Public authorities and legal or natural persons that are bound by obligations in the cyber security field are as follows:

a) An electronic communication service provider and an entity operating an electronic communications network, unless they are public authorities or legal or natural persons specified in letter b)
b) A public authority or legal or natural person administrating an important network, unless they are the operator or the administrator of a communication system according to letter d)
c) An operator and an administrator of a critical information infrastructure information system
d) An operator and an administrator of a critical information infrastructure communication system
e) An operator and an administrator of an important information system
f) An operator and an administrator of an information system of essential service, unless they are the operator or the administrator specified in letters c) or d)
g) An operator of an essential service, unless they are the operator or the administrator specified in letter f)
h) A digital service provider

Obligations given by the Act on cyber security
Four main obligations:

  • introduce and implement security measures to the extent necessary for ensuring cyber security of the information or communication system of critical information infrastructure (security measures based on ISO 27001 and ISO 27002)
    • Security measures are a set of activities with the purpose of ensuring the security of information in information systems and the availability and reliability of services and electronic communication networks in cyberspace. Security measures are organisational measures and technical measures. Extent of security measures for obliged public authorities and legal or natural persons is set by implementig legal regulation (The Decree No 82/2018 Coll. on Security Measures, Cybersecurity Incidents, Reactive Measures, Cybersecurity Reporting Requirements, and Data Disposal (the Cybersecurity Decree).
  • announce contact details
    • Contact details meanthe following:
      1. For a legal person, the trading company or the name, registered office address, identification number of the person or similar number assigned abroad.
      2. For a natural person pursuing business, the trading company or the name including a differentiating amendment or other designation, registered office address and identification number of the person.
      3. For a public authority, its name, registered office address, identification number of a person, if assigned, or an identifier of the public authority if an identification number was not assigned.
      4. Also including information about a natural person that is entitled to act on behalf of thepublic authority or the legal or natural person specified in Section 3 in issues governed by this act, i.e. his/her name, surname, phone number and email address.
  • report cyber security incidents
    • Obliged persons are obliged to report cyber security incidents in their important network, in their information or communication system of critical information infrastructure, or in their important information system immediately after their detection; this shall not affect their obligation to provide information according to another legal regulation or directly applicable European Union regulation governing personal data protection. If the cyber security incident has a significant impact on the continuity of the provision of an essential service, the essential service operator shall inform the Agency of this fact.
  • apply the warnings and reactive or protective measures imposed by the National Cyber and Information Security Agency
    • Measures are actions that are needed to protect information systems or services and electronic communication networks from a threat in the field of cyber security or from a cyber security incident, or to resolve an already occurred cyber security incident. Obliged persons are obliged to apply the measures.