at the state level.
  • Assess, on a continuous basis, cyber security risks and threats at the state level.

WISER interview: Viktor Paggio, Národní bezpečnostní úřad - National Security Authority, Národní centrum kybernetické bezpečnosti - National Cyber Security Centre (October 2016).


NATIONAL CYBER SECURITY STRATEGY - NIS Capacities

Year of adoption

2011: The Cyber Security Strategy of the Czech Republic for the Period 2011-2015 was adopted in 2011. The strategy provides general cybersecurity principles and clearly stated goals.

In 2015 a new strategy was published, Czech Republic - National Cyber Security Strategy 2015-2020 (in English): https://www.enisa.europa.eu/topics/national-cyber-security-strategies/nc...

Updates and revisions

The Czech Republic’s National Cyber Security Strategy (NCSS) and the associated Action Plan (AP) were drafted by the Czech National Security Authority (NSA) and adopted by the Government in 2015.

Both cover the years 2015 to 2020. The previous NCSS and AP covered the years 2012 to 2015.

During the WISER interview with the National Security Authority representative, Viktor Paggio outlined the priorities for 2016:

  • Provide prompt & reliable assistance to NCSC's constituency – administrators of the strategic ICT networks defined by the Cyber Security Act (https://www.export.gov/article?id=Czech-Republic-Cyber-Security; English).
  • Continue to invest in the NCSC’s human capital providing the employees with top courses and trainings.
  • Further develop the ICS-SCADA & forensics lab, and other priorities.

Annual reports and progress checks are part of the Action Plan: https://www.govcert.cz/en/info/publications/.

Operational capacity building

The Czech Republic has two response teams: 1) a Government Computer Emergency Response Team (GovCERT.CZ) and 2) a national Computer Security Incident Response Team (CSIRT.CZ).

The Government CERT (GovCERT.CZ), https://www.govcert.cz/ (Czech); https://www.govcert.cz/en/ (English), is based in Brno. Its main task is to collect reports of cyber incidents from specified entities, analyse them and provide assistance.

The CERT & CSIRT capacity building strategy is defined in the Action Plan 2015-2020.

Efficiency and enhancement of all relevant structures, processes, and of cooperation in ensuring cyber security

  • Develop an effective cooperation model at the national level among the cyber security actors – CERT and CSIRT teams, etc. and reinforce their existing structures and processes.
  • Develop, in coordination with other entities, a scheme and a detailed model of cooperation in ensuring cyber security.
  • Analyse the cyber security agenda and, based on the analysis, define main national interests and priorities for cyber security.
  • Carry out technical and non-technical cyber security exercises at the national level.
  • Develop a national coordinated incident handling procedure that will set a cooperation format, contain a communication matrix and a procedure protocol, and define each actor’s role.

The last of these actions, the national coordinated incident handling procedure, is broken down into the following tasks:

  • Develop a unified methodology for cyber security incident handling on the basis of the Act on Cyber Security and related regulations.
  • Develop a communication matrix for cyber security authorities (national actors, CII, IIS).
  • Provide a description of a secure communication interface that will enable the NSA to receive cyber security incident reports automatically as XML messages. The description will also include an XML schema matching the content of the cyber security incident report form set out in Regulation No. 316/2014 Coll., complemented by further optional elements.
  • Develop a protocol of procedures successfully employed in ensuring cyber security.

Based on interview with Viktor Paggio.

CSIRT.CZ English version: https://csirt.cz/. Its role is to co-operate with the global community of CERT/CSIRT teams and with organisations supporting that community, and with various entities across the country – ISPs, content providers, banks, security organisations, academic institutions, public authorities and other institutions – as well as to provide security services.

A National Cyber and Information Security Agency is also part of the national strategy. The expansion is scheduled to be carried out between 2018 and 2023 with the aim of establishing a new laboratory, a training centre and data protection centres, as well as increasing the office's workforce.

Legal conditions

Following the adoption of the EU NIS Directive, on 30 September 2016 the NSA CZ proposed to the Government an amendment to the Cyber Security Act, which constitutes the basic legal framework of our action (source: Viktor Paggio). It should be noted that the Czech Republic followed the examples of Estonia and Hungary in adopting a separate Cyber Security Act even prior to the EU NIS Directive.

The current legislation relevant to the National Cyber Security Centre is outlined here: https://www.govcert.cz/en/legislation/legislation/

2015, 1 Jan: The Law No. 181/2014 Coll. on Cyber Security entered into force together with implementing regulations.

On 19 December 2014 the regulations implementing the Law No. 181/2014 on Cyber Security were published in the Collection of Laws:

  • Regulation No. 316/2014 Coll. on Security Measures, Cyber Security Incidents and Reactive Measures (“Cyber Security Regulation”).
  • Regulation No. 317/2014 Coll. on the Determination of Important Information Systems and their Determination Criteria.
  • Decision of the Government No. 315/2014 Coll., which amends Decision of the Government No. 432/2010 Coll. on the Criteria for the Determination of the Elements of the Critical Infrastructure.

Act No. 181/2014 Coll. on Cyber Security and on Amendments to Related Acts: 29 Aug. 2014.

By Decision No. 781 of 19 October 2011, the Government of the Czech Republic established the NSA as the body responsible for cyber security and the national authority in this field.

The Cyber Security Strategy of the Czech Republic for the period 2011-2015 was published in 2011. The strategy provides general cybersecurity principles and clearly stated goals. On 1 January 2015, the Act on Cyber Security came into force. This law includes comprehensive provisions on most aspects of cybersecurity and is complemented by several important regulations.

The country has also established a national CERT, CSIRT.CZ, as well as a CERT dedicated to government agencies: GOVCERT.CZ.

The National Cyber Security Centre was launched on 1 January 2015 to promote public-private partnerships. Furthermore, the Czech Republic is conducting a sector-based security risk assessment in cooperation with the academic and private sectors. The project is the first such assessment that addresses cybersecurity.

In September 2017, the Ministry of the Interior of the Czech Republic published a bill to replace the current Act No. 101/2000 Coll., on the Protection of Personal Data. The bill is a response not only to the EU General Data Protection Regulation (GDPR) but also to the EU Directive on the processing of personal data in connection with the investigation and prevention of criminal offences. A separate part of the bill deals with the processing of personal data in the course of the defence and security of the state.

List of main provisions:

  • Setting maximum fines for public authorities and public entities at CZK 10 million.
  • Containing the definition of a “public entity” which (in addition to a public authority) must appoint a data protection officer (DPO).
  • The age limit when the consent of a child’s statutory guardian is needed when using online services is reduced to 13 years (GDPR sets out 16 years).
  • Providing for exceptions for the processing of data for so-called compatible purposes, and the possibility of restricting the rights of the data subject in matters of public interest.
  • Providing the possibility of informing data subjects by publishing information on the Internet, if processing is carried out on the basis of law, or in the public interest.
  • Providing the right for data controllers to notify, under certain circumstances, any changes, limitations, and removal of personal data to recipients of the updates of the default registers.
  • Setting out the confidentiality requirements of the DPO for personal data and security measures.

Businesses and Public Private partnerships

Within the NCSC's constituency there are only businesses of strategic importance regulated by the Cyber Security Act. The NCSC helps them to safeguard their critical information infrastructure, provides them with security information and assistance, and enhances their knowledge about internet security. Most Czech businesses, including internet service providers, deal with the National CSIRT Team of the Czech Republic (CSIRT.CZ), https://www.csirt.cz/ (Czech) and https://www.csirt.cz/ (English), run by CZ.NIC. (Source: Viktor Paggio).

The NSA has an ‘agreement on government security programme’ with Microsoft, under which the parties are able to share and exchange cyber security information; this gives the NSA access to the source code and documentation of Microsoft products. A similar information exchange agreement has been concluded between the NSA and Cisco. Based on this memorandum of understanding, the two entities share cyberthreat information and exchange information on current cyber security trends and best practices.

Beyond these measures, there are currently no public-private partnerships for cyber security and no sector-specific security priorities established through government agencies.

A private cyber security cluster operates through the Network Security Monitoring Cluster (NSM Cluster; http://www.nsmcluster.com/en/; English), a co-operative industrial cluster focusing on network security and IT security. It currently counts 21 members together with Masaryk University in Brno. Its activities include networking and know-how sharing; education and training about network security monitoring; and information sharing on network security trends. It also interacts with other associations and international organisations on network security monitoring and IT security topics, for example with ENISA and IT Security in Germany. One of its priority goals is to become an interregional grouping in the Czech Republic and within the EU.

Co-operation between the NSA and the universities is developing rapidly. The NCSC contributes to cyber security courses, co-operates with university CERT/CSIRTs, and makes use of university cyber infrastructure. For example, the Computer Security Incident Response Team (CSIRT-MU; https://csirt.muni.cz/; English) is a part of the Institute of Computer Science, which is responsible for the development of information and communication technologies at the university.

Overall assessment/best practices

The Czech Republic is a long-term partner of the organiser of the Czech ECSM – the National Center for Safe Internet (NCBI, Národní centrum bezpečnějšího internetu): https://ecsm.saferinternet.cz/

For the 2016 European Cyber Security Month, the country will take part in many of the events, notably the ECSM Round Table on 30 September 2016. In September it will run the technical part of the Cyber Czech 2016 Exercise, present the pilot of the anti-cyberbullying “Digital Footprint” e-learning course for high schools, and also present its activities at the 2016 Future Forces international exhibition in Prague. (Source: Viktor Paggio).

CSIRT.CZ has participated in the Cyber Europe exercises since 2010. National cyber exercises include Cyber Czech, which took place in October 2015 and in March 2016, utilising the KYPO Cyber Exercise & Research Platform of the Masaryk University. Last but not least, NSA and CSIRT.CZ take part in regional CECSP Exercises.

Implementation and Monitoring

In the interview with the National Security Authority representative, Viktor Paggio explained that the implementation of the National Strategy is incorporated in the Action Plan for the National Cyber Security Strategy of the Czech Republic for the Period from 2015 to 2020 (in English).

As of October 2016, most of the goals set by the Action Plan have been accomplished.

Every year, the NSA CZ presents the status of Action Plan implementation to the Government along with the Annual Report on Cyber Security. On 20 July 2016, the Government took note of the 2015 Annual Report (https://www.vlada.cz/assets/ppov/brs/cinnost/zaznamy-z-jednani/usn-31-16... Czech).

Date of last WISER analysis: October 2017


Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CERT/CSIRT

The Cyber Security Regulation also specifies the procedures for reporting cyber incidents, both to GovCERT.CZ (website in Czech/English) and to CSIRT.CZ (website in Czech only). A report must follow a predefined form and can be submitted via an e-form on the respective website, via e-mail, data mailbox or a specified interface, or on paper.

GovCERT.CZ

For incident reports, use the address cert.incident@nbu.cz

For non-incident-related messages, use cert@nbu.cz

If it is not possible (or not advisable for security reasons) to use e-mail, the GovCERT can be reached by telephone at +420 725 875 205.

The GovCERT's hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Friday except holidays).

Guidance and updates

Information about the threat landscape and related services can be found here: https://www.govcert.cz/en/government-cert/provided-services/. Most of the other updates on GovCERT.CZ concern events and announcements: https://www.govcert.cz/en/info/events/.

CSIRT.CZ provides information on incident reporting and guidance: https://csirt.cz/page/3399/incident-reporting/, as well as security alerts and updates: https://csirt.cz/news/security/.

Languages: Czech and English
Date of last WISER analysis: October 2017
