The Cyber Security Strategy for the Czech Republic covers the years 2015 to 2020. The Cyber Security Council (CSC) came into being through Decision of the Government of the Czech Republic No. 781 (19 October 2011). The CSC advises the Prime Minister on cyber security. It also supports the NSA CZ, the body responsible for cyber security, on issues that demand co-operation with other state bodies and operators of critical information infrastructure. The strategy rests on the following principles and strategic goals:
- Protection of fundamental human rights and freedoms and of the democratic rule of law principles.
- Comprehensive approach to cyber security based on principles of subsidiarity and cooperation.
- Trust building and co-operation among public and private sector, and civil society.
- Cyber security capacity building.
- Efficiency and enhancement of all relevant structures, processes, and of cooperation in ensuring cyber security.
- Active international cooperation.
- Protection of national CII and IIS.
- Cooperation with private sector.
- Research and development / Consumer trust.
- Education, awareness raising and information society development.
- Support to the Czech Police capabilities for cybercrime investigation and prosecution.
- Cyber security legislation (development of the legislative framework); participation in the creation and implementation of European and international regulations.
The Action Plan 2015-2020 sets out two actions on risk assessment with the aim of developing a methodology at the state level. The two actions are:
- Choose a risk and a threat assessment methodology for the cyber security field at the state level.
- Assess, on a continuous basis, cyber security risks and threats at the state level.
WISER interview: Viktor Paggio, Národní bezpečnostní úřad - National Security Authority, Národní centrum kybernetické bezpečnosti - National Cyber Security Centre (October 2016).
NATIONAL CYBER SECURITY STRATEGY - NIS Capacities
|Year of adoption||
2011: The Cyber Security Strategy of the Czech Republic for the Period 2011-2015 was adopted in 2011. The strategy provides general cybersecurity principles and clearly stated goals.
In 2015 a new strategy was published, Czech Republic - National Cyber Security Strategy 2015-2020 (in English): https://www.enisa.europa.eu/topics/national-cyber-security-strategies/nc...
|Updates and revisions||
The Czech Republic’s National Cyber Security Strategy (NCSS) and the associated Action Plan (AP) were drafted by the Czech National Security Authority (NSA) and adopted by the Government in 2015.
Both cover the years 2015 to 2020. The previous NCSS and AP covered the years 2011 to 2015.
During the WISER interview with the National Security Authority representative, Viktor Paggio outlined the priorities for 2016:
Annual reports and progress checks are part of the Action Plan: https://www.govcert.cz/en/info/publications/.
|Operational capacity building||
The Czech Republic has two response teams: 1) the Government Computer Emergency Response Team (GovCERT.CZ) and 2) the national Computer Security Incident Response Team (CSIRT.CZ).
The Government CERT (GovCERT.CZ), https://www.govcert.cz/ (Czech); https://www.govcert.cz/en/ (English), is based in Brno. Its main task is to collect reports of cyber incidents from specified entities, analyse them and provide assistance.
The CERT and CSIRT capacity building strategy is defined in the Action Plan 2015-2020 under the following strategic goal and action:
Efficiency and enhancement of all relevant structures, processes, and of cooperation in ensuring cyber security
Develop a national coordinated incident handling procedure that will set a cooperation format, contain a communication matrix and a procedure protocol, and define each actor's role.
Based on interview with Viktor Paggio.
CSIRT.CZ (English version: https://csirt.cz/). Its role is to co-operate with the global community of CERT/CSIRT teams and with organisations supporting that community, and with entities across the country (ISPs, content providers, banks, security organisations, academic institutions, public authorities and other institutions), as well as to provide security services.
A National Cyber and Information Security Agency is also part of the national strategy. Its expansion is scheduled for 2018 to 2023, with the aim of establishing a new laboratory, a training centre and data protection centres, as well as increasing the agency's workforce.
Following the adoption of the EU NIS Directive, on 30 September 2016 the NSA CZ proposed to the Government an amendment to the Cyber Security Act, which constitutes the basic legal framework of our action (source: Viktor Paggio). It should be noted that the Czech Republic followed the examples of Estonia and Hungary in adopting a separate Cyber Security Act even prior to the EU NIS Directive.
The current legislation for the National Cyber Security Centre is outlined here: https://www.govcert.cz/en/legislation/legislation/
29 Aug. 2014: Act No. 181/2014 Coll., on Cyber Security and on Amendments to Related Acts, was published.
19 Dec. 2014: the regulations implementing Act No. 181/2014 Coll. on Cyber Security were published in the Collection of Laws.
1 Jan. 2015: Act No. 181/2014 Coll. on Cyber Security entered into force together with its implementing regulations.
By Decision No. 781 of 19 October 2011, the Government of the Czech Republic established the NSA as the body responsible for cyber security and the national authority in this field.
The Cyber Security Strategy of the Czech Republic for the period 2011-2015 was published in 2011. On 1 January 2015, the Act on Cyber Security came into force. This law includes comprehensive provisions on most aspects of cyber security and is complemented by several important implementing regulations.
The country has also established a national CERT, CSIRT.CZ, as well as a CERT dedicated to government agencies, GovCERT.CZ.
The National Cyber Security Centre was launched on 1 January 2015 to promote public-private partnerships. Furthermore, the Czech Republic is conducting a sector-based security risk assessment in cooperation with the academic and private sectors. The project is the first such assessment that addresses cybersecurity.
In September 2017, the Ministry of the Interior of the Czech Republic published a bill to replace the current Act No. 101/2000 Coll., on the Protection of Personal Data. The bill is a response not only to the EU General Data Protection Regulation (GDPR) but also to the EU Directive on the processing of personal data in connection with the investigation and prevention of criminal offences. A separate part of the bill deals with the processing of personal data in the course of the defence and security of the state.
List of main provisions:
|Businesses and Public Private partnerships||
Within the NCSC's constituency there are only businesses of strategic importance regulated by the Cyber Security Act. The NCSC helps them to safeguard their critical information infrastructure, provides them with security information and assistance, and enhances their knowledge about internet security. Most Czech businesses, including internet service providers, deal with the National CSIRT Team of the Czech Republic (CSIRT.CZ), https://www.csirt.cz/ (Czech and English), run by CZ.NIC. (Source: Viktor Paggio).
The NSA has an ‘agreement on government security programme’ with Microsoft, under which the parties are able to share and exchange cyber security information; this means that the NSA has access to the source code and documentation of Microsoft products. A similar information exchange agreement has been concluded between the NSA and Cisco. Based on this memorandum of understanding, the two entities share cyber threat information and exchange information on current cyber security trends and best practices.
Beyond these measures, there are currently no public-private partnerships for cyber security and no sector-specific security priorities established through government agencies.
A private cyber security cluster operates through the Network Security Monitoring Cluster (NSM Cluster; http://www.nsmcluster.com/en/; English), a co-operative industrial cluster focusing on network security and security in IT. It currently counts 21 members, including Masaryk University in Brno. Its activities include networking and know-how sharing; education and training about network security monitoring; and information sharing on network security trends. It also interacts with other associations and international organisations on network security monitoring and IT security topics, for example with ENISA and IT Security in Germany. One of its priority goals is to become an interregional grouping in the Czech Republic and within the EU.
Co-operation between the NSA and the universities is developing rapidly. The NCSC contributes to cyber security courses, co-operates with university CERT/CSIRTs, and makes use of university cyber infrastructure. For example, the Computer Security Incident Response Team (CSIRT-MU; https://csirt.muni.cz/; English) is a part of the Institute of Computer Science, which is responsible for the development of information and communication technologies at the university.
|Overall assessment/best practices||
The Czech Republic is a long-term partner of the organiser of the Czech ECSM – the National Center for Safe Internet (NCBI, Národní centrum bezpečnějšího internetu): https://ecsm.saferinternet.cz/
For the 2016 European Cyber Security Month, the country took part in many of the events, including the ECSM Round Table on 30 September 2016. In September it will also run the technical part of the Cyber Czech 2016 exercise, present the pilot of the anti-cyberbullying Digital Footprint e-learning course for high schools, and present its activities at the 2016 Future Forces international exhibition in Prague. (Source: Viktor Paggio).
CSIRT.CZ has participated in the Cyber Europe exercises since 2010. National cyber exercises include Cyber Czech, which took place in October 2015 and in March 2016, utilising the KYPO Cyber Exercise & Research Platform of the Masaryk University. Last but not least, NSA and CSIRT.CZ take part in regional CECSP Exercises.
|Implementation and Monitoring||
In the interview with the National Security Authority representative, Viktor Paggio explained that the implementation of the National Strategy is incorporated in the Action Plan for the National Cyber Security Strategy of the Czech Republic for the Period from 2015 to 2020 (in English).
As of October 2016, most of the goals set by the Action Plan have been accomplished.
Every year, the NSA CZ presents the status of Action Plan implementation to the Government along with the Annual Report on Cyber Security. On 20 July 2016, the Government took note of the 2015 Annual Report (https://www.vlada.cz/assets/ppov/brs/cinnost/zaznamy-z-jednani/usn-31-16... Czech).
|Date of last WISER analysis||October 2017|
GDPR and NIS Directive: Compliance and Notification
National Computer Security Incident Response Team (CSIRT)
Computer Emergency Response Team (CERT)
Notification obligations in the event of a data breach
NIS Directive (operators of essential services and digital service providers): incidents having an actual, adverse and significant impact on the continuity of essential services; incidents having an actual, adverse and substantial impact on the provision of the enumerated digital services.
GDPR (any organisation processing the personal data of individuals in the EU): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The Regulation on Cyber Security also specifies the procedures for the reporting of cyber incidents, both to GovCERT.CZ (website in Czech/ English) and to CSIRT.CZ (website in Czech only). A report is to follow a predefined form and can be submitted via an e-form on the respective website, via e-mail, data mailbox, specified interface, or on paper.
For non-incident related messages, use firstname.lastname@example.org
If it is not possible (or not advisable for security reasons) to use e-mail, the GovCERT can be reached by telephone at +420 725 875 205.
The GovCERT's hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Friday except holidays).
|Guidance and updates||
Information about the threat landscape and related services can be found here: https://www.govcert.cz/en/government-cert/provided-services/. Most of the other updates on GovCERT.CZ concern events and announcements: https://www.govcert.cz/en/info/events/.
|Languages||Czech and English|
|Date of last WISER analysis||October 2017|