
The National Security Authority (NBÚ) has prepared an amendment to Act No. 69/2018 Coll. on cyber security, which has sparked widespread debate among experts. The amendment was approved and entered into force on August 1, 2021. In this article, you will learn what changes have been made and which parts have caused the most controversy.
The amendment to the Cyber Security Act was drafted based on the requirements of the European Union and the obligations of the NBÚ arising from the Programme Statement of the Government of the Slovak Republic. According to the NBÚ, the amendment implements Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act). According to its author, the amendment is intended to increase the powers of national authorities, regulate the cybersecurity certification process and the position of the auditor, and clarify certain definitions in the Act. A further primary purpose of the amendment is to implement the EU 5G Toolbox (strategic and technical measures to mitigate risks and enhance the integrity and security of new networks).
What changes has the amendment brought?
The changes brought about by the amendment to the Cyber Security Act mainly concern the expanded powers of the authority. These changes have sparked widespread debate.
The professional public's biggest objections to the amendment mainly concern the automated provision of information and the institution of blocking and restricting the use of products or services.
In the case of automatic provision of information, the authority may, by decision, impose an obligation on the operator of an essential service to automatically assess the occurrence of a cyber security incident and subsequently report it. This simplifies the automated process of reporting security incidents by selected operators of essential services. In the eyes of the professional public, this competence of the authority raises a number of questions and gives the impression that citizens' privacy will be significantly infringed.
In its statement, the NBÚ informed the public that it does not have the power to collect any data (whether personal or sensitive) and cannot directly interfere with any software or network communications. It further stated that it can only work with information at the level of technical identifiers, which it will issue regularly, and that the selected operator will have to check, on the basis of a decision, whether its systems and services record the occurrence of the issued sets of technical identifiers and subsequently inform the authority of any findings. Provided that the authority's powers are not abused, these obligations should ensure a quick and effective response to security incidents.
In the authority's view, the blocking mechanism is not a new invention, as the National Security Authority's document entitled Rules for Blocking was approved by the Security Council of the Slovak Republic in 2019. This document is supposed to set out a procedure for blocking cyber security attacks that is in line with international standards. The blocking measure should mainly apply to operators of essential services and was proposed by the Slovak Ministry of Economy. Essentially, it involves blocking in cases where a cyber security incident is being resolved. According to the authority, the content of communications is not monitored and no data is collected, but technical identifiers (e.g., IP addresses, control server addresses, etc.) are monitored. However, for the professional public, this is a new obligation whose purpose and scope are very unclear, and an update to the Decree is awaited, which could, in theory, specify the purpose and scope of this obligation in more detail. The update to the Decree is also expected to provide a detailed analysis and set rules for this institution, as it is closely related to interference with fundamental rights and freedoms. The NBÚ is fully aware of this fact and states that the blocking mechanism is only a last resort for resolving cyber incidents in cases where other tools are ineffective, such as a persistent attack and threat to the end user.
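The checking obligation described above (an issued set of technical identifiers, an operator check of whether its own logs record them, and a findings report back to the authority) as an added example; this is not code from the article or from the NBÚ, and the identifier set, its id, the log format and all addresses are constructed placeholders:

```python
import ipaddress
import re

# Constructed identifier set; a placeholder standing in for one the authority
# would issue (the page names IP addresses and control-server addresses).
ISSUED_SET = {
    "set_id": "EXAMPLE-SET-001",   # placeholder, not a real set identifier
    "ips": ["198.51.100.23"],      # RFC 5737 documentation addresses
    "cidrs": ["203.0.113.0/24"],
    "domains": ["c2.example.net"],
}

# Constructed sample log lines in a simple "timestamp src= dst= qname=" shape.
SAMPLE_LOGS = [
    "2021-08-02T10:00:01Z src=10.0.0.5 dst=198.51.100.23 qname=-",
    "2021-08-02T10:00:02Z src=10.0.0.7 dst=93.184.216.34 qname=www.example.org",
    "2021-08-02T10:00:03Z src=10.0.0.9 dst=203.0.113.77 qname=-",
    "2021-08-02T10:00:04Z src=10.0.0.5 dst=10.0.0.1 qname=c2.example.net",
    "2021-08-02T10:00:05Z src=10.0.0.5 dst=198.51.100.23 qname=-",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def match_line(line, issued):
    """Return the identifiers from the issued set that this log line records."""
    fields = dict(FIELD_RE.findall(line))
    nets = [ipaddress.ip_network(c) for c in issued["cidrs"]]
    hits = set()
    for key in ("src", "dst"):
        try:
            addr = ipaddress.ip_address(fields.get(key, ""))
        except ValueError:          # missing or malformed address field
            continue
        if str(addr) in issued["ips"]:
            hits.add(str(addr))
        hits.update(str(n) for n in nets if addr in n)
    qname = fields.get("qname", "-").lower().rstrip(".")
    if qname in issued["domains"]:
        hits.add(qname)
    return hits

def build_report(log_lines, issued):
    """Count occurrences per identifier. The report carries identifiers and
    counts only, not log content: the page says only identifiers are exchanged."""
    counts = {}
    for line in log_lines:
        for ident in match_line(line, issued):
            counts[ident] = counts.get(ident, 0) + 1
    return {"set_id": issued["set_id"], "findings": counts}
```

Running `build_report(SAMPLE_LOGS, ISSUED_SET)` yields the per-identifier counts an operator would return, with no source addresses or log lines included.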
Another power of the NBÚ is the possibility, under certain circumstances, to prohibit or restrict the use of a specific product, process, service or third party for the provision of an essential service. This is a broad power of the authority, which in a certain way interferes with property rights without the possibility of compensation. The authority may decide on such a prohibition or restriction without prior warning or discussion. This is a decision of the NBÚ outside of administrative proceedings, without the procedural participation of the operators concerned. This means that an operator affected by a prohibition or restriction may be blocked without knowing the reason and without being able to take corrective action to prevent the blocking. According to the NBÚ, the decision is made based on a risk analysis and assessment by the Security Council of the Slovak Republic. Also, the decision is preceded by an objection procedure, the proposal is published on the authority's website for 30 days, and the decision can be reviewed by the Constitutional Court of the Slovak Republic.
This power does not apply only to Slovak operators, but may also affect foreign operators conducting business in Slovakia.
This measure would, for example, ensure a prompt response by the authority to attacks (e.g., DoS attacks) that would overwhelm operators' systems. However, it is necessary to precisely define and establish the authority's powers in relation to this right, which have not yet been clearly communicated, in order to prevent abuse.
Blocking harmful activities or content that could cause a security incident will thus depend entirely on the decision of the NBÚ, which will be based entirely on suspicion. If we were to put these restrictions into practice, we could say that the authority could, for example, ban the use of certain services/products originating from Russia or China, or even block access to individual websites.
The amendment also introduced changes concerning the obligations of essential service operators. The deadline for adopting and complying with general security measures has been extended from the original six months to 12 months from the date of notification of inclusion in the register of essential service operators. When concluding a contract with a third party to ensure compliance with security measures and notification obligations, a risk analysis must be carried out. The amendment also regulates the obligation to conclude a contract, stipulating that the obligation does not apply if the third party is an operator of an essential service or a digital service provider, or if the risk in relation to the activity is low.
The amendment also regulates security measures to ensure cybersecurity. The security measures are more comprehensive than those contained in the law prior to the amendment. In view of the extension of security measures and the need for their further specification, we expect an amendment to the Cyber Security Decree.
We will keep you informed of developments and any amendments to the Cyber Security Decree.
Sources:
https://touchit.sk/ako-je-to-teda-s-novelou-zakona-o-kybernetickej-bezpecnosti/340655