November 2019 – The Slovak Cyber Security Act (Act No. 69/2018 Coll., the "Act") defines the minimum requirements to ensure cyber security in Slovakia. The Act applies to operators of essential services, i.e., to entities in key sectors, including banking, electronic communications, energy and healthcare,[1] and to digital service providers.

While the Act focuses on providers of services that are essential for the proper functioning of society and the economy, its measures may also apply to smaller companies in certain sectors. For instance, in healthcare the Act applies to (1) healthcare providers listed in Annex 1 of the Act, defined as "any persons or any other entity legally providing healthcare in the territory of a Member State", and (2) administrators and operators of networks and IT systems that form an element of critical infrastructure.[2]

Decree No. 164/2018 Coll., laying down identification criteria for operated services (essential services criteria), sets out the specific sector and impact criteria for healthcare. These include a minimum of 500 emergency beds in the last three calendar years, the status of a highly specialised traumatology care centre under separate legislation,[3] and the provision of laboratory services.[4]

In principle, operators of essential services are primarily obliged (1) to take the prescribed security measures, and (2) to address and immediately report security incidents. However, they are also obliged:

  1. to report to the National Security Authority (the "NSA") that the company should be registered in the register of essential services operators (and to inform the provider of electronic communication services of this);
  2. to take and comply with security measures to the extent prescribed;
  3. to address cyber security incidents (including providing appropriate evidence to be used in prosecution);
  4. to enter into an agreement on compliance with security measures and notification duties with providers of those services that directly relate to the operation of networks and information systems; and
  5. to comply with various notification duties:
    1. to report each substantial cyber security incident through the uniform cyber security information system;[5]
    2. to notify the providers listed above about any reported cyber security incident;
    3. to inform the law enforcement authorities if a crime related to a cyber attack was committed.

Impact criteria are defined in the Decree as the consequences of a cyber security incident affecting the functionality of an IT system or network upon which the provision of the service depends. In healthcare, the potential consequences of a cyber security attack include an economic loss higher than 0.1% of GDP, an economic loss or material damage of more than EUR 250,000 suffered by at least one user, more than 100 injured persons requiring medical treatment, or the loss of one life,[6] as well as disruption of public order or public security.

Another important obligation is to carry out a cyber security audit within two years from registration in the list of essential services operators. The cyber security audit seeks to evaluate compliance with the adopted security measures and with other obligations under the Act. A Decree laying down the rules and scope of the cyber security audit, and the details of the accreditation of bodies verifying compliance, is currently under discussion in the interdepartmental comments procedure. The current wording of the draft Decree provides for a cyber security audit every two years and after each change with a significant effect on the implemented security measures. The audit is to be carried out by an individual auditor who is certified by an accredited certification body. Such certification is to be granted on the basis of an application containing the requirements prescribed by law, and the certificate is to be issued with a validity of no more than three years, with a renewal option. The auditor's authority includes setting the duration of the audit so as to sufficiently verify whether the adopted security measures are effective. At the end of the audit the auditor issues a final audit report with an assessment of the audit results and the evidence used to make the assessment. Essential service operators are obliged to present to the NSA, within 30 days of completion of the cyber security audit, the final audit report and the rectification measures, including specific time limits. The costs of the audit are to be borne by the essential service operator.

In the area of cyber security, the National Security Authority also carries out inspections, issues decisions imposing measures, and imposes sanctions for minor or other administrative offences. The NSA may impose a penalty from EUR 300 up to 1% of overall annual turnover for the preceding financial year, but no more than EUR 300,000. In a future Decree the NSA will define the requirements for the accreditation of compliance verification bodies, for the expertise and qualifications to be held by auditors, for the content and scope of the final audit report, and for the outcome of the cyber security audit.

Footnotes

[1] The Act also applies to the following sectors: transport, post, industry, information and telecommunications technologies, water and air.

[2] https://www.nbu.gov.sk/wp-content/uploads/kyberneticka-bezpecnost/prevadzkovatelia-ZS.htm

[3] Though this term was used in a number of documents discussed as part of the legislative process, Slovak healthcare legislation uses only the term "trauma centre"; see also Decree No. 44/2008 of the Ministry of Healthcare of the Slovak Republic laying down minimum requirements for the staffing, material and equipment of individual types of healthcare units.

[4] This is again an unclear term, as Slovak healthcare legislation uses only the term "in vitro diagnostic centre". This type of centre covers, in addition to laboratory examinations of biological material, examinations using CT/MR imaging technologies and similar, which are currently almost exclusively digitalised at these providers. Laboratory operators frequently use electronic services to communicate test results.

[5] https://www.nbu.gov.sk/kyberneticka-bezpecnost/jednotny-informacny-system-kybernetickej-bezpecnosti/index.html

[6] It can be very difficult to apply the criterion of the potential loss of one life in connection with healthcare provision, as it will be very hard to tell when there is a risk to life during a cyber security incident.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.