National Cyber and Information Security Agency

Selected News

Increasing the supply chain security of the state’s strategic infrastructure is in the interest of the Czech Republic

Reducing dependence on suppliers who pose a strategic threat in the field of cyber security is essential not only for the security of key entities for the state and society but also for national security in general. The National Security Council (BRS) has therefore authorized the National Cyber and Information Security Agency (NÚKIB) to prepare a bill that would enable the government to assess suppliers to the strategically important infrastructure, thereby strengthening the resilience and security of the Czech Republic.

In response to the worsening security environment, in June 2022, BRS ordered NÚKIB to submit a bill proposal by May 2023, enabling the government to assess suppliers to strategically important infrastructure. The main objective of this assessment is to increase the resilience and security of the Czech Republic.

Current developments show that the supply chain security and the trustworthiness of suppliers in the field of information and communication technologies have a fundamental impact on the security of crucial entities for the state and society and, thus, on national security. Cyber security threats arising from technology supply chains have been known for a long time. However, there is currently no comprehensive legal solution in our legal system that would enable the risks arising from these threats to strategic infrastructure to be assessed and mitigated in a targeted and effective manner. The bill in preparation aims to change this unsatisfactory situation.

The assessment mechanism will allow the government to exclude high-risk suppliers from supplies to strategic infrastructure, thereby significantly limiting the impact of undue foreign influence on the provision of essential functions of the state. It will reduce the dependence of strategic infrastructure on suppliers who pose a strategic threat in the field of cyber security and contribute to ensuring long-term sustainable security and resilience. This mechanism will help to prevent similarly undesirable dependence and subsequent negative impacts, as is currently the case with, for example, natural gas.

The bill in preparation will empower the relevant state authorities to evaluate and potentially restrict high-risk suppliers. Criteria related to areas such as the influence of a foreign state on suppliers or cases of technology misuse to disrupt strategic infrastructure will be evaluated. The specific form of the assessment process is currently being discussed across the relevant state administration bodies.

“The scope of the impact of the regulation is not yet precisely defined, but we are working intensively on it. When we talk about strategic infrastructure, we have in mind the set of systems of critical information infrastructure and essential services as defined by the Act on Cyber Security. In this area, changes await in connection with the implementation of the NIS2 directive, which will increase the number of obliged entities and persons to several thousand. However, the mechanism in preparation considers these changes and will not apply to most of these new obliged persons. The aim is to cover the set of institutions that provide or secure services with the greatest impact on the functioning of the state and society,” says Lukáš Kintr, the director of NÚKIB.

NÚKIB expects to follow existing best practice when drafting the bill. In due course, the community of experts will be given the opportunity to provide NÚKIB with suggestions for the bill beyond the scope of the standard interdepartmental comment procedure. As this is a complex and sensitive issue, NÚKIB is leading, and intends to continue leading, a broad, expert and, above all, constructive debate.

The mechanism is based on the principles of the Cyber Security Act (ZKB). The forthcoming legislation will complement the current approach to ensuring cyber security in the Czech Republic, according to which the system administrator is responsible for the overall security of the system. The assessment mechanism will thus introduce a new state input into the process by assessing the strategic level of security of suppliers. These are aspects that the infrastructure managers are unable to assess themselves. Hence the state, with its security and intelligence apparatus, is the appropriate entity to assess and evaluate supply chain security. Importantly, NÚKIB aims to set up an efficient assessment process that fulfils its purpose while minimizing the administrative and financial burden on both obliged entities and the government. Therefore, the assessment will concern only those supplies that are directed to clearly defined, pre-determined parts of the strategic infrastructure that are critical to the functioning of the Czech Republic. Supplies that are not relevant to the security of this infrastructure will not be assessed.

The current cyber security legislation will remain valid and effective until the adoption of the new law. As regards mitigating the risks posed by high-risk suppliers, the responsibility for managing risks associated with suppliers lies with the infrastructure administrators for obliged authorities and persons in accordance with the Act on Cyber Security and the Decree on Cyber Security.

Administrators and operators of critical information infrastructure and other persons subject to the Cyber Security Act are still obliged to consider warnings previously issued by NÚKIB. The “Recommendation for assessing the trustworthiness of technology suppliers of 5G networks in the Czech Republic,” prepared by NÚKIB in cooperation with other partners, can serve as a non-binding tool for assessing the riskiness of suppliers.

NÚKIB and its partners introduce the outcomes of an international project

The rising number of cyber attacks and threats against the healthcare sector remains a worrying trend of recent years. The situation has gotten worse since the start of the COVID-19 pandemic. More needs to be done to protect this critical sector to avoid potentially devastating humanitarian consequences.

That’s why in 2021, NÚKIB, the Ministry of Foreign Affairs of the Czech Republic, the CyberPeace Institute, and Microsoft partnered to run a series of workshops with foreign and domestic experts and practitioners to openly discuss the challenges the sector faces, and to come up with potential solutions from legal, technical, operational and even diplomatic perspectives.

We are proud to share their recommendations in a single, comprehensive document: Compendium of Multistakeholder Perspectives: Protecting the Healthcare Sector from Cyber Harm. This report provides insights and best practices ranging from how to better secure hospital IT systems to the need to implement international law and norms. Together, these multistakeholder perspectives present ways in which we can all contribute to strengthening the protection and resilience of this vital sector and improve its cyber security for the years ahead.

You can find the whole document here.

NÚKIB issued a warning

The National Cyber and Information Security Agency issues the following warning about a cyber security threat of the use of technology or software not originating from the states of the European Union, the European Economic Area, the Organisation for Economic Co-operation and Development or the North Atlantic Alliance for implementation of technologies enabling the required level of direct metering of types B, C1, C2 or C3 pursuant to Decree No 359/2020, on electricity metering.

The Agency has evaluated this threat as “High” – the threat is likely to very likely.

The National Cyber and Information Security Agency issues the following: Warning

NÚKIB issued a warning

The National Cyber and Information Security Agency issues the following warning against a cyber security threat consisting of non-compliance with contractual obligations by suppliers of ICT services and products with significant ties to the Russian Federation. The Agency rates the threat as High – the threat is likely to very likely.

The National Cyber and Information Security Agency issues the following: Warning