Obligations under the amended Cybersecurity Act
28 January 2025
The amendment to the Cybersecurity Act, following the transposition of the NIS2 Directive into national legislation, has introduced many obligations effective from January 1, 2025. These obligations mainly apply to new operators of essential services.
They should be fulfilled within specified time intervals:
- Within 60 days (no later than 2 March 2025) from the effective date of the amended Act, the entity must submit a Notification of Registration in the Register of Operators of Essential Services and at the same time appoint a Cybersecurity Manager, who must not have a conflict of interest and should meet the knowledge standards in the field of cybersecurity as stipulated by Decree No. 492/2022 Coll., pursuant to Section 17(2) of the Act.
- Within 12 months from the date of registration in the Register of Operators of Essential Services (OES), and depending on the conducted risk analysis, the operator must adopt, comply with, and implement general security measures in the scope defined in Section 20 of the Act, and document these adopted security measures in the form of security documentation.
- Within 24 months from the date of registration in the Register of OES, the operator of essential services is obliged to verify the effectiveness of the adopted security measures and compliance with the requirements set out by the Act by conducting a cybersecurity audit. The cybersecurity audit must be performed by a certified cybersecurity auditor. An operator of essential services that is not an operator of critical essential services may fulfill the obligation to conduct a cybersecurity audit by performing a self-assessment through the unified cybersecurity information system. The self-assessment is conducted by the Cybersecurity Manager. However, such an operator of essential services is required to undergo a cybersecurity audit by a certified auditor within five years of the date of its inclusion in the Register of Operators of Essential Services.
For entities already registered in the Register of Operators of Essential Services, not much changes. However, additional obligations have been introduced that these entities must also fulfill. First and foremost, it is necessary to carry out a risk analysis so that they are able to adopt security measures in accordance with Section 20 of the Act. A list of these measures can be found at the end of this article.
They are also required to continue complying with the audit periodicity that was established prior to the amendment of the Act, which is once every two years. If they previously fell into Category I or II, they may, in 2025 and 2026, carry out the audit again through self-assessment, even if they would otherwise fall into a category with a high level of criticality. This mainly applies to public administration entities. The classification of sectors by level of criticality can be found in the annexes to the amended Act.
Sectors with a high level of criticality: https://www.zakonypreludi.sk/disk/zz/file/2018/2018c000z0069_p01.pdf
Other critical sectors: https://www.zakonypreludi.sk/disk/zz/file/2018/2018c000z0069_2024c000z0366p002.pdf
Security measures pursuant to Section 20 of the Act and security documentation
RNDr. Daniel Schikor
Cybersecurity Manager