On 25 March 2022, the Government Legislation Centre published what is now the seventh version of a bill amending the National Cybersecurity System Act. The previous version of the bill, of 12 October 2021, caused much controversy among the public – especially proposals regarding the procedure for classifying a hardware or software supplier as a high-risk supplier, and the possibility of instructions being issued as security measures requiring the entities that form the national cybersecurity system to take certain kinds of action.
The most significant change in relation to the proposal for the amendment of October 2021 is the inclusion of electronic communications enterprises in the national cybersecurity system. The term "electronic communications enterprise" proposed in the March bill matches the definition of an electronic communications enterprise in the proposal for the Electronic Communications Law: telecommunications operators and entities providing publicly available number-independent interpersonal communication services. Under the proposed amendment, these entities would have an obligation to apply requirements provided for in the bill amending the National Cybersecurity System Act.
The new proposal for an amendment is an attempt to implement certain provisions in the European Electronic Communications Code on security of a network and a service, resulting in new obligations for electronic communications enterprises, such as:
- systemic assessment of risk of a particular threat occurring;
- posting information on their websites regarding possible threats related to use of electronic communications services and recommended precautions;
- taking technical and organizational measures to ensure confidentiality, integrity, accessibility and authenticity of processed data, and an adequate level of cybersecurity;
- operations related to telecommunications incidents, such as reporting them within 24 hours of discovery.
Electronic communications enterprises could face heavy fines for breach of the obligations specified in the proposed amendment, of up to 3% of the firm’s revenue in the previous calendar year.
Due to the growing public demand for the amendment to be passed soon, work on the bill can be expected to accelerate. Work is also needed on the proposal for the Electronic Communications Law at the same time as work on the amendment, due to the strong connection between these bills. In addition, in view of the long history of work on these bills, it is not certain when they will come into force and whether the final versions will be the same as the current proposals.