The National Security Authority (NBÚ) drafted an amendment to Act No. 69/2018 Coll. on Cybersecurity, which sparked widespread debate among experts. The amendment was approved and entered into force on August 1, 2021. In this article, you will learn what changes have been made and which parts have caused the most controversy.
The amendment to the Cyber Security Act was drafted based on European Union requirements, as well as on the NSA’s obligations arising from the Program Statement of the Government of the Slovak Republic. According to the NSA, the amendment is the result of implementing Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (European Union Agency for Cybersecurity) and on the certification of information and communication technology cybersecurity, and repealing Regulation (EU) No. 526/2013 (Cybersecurity Act). According to the drafters, the amendment is intended to increase the powers of national authorities, modify the cybersecurity certification process and the status of auditors, and clarify certain definitional provisions of the law. The primary purpose of the amendment is also to implement the EU 5G Toolbox (strategic and technical measures to mitigate risks, intended to strengthen the integrity and security of new networks).
What changes has the amendment brought?
The changes introduced by the amendment to the Cybersecurity Act primarily concerned the expanded powers of the authority. These amendments sparked widespread debate.
The greatest reservations among experts regarding the amendment to the Act concerned, in particular, the automated provision of information, the institution of blocking, and restrictions on the use of a product or service.
In the case of automated information provision, the Office may, by decision, impose an obligation on an operator of an essential service to automatically assess the occurrence of a cybersecurity incident and subsequently report it. In short, this involves an automated process for reporting security incidents by selected operators of essential services. In the eyes of the professional community, this authority of the Office raises numerous questions, as well as the impression that citizens’ privacy will be significantly compromised.
In its statement, the National Security Authority informed the public that it has no authority to collect any data (whether personal or sensitive) and also cannot directly interfere with any software or network communications. It further stated that it may only work with information at the level of technical identifiers, which it will issue on a regular basis; based on a decision, the selected operator will be required to check whether its systems and services contain any instances of the issued sets of technical identifiers and subsequently inform the agency of any findings. Provided that the Office’s aforementioned powers are not abused, these obligations should ensure a rapid and effective resolution of security incidents.
From the Office’s perspective, the concept of blocking is not a new invention, as the National Security Authority’s document, the so-called Rules for Blocking, was already approved by the Security Council of the Slovak Republic in 2019. This document is intended to establish a procedure regarding the blocking of cyber security attacks that is in accordance with international standards. The blocking mechanism should primarily apply to operators of essential services and was proposed by the Ministry of Economy of the Slovak Republic. Essentially, this involves implementing blocking measures when addressing a cybersecurity incident. According to the agency, the content of communications is not monitored, nor is data collected; instead, technical identifiers (e.g., IP addresses, addresses of control servers, etc.) are tracked. For the professional community, however, this is a new obligation whose purpose and scope are highly unclear, and an update to the Decree is awaited, which could, in theory, further specify the purpose and scope of this obligation. The update to the Decree is also expected to include a detailed analysis and establishment of rules for this measure, as it is closely related to interference with fundamental rights and freedoms. The NSA is fully aware of this fact and states that the blocking mechanism serves only as a last resort for resolving cyber incidents in cases where other tools are ineffective, such as a persistent attack and a threat to the end user.
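As an added illustration of the identifier check described in the two paragraphs above (example code, not from the article or from the NBÚ), the following Python script scans constructed log lines for a constructed set of issued technical identifiers (IP ranges and a control-server domain) and aggregates findings per identifier; the identifier format, the log format and the report layout are assumptions, and the report keeps only the matched identifier and timestamps, not log content.

```python
import ipaddress
import re

# Constructed, hypothetical identifier set (documentation ranges), not an actual NBÚ issuance.
ISSUED_IDENTIFIERS = {"ip": ["203.0.113.0/24", "198.51.100.7"], "domain": ["c2.example.net"]}

# Constructed sample log lines in a firewall / DNS-resolver style.
SAMPLE_LOGS = [
    "2021-08-02T10:15:01Z fw src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2021-08-02T10:15:07Z dns client=10.0.0.9 query=c2.example.net type=A",
    "2021-08-02T10:16:00Z fw src=10.0.0.5 dst=192.0.2.10 dport=80 action=allow",
    "2021-08-02T10:17:30Z fw src=198.51.100.7 dst=10.0.0.22 dport=22 action=deny",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"query=([A-Za-z0-9.-]+)")

def compile_identifiers(issued):
    """Issued IPs become networks (a bare host becomes /32); domains are normalised."""
    nets = [ipaddress.ip_network(x, strict=False) for x in issued.get("ip", [])]
    domains = {d.lower().rstrip(".") for d in issued.get("domain", [])}
    return nets, domains

def scan_logs(lines, issued):
    """One finding per (line, matched identifier); only identifier and time are retained."""
    nets, domains = compile_identifiers(issued)
    findings = []
    for lineno, line in enumerate(lines, 1):
        timestamp = line.split(" ", 1)[0]
        for ip_str in IP_RE.findall(line):
            ip = ipaddress.ip_address(ip_str)
            for net in nets:
                if ip in net:
                    findings.append({"line": lineno, "time": timestamp,
                                     "identifier": str(net), "observed": ip_str})
        for dom in DOMAIN_RE.findall(line):
            if dom.lower().rstrip(".") in domains:
                findings.append({"line": lineno, "time": timestamp,
                                 "identifier": dom.lower(), "observed": dom})
    return findings

def build_report(findings):
    """Aggregate per issued identifier: hit count and first/last time seen."""
    report = {}
    for f in findings:
        e = report.setdefault(f["identifier"], {"hits": 0, "first": f["time"], "last": f["time"]})
        e["hits"] += 1
        e["first"], e["last"] = min(e["first"], f["time"]), max(e["last"], f["time"])
    return report
```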
Another authority of the NSA is the ability, under certain circumstances, to prohibit or restrict the use of a specific product, process, service, or third party for the provision of an essential service. This is a broad authority of the Office that, in a certain way, infringes upon property rights without the possibility of compensation. The Office may decide on such a prohibition or restriction without prior warning or discussion. This involves the NSA making a decision outside of administrative proceedings without the procedural participation of the affected operators. This means that an operator subject to a ban or restriction may be blocked without knowing the reason and without being able to take corrective action to prevent the blocking from occurring in the first place. According to the NSA, the decision is based on a risk analysis and assessment by the Security Council of the Slovak Republic. Additionally, the decision is preceded by an objection procedure; the proposal is published on the agency’s website for 30 days, and the decision is subject to review by the Constitutional Court of the Slovak Republic.
This authority applies not only to Slovak operators but may also affect foreign operators conducting business activities in Slovakia.
This measure would, for example, ensure a prompt response by the Office to attacks (e.g., DoS attacks) that could overwhelm operators’ systems. However, it is necessary to precisely define and establish the Office’s competencies regarding this authority, which have not yet been clearly communicated, to prevent its abuse.
Blocking harmful activities or content that could cause a security incident will thus depend entirely on a decision by the National Security Authority, which will be based entirely on suspicion. If we were to put these restrictions into practice, we could say that the agency could, for example, ban the use of certain services or products originating from Russia or China, or even block access to specific websites.
The amendment also introduced changes regarding the obligations of operators of essential services. The deadline for adopting and complying with general security measures has been extended from the original 6 months to 12 months from the date of notification of inclusion in the register of operators of essential services. When entering into a contract with a third party to ensure compliance with security measures and notification obligations, a risk analysis is conducted. The amendment also regulates the obligation to conclude a contract such that the obligation does not apply if the third party is an essential service operator or a digital service provider, or if the risk associated with the activity is low.
The amendment to the Act also regulates security measures to ensure cybersecurity. The security measures are more comprehensive compared to the wording of the law prior to the amendment. Given the expansion of security measures and the need for their further specification, we expect an amendment to the Cyber Security Decree.
We will keep you informed about developments and a possible amendment to the Cyber Security Decree.
Sources:
https://touchit.sk/ako-je-to-teda-s-novelou-zakona-o-kybernetickej-bezpecnosti/340655