As of the end of 2022, the tally is that the Slovak Cyber Security Act (“ZoKB”) has been amended seven times. A further, relatively extensive amendment can already be foreseen, triggered by the new NIS 2 Directive, whose final version should see the light of day later this year.
The NIS 2 Directive will not only replace its predecessor from 2016, but will also significantly expand the range of obliged persons, which we know today in Slovakia as operators of essential services. Obliged persons will now be divided into two basic groups: essential entities and important entities.
More significant, however, is the expansion of the regulated areas. Compared to the current ZoKB, the following sectors and sub-sectors will be added:
- Wastewater;
- Space;
- Postal and courier services;
- Waste management;
- Production, processing and distribution of food;
- Hydrogen;
- District heating and cooling;
- Manufacturing (medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles, other transport equipment, etc.).
Some existing sectors and sub-sectors are also changing; for example, data centre service providers are added to the “Digital infrastructure” sector.
There is also a change among digital service providers: cloud computing service providers are removed from that category and become essential entities. Digital service providers nevertheless remain ‘three’, as the current online marketplaces and online search engines are joined by providers of social networking services platforms.
It is expected that several hundred to a thousand new entities could be added in Slovakia as a result of this expansion. The resulting scope is difficult to predict, as it will be determined by the identification criteria (thresholds) that the Slovak Republic sets under the existing Decree No. 164/2018 Coll., and these will decide which entity falls within the scope of the ZoKB and which does not. Finally, a comparison of the national cyber security regulations of Slovakia and the Czech Republic speaks for itself: after transposing the same regulation (the NIS Directive of 2016), we have approximately 3,000 obliged persons in Slovakia, while in the Czech Republic the number is ten times lower.
As the transposition of the NIS 2 Directive is very likely to take place also (mainly) through the ZoKB, selected entities carrying out activities in the above sectors will also be obliged to comply with the requirements of the ZoKB.
The extension of the scope of the ZoKB to new sectors and sub-sectors is therefore obvious. However, the NIS 2 Directive also introduces new requirements compared to its predecessor, which should be reflected in the national legislation of the Member States.
In this context, the essential question is what specific requirements the NIS 2 Directive brings, and to what extent and in what way they will be reflected in national law. Like its predecessor, the NIS 2 Directive sets out only a general minimum security framework, that is, the ‘must have’ requirements to be mirrored in national legislation.
These are the following requirements:
- Risk analysis and information system security policies;
- Incident handling (incident prevention, detection and response);
- Business continuity and crisis management;
- Supply chain security, including the security aspects relating to the relationship between each entity and its suppliers or service providers, such as storage and processing service providers or managed security services;
- Security in the acquisition, development and maintenance of networks and information systems, including vulnerability handling and disclosure;
- Policies and procedures (testing and auditing) to assess the effectiveness of cyber security risk management measures;
- Use of cryptography and encryption.
From this point of view, the Slovak ZoKB can be regarded as ahead of its time, as all of the above requirements are already contained in today’s ZoKB. Of course, it cannot be ruled out that the existing legislation will be further modified or extended as part of the transposition process, but such changes are difficult to foresee. After all, even the current version of the ZoKB was not dictated entirely by the requirements of the original NIS Directive; in the wording of the ZoKB the Slovak Republic went beyond the European requirements. The only certainty today is therefore that we will get to know the intended changes to the ZoKB during the legislative process, in which we plan to take an active part.
The most significant change that the NIS 2 Directive brings with respect to the current wording of the ZoKB is not new obligations, but the number of new entities that will be obliged to comply with the existing, and prospectively additional, obligations under the ZoKB.
If I had to predict where and how the ZoKB will (or should) change, it would be as follows:
- Addition of a new obligation to report serious cyber threats alongside cyber security incidents;
- Addition of deadlines for reporting cyber security incidents (an initial notification within 24 hours of becoming aware of the incident and a final report on the handling of the incident no later than one month after the initial notification);
- Possibility to agree with the competent authority (e.g. the CSIRT unit) on an extension of the deadlines under the point above;
- A response to the initial incident report, including initial feedback on the incident from the recipient of the report;
- Guidance on the implementation of possible mitigating measures for the reported incident (at the request of the notifying entity);
- An increase in fines to up to €10,000,000 or 2% of total worldwide annual turnover.
In the context of the above possible changes to the ZoKB, the following is worth noting.
The first is the admittedly subtle but very important extension of the notification obligation to cyber threats. The current version of the ZoKB, under threat of a penalty, requires operators to report only those serious cyber security incidents whose attributes (classification) are laid down in a specific decree[1]; voluntary reporting of anything else remains unaffected. A legal interpretation could lead to the nonsensical but legally consistent conclusion that an operator ‘waits, and may wait’ for an incident to reach at least the first level of severity before reporting it to the competent authority. The fact that obliged persons will now also have to report serious cyber threats (the classification will presumably be added later) removes this perhaps interpretatively sustainable, but from a practical, logical and, not least, security perspective unfortunate ‘wait and see’ reading of the incident reporting process.
The second is incident handling, where there is an explicit requirement on the part of the state (in particular the CSIRT units) to provide responses, feedback or guidance on reported incidents.
We know from experience that there have been situations in the past where operators of essential services received no feedback, assistance or help in response to their reports; sometimes they did not even receive an acknowledgement of receipt of the notification. This is not so much a criticism as a reflection of the actual state of the State’s capacity, which cannot reasonably be expected to deal individually with every reported incident.
The new obligations on the part of the state will undoubtedly contribute to faster and more qualified responses to incidents, which would then be handled by the state’s designated experts alongside the obliged persons. This will not happen, however, without an increase in capacity and remuneration at least close to the market average. Relying on the sincere motivation of experts to help the state and create value in the public interest has brought us to where we are today.
The impact of the NIS 2 Directive can be summarised as follows: an extension of the range of obliged persons, confirmation of the direction of the current ZoKB as regards requirements, and, last but not least, a change in the Slovak view of the role of CSIRT units in dealing with cyber security incidents.
Regarding the last point, the desired impact of the NIS 2 Directive could be procedures that move us from analysis and reflection to solving the long-term problem we have in Slovakia: building and maintaining expert capacity on the part of the state, specifically CSIRT units with sufficient personnel and material and technical support. Finally, the 2021 report on cyber security in the Slovak Republic clearly shows that the total number of detected and reported incidents exceeded 600,000, so there is more than enough work in this area. We are closely following developments in our country and will be happy to pass on our experience, whether in the legislative process or otherwise.
[1] Decree of the National Security Authority No. 165/2018 Coll., laying down the identification criteria for the individual categories of serious cyber security incidents and the details of reporting cyber security incidents.