NÚKIB has issued a warning about Russia-related economic sanctions

The threat lies in the effects of economic sanctions on and from the Russian Federation, which can lead to non-compliance with contractual obligations by ICT providers who have a significant relationship with the Russian Federation.

NÚKIB recommends that organizations subject to cybersecurity law take precautionary measures to ensure that possible non-compliance with contractual obligations by suppliers with a significant relationship with the Russian Federation does not limit the functionality of the systems that they manage. It also recommends that this threat be taken into account in business continuity plans so that the provision of services can be ensured even if the threat persists.

“We are issuing this warning as a precaution. We are warning of the heightened level of threat that those obligated under cybersecurity law face on a regular basis. There is a risk that one of their major vendors of ICT does not provide the necessary products or services. NÚKIB warns of the level of this threat, which is linked to suppliers who, due to the current economic sanctions, are more likely not to be able to meet their obligations,” says the director of NÚKIB, Karel Řehka.

NÚKIB rates the probability of this threat as High, i.e. the threat is likely to very likely. In connection with this threat, it recommends performing the actions described in the warning.

Administrators and operators of systems governed by cybersecurity law must deal with the warning; in particular, they must take it into account in their risk analysis and take appropriate measures. The warning issued contains a proposal of possible measures. Persons not covered by the Cybersecurity Act may also consider taking the actions recommended by the warning if they deem it relevant to their needs.

The full text of the NÚKIB warning can be found at this link: https://www.nukib.cz/en/uredni-deska/.

Questions and answers

  1. Why did NÚKIB issue a warning?

NÚKIB issues warnings in accordance with § 12 of the Cybersecurity Act (ZKB) if it becomes aware of a threat in the area of cybersecurity.

In accordance with the ZKB, NÚKIB will issue a warning if it learns of a threat in the field of cybersecurity, in particular from its own activities or at the initiative of the national CERT operator or of authorities operating in the field of cybersecurity abroad. In view of the above, NÚKIB must issue a warning if it becomes aware of a cybersecurity threat. Based on this, NÚKIB issued a warning.

Specifically, NÚKIB is issuing the warning as a precautionary measure, as the threat of breach of contractual obligations by suppliers with a significant relationship with the Russian Federation is increasing. This is mainly due to the economic sanctions imposed on and by the Russian Federation. In addition, some private ICT companies in the Russian Federation are ceasing to provide services and support. As a result, where there is dependence on ICT products and services from suppliers with a significant connection to the Russian Federation, there is a risk that the continuity of the dependent information and communication systems will be in danger.

In accordance with the law, the warning is published on the official notice board of NÚKIB, and the organizations obligated under the ZKB are then also informed of its publication and must continue to work with it.

  2. What does the warning mean?

The warning primarily warns of the threat, or rather its increased level.

In accordance with § 12 of the ZKB, NÚKIB uses the warning to draw attention to the existence of a threat in the field of cybersecurity. The threat may concern an indeterminate number of obliged entities, and these entities must respond appropriately. The warning also contains recommendations on how to deal with the threat.

  3. Is the warning binding? For whom?

The warning is binding on the organizations obligated under the ZKB. These organizations are required to assess threats associated with their ICT systems and respond to those threats. For other organizations, the procedures it contains can be used as recommendations. Citizens are not obliged to take this threat into account, but they can use its content, which may have general information value for them.

  4. What is the threat?

The threat highlighted by the warning is the possible non-compliance with contractual obligations by suppliers with a significant connection to the Russian Federation. In other words, due to economic sanctions imposed on the Russian Federation by states, there is a risk that ICT providers with a significant relationship with the Russian Federation may not be able to provide their ICT services and products as before. This situation can in some cases disrupt the continuity of the information and communication systems that depend on these supplies. The situation described above may be further aggravated by the restrictions imposed on the services of multinational corporations in the Russian Federation (for example, manufacturers of ICT components and platforms).

If this threat were to materialize, it could have an impact on maintaining the functionality of information and communication systems that are important for the functioning of the Czech Republic or for meeting the needs of its citizens.

  5. So what should obligated entities do?

Persons obligated under the ZKB must take the threat into account in their risk analysis, i.e. for suppliers identified as having a significant relationship with the Russian Federation, increase the value of the threat of the type “non-fulfilment of contractual obligation by the supplier” to the value determined by the warning, and adjust subsequent information security management processes accordingly.

The warning contains recommendations on how to prevent situations in which key ICT services or products are not provided. However, there may also be cases where this threat cannot be effectively prevented. In such a case, it is necessary to prepare for a situation where the service will have to be provided in an alternative way, i.e. without the use of systems that depend on the provision of ICT services or products by suppliers linked to the Russian Federation.

  6. What does it mean that the threat is rated as High, i.e. likely to very likely?

In the terminology of the Cybersecurity Act, rating the threat as High means that it is likely to very likely. This is the third level of the four-point scale used by the Cybersecurity Act to assess threats. It is a quantification of the value of the threat for the purpose of its assessment in the risk analysis, which must be carried out by persons obliged by law. It thus provides guidance to persons obliged under the Cybersecurity Act on the severity of the threat and also on the value to be used in the risk assessment in accordance with Article 5 of the Cybersecurity Decree.

  7. Are ICT products and services from companies linked to the Russian Federation now banned?

They are not. The warning only draws attention to the increased threat of unavailability of ICT products and services dependent on suppliers with a significant relationship with the Russian Federation. If an information or communication system dependent on these products is important for the functioning of the State or the provision of services to citizens, this must be taken into account and appropriate measures must be taken. A proposal of possible measures is part of the warning.

  8. Is the reason for this warning the legislative environment of the Russian Federation, which obliges private companies governed by Russian law to meaningfully cooperate with the state and provide it with information about their customers?

The legislative environment of the Russian Federation is not a direct reason for issuing this warning. The warning is based on the objective fact that economic sanctions by or against the Russian Federation may affect the reliability of the supply of ICT services or products by suppliers having a significant relationship with the Russian Federation.

Regarding the nature of the Russian legal environment, NÚKIB has published a notice on its website. What it contains continues to apply. Alerts are available HERE.

  9. What is a “supplier with a significant connection to the Russian Federation”?

Defining a supplier with a significant connection to the Russian Federation is not straightforward. In general, one or more characteristics must be taken into account. The warning gives an illustrative list of them:

  • The supplier is based in the Russian Federation or depends on deliveries from the territory of the Russian Federation.
  • An ICT product or service essential to the functionality of a managed or operated information or communications system is provided through the provider’s branch in the Russian Federation.
  • An ICT product or service essential to the functionality of a managed or operated information or communications system has its development or production located in the Russian Federation.

  10. Can I use the warning in public procurement?

Persons obligated under cybersecurity law are required to take the increased threat level into account in their risk analyses. If they subsequently identify an unacceptable risk with respect to suppliers who have a significant relationship with the Russian Federation, they would have to remedy this situation. This can also be reflected in the requirements placed on suppliers in public procurement. The warning is a legally binding basis for this procedure. Thus, as is apparent from the warning itself, taking into account the requirements of the warning to the extent necessary cannot be regarded as an unlawful restriction of competition or an unjustified impediment to competition.

author: Press release