
After initial deliberations on which suppliers should be assessed, to what extent, and which infrastructure should be covered by limits on the use of high-risk suppliers, the National Cyber and Information Security Agency (NÚKIB) is now finalizing legislation that should significantly limit the influence of high-risk suppliers on the Czech Republic's most important infrastructure.

In June 2022, the National Security Council of the Czech Republic instructed NÚKIB to prepare draft legislation introducing a supplier assessment mechanism with a deadline for submission to the government by May 2023. "I am pleased that, despite the complexity of this issue, we are succeeding in meeting the timetable for preparing the draft legislation. We are already close to being able to consult the specific wording of this extremely important legislation with partners from the public administration, as well as private and academic sectors," Lukáš Kintr, Director of NÚKIB, commented on the progress and added: "I believe that if all parties involved in the preparation are active and constructive, the Czech Republic can have a comprehensive system for reducing the state's dependence on untrustworthy foreign suppliers within two years. In the field of information technology, we hope to avoid the situation we are currently observing, for example, in connection with oil and gas supplies from the Russian Federation."

The supplier assessment mechanism should enable the state to identify untrustworthy suppliers of technological components for the Czech Republic's most significant strategic infrastructure, assess the risk associated with these suppliers, and, where the risk is high, restrict the use of such suppliers in that infrastructure.

As the term "most significant" suggests, the pending legislation should not apply to all systems and services regulated by Act No. 181/2014 Coll., on Cyber Security and on the Amendment of Related Acts (Act on Cyber Security), but only to the subset with the most significant impact on the state and society. Under the current categorisation of regulated entities in the Act on Cyber Security, the new legislation should cover critical information infrastructure and the information systems of essential services.

Nevertheless, the categorisation of regulated entities in the cybersecurity field will change with the update of the EU Network and Information Security (NIS) Directive, the so-called NIS2. The transposition of NIS2 into national law is carried out by NÚKIB, so the two legislative changes are being prepared together and in synergy. The resulting proposals should thus comply in full with both Czech and EU-wide needs and requirements. NIS2 is expected to change only the terminology used by the supplier assessment mechanism, not the scope of the entities it covers.

According to the draft mechanism, the assessment should be conducted by NÚKIB in cooperation with ministries, intelligence services, and other state bodies that hold information relevant to assessing a supplier's trustworthiness. The basis of the mechanism, however, will be basic information on suppliers provided by the individual administrators of the regulated infrastructure. This information will be combined with the state's own information and information obtained from partner states and will be used to assess whether specific supplier assessment criteria are met. The criteria are to examine the existence and severity of threats posed by supply chains to national security or public order, for example through the potential for a foreign state to take over a supplier, use the supplier for state espionage, or disrupt the availability of critical infrastructure from abroad.

The assessment itself will be conducted by the state and will focus on suppliers already delivering their products or services to the strategic infrastructure, as well as on their subcontractors and potential suppliers. If a risk associated with a supplier is identified, the state will be able to restrict its use in the regulated infrastructure, similar to the current warning under the Act on Cyber Security, or even prohibit the supplier by means of a measure of a general nature binding on all relevant infrastructure administrators. There will be no legal entitlement to have a supplier assessed, and it is not the state's ambition to assess all of them. Only suppliers for which there is an indication of a possible threat, for example due to the current security situation, will be assessed.

Above all, the mechanism is intended to assess potential suppliers, so that all parties are aware of any restrictions before a specific supplier is selected and a contract is signed. However, a supplier may also be assessed as untrustworthy after a contract has already been concluded. In that case, the infrastructure administrator will be given a reasonable period to replace the untrustworthy supplier with a trustworthy one, so that the restriction affects their business or other activities to the least possible extent. The whole process will therefore be as transparent and as protective of the rights of the infrastructure administrator and the supplier as possible. This includes the possibility for the authorities and persons concerned to comment on the scope of the intended prohibition on the use of the supplier.

The expert community will have the opportunity to comment on the draft in a public consultation in the first quarter of next year. Information on further progress, including how to comment on the draft, will be published on the NÚKIB website.