There has been quite a lot of noise in recent months regarding the new draft Cybersecurity Act implementing the EU NIS2 Directive. After the publication of the initial draft of the new Act, the National Cyber and Information Security Agency (NCISA) received more than a thousand comments from government agencies and private entities, many of them justified.
Despite a fairly broad consensus on the text implementing the NIS2 Directive itself, the mechanism for assessing the risk posed by suppliers to critical infrastructure is the part of greatest public concern. Under this mechanism, the NCISA would gain the power to “arbitrarily” assess and identify entities that pose a risk to the critical infrastructure of the State.
While this measure is primarily aimed at companies such as Huawei and ZTE, which the NCISA identified as a threat as early as 2018, it could, however, affect up to 150 other entities using technology from Chinese (and other) companies. Some entities have already indicated that, if the proposed draft were passed in its current form, they would seek compensation for their lost investments through the courts.
Right intention, “hasty” implementation
At present, the Czech legal system lacks a mechanism that would enable the assessment of the security reliability of a supplier and, if necessary, the complete exclusion of untrustworthy suppliers of technological elements from the critical infrastructure.
While the good intention of protecting the Czech Republic from suppliers threatening its security can be applauded, the implementation itself seems problematic for a number of reasons. The fundamental objection is that the decision would rest solely on the NCISA’s own assessment of the entity concerned, which runs counter to the basic principles of transparency and predictability, not to mention that it concentrates quite substantial powers over the business environment in the hands of a single authority.
However, it should be noted that the NCISA has been mandated directly by the National Security Council to establish the risk mechanism and thus has a very strong ally. The National Security Council did so in particular in response to the ever-increasing cyber threats and the war in Ukraine.
It is now up to the NCISA to respond to the comments received and, if necessary, to modify the draft Act accordingly. One option is to separate the section on the regulation of supply chains into a separate procedure and focus the amendment in question only on the implementation of the NIS2 Directive. It is of course possible that the draft will go straight to the inter-ministerial comment procedure.
However, one thing is certain - we will continue to monitor the new Cybersecurity Act and its implementing regulations for you and will bring you our insights on the latest developments.