
National Cyber and Information Security Agency


Selected News

The Czech Republic enters the final phase of drafting legislation to reduce the risks associated with suppliers of information and communication technology.

After initial deliberations on which and to what extent suppliers should be assessed and which infrastructure should be affected by limiting the use of high-risk suppliers, the National Cyber and Information Security Agency (NÚKIB) is now finalizing legislation that should significantly limit the influence of high-risk suppliers on the Czech Republic’s most important infrastructure.

In June 2022, the National Security Council of the Czech Republic instructed NÚKIB to prepare draft legislation introducing a supplier assessment mechanism with a deadline for submission to the government by May 2023. "I am pleased that, despite the complexity of this issue, we are succeeding in meeting the timetable for preparing the draft legislation. We are already close to being able to consult the specific wording of this extremely important legislation with partners from the public administration, as well as private and academic sectors," Lukáš Kintr, Director of NÚKIB, commented on the progress and added: "I believe that if all parties involved in the preparation are active and constructive, the Czech Republic can have a comprehensive system for reducing the state's dependence on untrustworthy foreign suppliers within two years. In the field of information technology, we hope to avoid the situation we are currently observing, for example, in connection with oil and gas supplies from the Russian Federation."

The supplier assessment mechanism should enable the state to detect untrustworthy suppliers of technological components of the most significant strategic infrastructure of the Czech Republic, assess risk associated with these suppliers, and, in case of high risk, restrict the use of such suppliers in the infrastructure.

As the term "most significant" suggests, the pending legislation should not apply to all systems and services regulated by Act No. 181/2014 Coll., on Cyber Security and on Amendments to Related Acts (Act on Cyber Security), but only to the subset of them with the most significant impact on the state and society. Within the current categorisation of obliged entities under the Act on Cyber Security, the new legislation should affect critical information infrastructure and the information systems of essential services.

Nevertheless, the categorisation of regulated entities in the cybersecurity field will change with the update of the EU Network and Information Security (NIS) Directive, the so-called NIS2. The transposition of NIS2 into national law is carried out by NÚKIB, so the two legislative changes are being prepared together and in synergy. The resulting proposals should thus comply in full with both Czech and EU-wide needs and requirements. NIS2 will only change the concepts used by the supplier assessment mechanism, not the scope of the entities affected.

According to the draft mechanism, the assessment should be conducted by NÚKIB in cooperation with ministries, intelligence services, and other state bodies that hold information relevant to assessing a supplier's trustworthiness. The basis of the mechanism, however, will be fundamental information on suppliers provided by the individual administrators of the regulated infrastructure. This information will be combined with the state's own information and with information obtained from partner states, and will be used to assess whether specific supplier assessment criteria are met. The criteria are to examine the existence and severity of threats that supply chains pose to national security or public order, for example through the potential takeover of a supplier by a foreign state, the use of the supplier for state espionage, or the disruption of the availability of critical infrastructure abroad.

The assessment itself will be conducted by the state, focusing on suppliers already delivering their services to the strategic infrastructure, as well as on their subcontractors and potential suppliers. If a risk associated with a supplier is identified, the state will be able to restrict its use in the regulated infrastructure, similarly to the current warning under the Act on Cyber Security, or even prohibit such a supplier by means of a measure of a general nature binding on all relevant infrastructure administrators. No one will be entitled to demand that a supplier be assessed, and it is not the state's ambition to assess all of them. Only those for which there is an indication of a possible threat, for example due to the current security situation, will be assessed.

In particular, the mechanism is intended to assess potential suppliers. Consequently, all parties should be aware of the restrictions before selecting a specific supplier and signing a contract. However, a supplier may also be assessed as untrustworthy after a contract has already been concluded. In that case, the infrastructure administrator will be given a reasonable period to replace the untrustworthy supplier with a trustworthy one, so that the restriction affects its business or other activities to the least possible extent. The whole process will therefore be as transparent and as protective of the rights of the infrastructure administrator and the supplier as possible. That includes the possibility for the authorities and persons concerned to comment on the scope of the intended prohibition on the use of the supplier.

The community of experts will have the opportunity to comment on the draft in a public consultation in the first quarter of next year. Information on further progress, including the possibility of commenting on the draft, will be provided on the NÚKIB website.

The high-level Prague Cyber Security Conference

On Thursday 3 November 2022, the Prague Cyber Security Conference, the largest event of the National Cyber and Information Security Agency (NÚKIB) within the framework of the Czech Presidency of the Council of the EU, took place in the Prague Congress Centre. The conference, held in a hybrid format, was the successor of the traditional Prague 5G Security Conference held in previous years. In total, over 500 cyber security experts from more than 80 countries attended the event. The approximately two dozen speakers included Czech and foreign statesmen, leading EU and NATO representatives and delegates from Asia. The discussion focused mainly on supply chain security and new technologies, as this topic is also one of the priorities of the Czech Presidency. The event was part of the two-day EU Secure and Innovative Digital Future Conference, which NÚKIB co-organised with the Ministry of Industry and Trade and the Office of the Government, in coordination with the Ministry of Foreign Affairs.

"A secure digital future requires strong cyber defence but also much more. It requires secure infrastructure, reliable partners, and resilient supply chains. That is what Europe is working on," said the President of the European Commission Ursula von der Leyen in her opening speech. Additionally, Czech Prime Minister Petr Fiala, Estonian Minister of Entrepreneurship and Information Technology Kristjan Järvan, Australian Minister of Home Affairs and Minister for Cyber Security Clare O'Neil and NATO Deputy Secretary General Mircea Geoană spoke in a similar vein. NÚKIB Director Lukáš Kintr, as a representative of the main event’s organiser, stated in his speech: "We need to re-evaluate our thinking, clarify our European strategy and strengthen the resilience of our digital backbone in the long term. A connected Europe will only be as secure as the technologies on which it is built."

Panel discussions focused on the security of the Information and Communication Technologies (ICT) supply chain

The opening speeches were followed by a series of four panel discussions in which experts from different parts of the world discussed the security of ICT supply chains, their evolution, challenges, implications and solutions. The panels followed up on the recently adopted Council conclusions, which emphasised the importance of this topic for all EU countries. To handle the challenges that this issue poses to democratic countries, the exchange of good practice is essential. The Russian invasion of Ukraine has shown the possible consequences of dependency on unreliable suppliers who do not share Western values and interests. Given today's dependency on ICT, the consequences of such a crisis in this sector would be far more serious for our society. The conference speakers agreed that cooperation with national and international partners, as well as between governments, academia and the private sector, is crucial for building a resilient and secure infrastructure based on trusted technologies. Furthermore, experts mentioned the need for a diversity of providers to ensure the reliable and secure functioning of services that are absolutely essential for our society, the state and other regional actors.

The first day of the EU Secure and Innovative Digital Future Conference was concluded with speeches by the Czech Minister of Foreign Affairs Jan Lipavský, and the NÚKIB Director Lukáš Kintr, who not only thanked the participants and the organisers of the Prague Cyber Security Conference, but also stressed the need for critical information infrastructure protection, for international cooperation and for an immediate focus on the security of the entire ICT supply chain ecosystem.

Bilateral meetings were also held during the Conference

Events such as the Prague conference also present opportunities for formal and informal meetings, where information and practical experience can be shared with partners and allies. Among others, representatives of NÚKIB met with delegations from Australia and the United States of America. With the Australian Minister-Counsellor of the Department of Home Affairs for Europe, Jaycob McMahon, Director Kintr discussed national infrastructure resilience and education; with the U.S. Department of Homeland Security representative Irang Kahangama, he discussed joint exercises and enhanced information sharing with the Cybersecurity and Infrastructure Security Agency. Supply chain security was a common topic of both meetings, as it was of the entire conference.

The Council of the EU adopted conclusions on strengthening the security of information and communication technology supply chains

The topic of strengthening the security of the information and communication technology (ICT) supply chain is one of the priorities of the National Cyber and Information Security Agency (NÚKIB), and indeed the Czech Republic, for the Presidency of the Council of the EU. Yesterday, all EU Member States agreed on the importance of this issue in the Council of the EU. Following the conclusions initiated and negotiated by NÚKIB representatives, steps will now be taken to strengthen the security of ICT supply chains across the EU.

The current geopolitical crisis related to the war in Ukraine clearly demonstrates the gravity of the potential consequences of the strategic dependencies of EU countries on fossil fuels from third countries, such as the Russian Federation. With unanimous adoption of the conclusions, the EU Member States agreed on the need to avoid similar serious strategic dependencies in relation to ICT, which will form the digital backbone of our society. "This is a great success for our Agency and our country in the context of the Czech Presidency of the Council of the EU. We are glad that the whole Union understands the need to learn from the current situation and that we want to work together on our cybersecurity," said Lukáš Kintr, Director of NÚKIB.

Experience with incidents such as SolarWinds and NotPetya has shown that cyberattacks through the supply chain can have a widespread negative impact on our society and economy. Such attacks are highly likely to become more frequent in the future. This growing threat needs to be actively addressed and prepared for, not only at the national but also at the European level. The conclusions therefore come with a range of measures for addressing this threat together with the other EU Member States.

Concrete steps include the creation of an ICT Toolbox inspired by the 5G Toolbox, the development of methodological guidance on how to include cybersecurity aspects in the public procurement process, and exploring possibilities for financing the replacement of high-risk technologies.

You can also read about the conclusions of the Council of the EU here: https://www.consilium.europa.eu/en/press/press-releases/2022/10/17/the-council-agrees-to-strengthen-the-security-of-ict-supply-chains/.


Increasing the supply chain security of the state’s strategic infrastructure is in the interest of the Czech Republic

Reducing dependence on suppliers who pose a strategic threat in the field of cyber security is essential not only for the security of key entities for the state and society but also for national security in general. The National Security Council (BRS) has therefore authorized the National Cyber and Information Security Agency (NÚKIB) to prepare a bill that would enable the government to assess suppliers to the strategically important infrastructure, thereby strengthening the resilience and security of the Czech Republic.

In response to the worsening security environment, in June 2022, BRS ordered NÚKIB to submit a bill proposal by May 2023, enabling the government to assess suppliers to strategically important infrastructure. The main objective of this assessment is to increase the resilience and security of the Czech Republic.

Current developments show that supply chain security and the trustworthiness of suppliers in the field of information and communication technologies have a fundamental impact on the security of entities crucial to the state and society and, thus, on national security. Cyber security threats arising from technology supply chains have been known for a long time. However, our legal system currently contains no comprehensive legal instrument that would allow the risks these threats pose to strategic infrastructure to be assessed and mitigated in a targeted and effective manner. The bill in preparation aims to change this unsatisfactory situation.

The assessment mechanism will allow the government to exclude high-risk suppliers from supplies to strategic infrastructure, thereby significantly limiting the impact of undue foreign influence on the provision of essential functions of the state. It will reduce the dependence of strategic infrastructure on suppliers who pose a strategic threat in the field of cyber security and contribute to ensuring long-term sustainable security and resilience. This mechanism will help to prevent similarly undesirable dependence and subsequent negative impacts, as is currently the case with, for example, natural gas.

The bill in preparation will empower the relevant state authorities to evaluate and potentially restrict high-risk suppliers. Criteria related to areas such as the influence of a foreign state on suppliers or cases of technology misuse to disrupt strategic infrastructure will be evaluated. The specific form of the assessment process is currently being discussed across the relevant state administration bodies.

“The scope of the impact of the regulation is not yet precisely defined, but we are working intensively on it. When we talk about strategic infrastructure, we have in mind the set of systems of critical information infrastructure and essential services as defined by the Act on Cyber Security. In this area, changes await in connection with the implementation of the NIS2 directive, which will increase the number of obliged entities and persons to several thousand. However, the mechanism in preparation considers these changes and will not apply to most of these new obliged persons. The aim is to cover the set of institutions that provide or secure services with the greatest impact on the functioning of the state and society,” says Lukáš Kintr, the director of NÚKIB.

NÚKIB expects to follow existing best practice when drafting the bill. In due course, the community of experts will be given the opportunity to provide NÚKIB with suggestions for the bill beyond the scope of the standard interdepartmental comment procedure. As this is a complex and sensitive issue, NÚKIB is leading, and intends to continue leading, a broad, expert and, above all, constructive debate.

The mechanism is based on the principles of the Act on Cyber Security (ZKB). The forthcoming legislation will complement the current approach to ensuring cyber security in the Czech Republic, under which the system administrator is responsible for the overall security of the system. The assessment mechanism will thus introduce a new state input into the process by assessing the security of suppliers at the strategic level. These are assessments that infrastructure administrators are unable to carry out themselves; the state, with its security and intelligence apparatus, is therefore the appropriate entity to assess and evaluate supply chain security. Importantly, NÚKIB aims to set up an efficient assessment process that fulfils its purpose while minimizing the administrative and financial burden on both the obliged entities and the government. Therefore, the assessment will concern only those supplies that are directed to clearly defined, pre-determined parts of the strategic infrastructure that are critical to the functioning of the Czech Republic. Supplies that are not relevant to the security of this infrastructure will not be assessed.

The current cyber security legislation remains valid and in effect until the adoption of the new law. As regards the mitigation of risks posed by high-risk suppliers, the responsibility for managing risks associated with suppliers lies with the infrastructure administrators, i.e. the obliged authorities and persons, in accordance with the Act on Cyber Security and the Decree on Cyber Security.

Administrators and operators of critical information infrastructure and other persons subject to the Act on Cyber Security are still obliged to take into account the warnings previously issued by NÚKIB. The "Recommendation for assessing the trustworthiness of technology suppliers of 5G networks in the Czech Republic," prepared by NÚKIB in cooperation with other partners, can serve as a non-binding tool for assessing the risk associated with suppliers.