Reducing dependence on suppliers who pose a strategic threat in the field of cyber security is essential not only for the security of key entities for the state and society but also for national security in general. The National Security Council (BRS) has therefore authorized the National Cyber and Information Security Agency (NÚKIB) to prepare a bill that would enable the government to assess suppliers to the strategically important infrastructure, thereby strengthening the resilience and security of the Czech Republic.
In response to the worsening security environment, in June 2022, BRS ordered NÚKIB to submit a bill proposal by May 2023, enabling the government to assess suppliers to strategically important infrastructure. The main objective of this assessment is to increase the resilience and security of the Czech Republic.
Current developments show that supply chain security and the trustworthiness of suppliers in the field of information and communication technologies have a fundamental impact on the security of entities that are crucial for the state and society and, thus, on national security. Cyber security threats arising from technology supply chains have been known for a long time. However, there is currently no comprehensive legal solution in the Czech legal system that would enable the risks these threats pose to strategic infrastructure to be assessed and mitigated in a targeted and effective manner. The bill in preparation aims to change this unsatisfactory situation.
The assessment mechanism will allow the government to exclude high-risk suppliers from supplies to strategic infrastructure, thereby significantly limiting the impact of undue foreign influence on the provision of essential functions of the state. It will reduce the dependence of strategic infrastructure on suppliers who pose a strategic threat in the field of cyber security and contribute to ensuring long-term sustainable security and resilience. This mechanism will help to prevent a similarly undesirable dependence, and the negative impacts that follow from it, as is currently the case with natural gas, for example.
The bill in preparation will empower the relevant state authorities to evaluate and potentially restrict high-risk suppliers. Criteria related to areas such as the influence of a foreign state on suppliers or cases of technology misuse to disrupt strategic infrastructure will be evaluated. The specific form of the assessment process is currently being discussed across the relevant state administration bodies.
“The scope of the impact of the regulation is not yet precisely defined, but we are working intensively on it. When we talk about strategic infrastructure, we have in mind the set of systems of critical information infrastructure and essential services as defined by the Act on Cyber Security. In this area, changes await in connection with the implementation of the NIS2 directive, which will increase the number of obliged entities and persons to several thousand. However, the mechanism in preparation considers these changes and will not apply to most of these new obliged persons. The aim is to cover the set of institutions that provide or secure services with the greatest impact on the functioning of the state and society,” says Lukáš Kintr, the director of NÚKIB.
NÚKIB expects to follow existing best practice when drafting the bill. At the appropriate stage, the expert community will be given the opportunity to provide NÚKIB with suggestions for the bill beyond the scope of the standard interdepartmental comment procedure. As this is a complex and sensitive issue, NÚKIB is leading, and intends to continue leading, a broad, expert and, above all, constructive debate.
The mechanism is based on the principles of the Cyber Security Act (ZKB). The forthcoming legislation will complement the current approach to ensuring cyber security in the Czech Republic, under which the system administrator is responsible for the overall security of the system. The assessment mechanism will thus introduce a new state input into the process by assessing suppliers at the strategic level of security. These are assessments that infrastructure managers are not in a position to carry out themselves; the state, with its security and intelligence apparatus, is therefore the appropriate entity to assess and evaluate supply chain security. Importantly, NÚKIB aims to set up an efficient assessment process that fulfils its purpose while minimizing the administrative and financial burden on both obliged entities and the government. Therefore, the assessment will concern only those supplies that are directed to clearly defined, pre-determined parts of the strategic infrastructure that are critical to the functioning of the Czech Republic. Supplies that are not relevant to the security of this infrastructure will not be assessed.
The current cyber security legislation will remain valid and effective until the adoption of the new law. In the context of mitigating the risks posed by high-risk suppliers, the responsibility to manage risks associated with suppliers lies with the infrastructure administrators of obliged authorities and persons, in accordance with the Act on Cyber Security and the Decree on Cyber Security.
Administrators and operators of critical information infrastructure and other persons subject to the Cyber Security Act are still obliged to consider warnings previously issued by NÚKIB. The “Recommendation for assessing the trustworthiness of technology suppliers of 5G networks in the Czech Republic,” prepared by NÚKIB in cooperation with other partners, can serve as a non-binding tool for assessing the riskiness of suppliers.