On 24 February 2021, the Slovak Government approved a draft amendment to the Slovak Cyber Security Act. The original act was passed on 30 January 2018 in line with EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the EU. Under this draft amendment, the powers of the Slovak Republic’s National Security Authority (the “NSA”) will be strengthened, as it will be able to block harmful content and harmful activity.
When the original EU Directive was implemented, the NSA stated that: “networks and information systems play a crucial role in free movement and are often linked to the internet as a global tool” and therefore “any violation of the network and information systems in one member state thus affects other member states and the EU as a whole.” For this reason, according to the NSA, resistant networks and stable information systems are prerequisites for the smooth functioning of the EU internal market and credible international cooperation. At this time it was therefore decided that the country’s defence expenditure should, from then on, include expenditure on cyber defence, as in today’s technology dependent world a cyber-attack on the country is a more realistic scenario than a military attack.
The power afforded to the NSA by the proposed amendment would enable it to block harmful content and activity when dealing with cyber incidents. “Harmful content” is defined as software, a tool or data that causes or may cause a cyber-security incident, and “harmful activity” is defined as any activity that causes or may cause a cyber-security incident, such as fraudulent activity or theft of personal or sensitive data.
The reasoning behind giving the NSA this augmented power is to enable the Slovak Republic to be better prepared and defend itself against cyber-attacks on important information infrastructure systems from the external environment (internet). It is particularly aimed at combatting the spread of malicious code from networks of infected computers and the spread of malicious activity from IP addresses in the Slovak Republic.
Every entity, individual or company that operates technology infrastructure would have to comply with any request the NSA makes regarding blocking content or activities.
All decisions from the NSA requesting blocking must:
- identify the NSA;
- identify the person operating the technology/infrastructure on which the blocking needs to be performed;
- identify the harmful content or activity;
- state the reason for blocking;
- state the method of blocking;
- state the deadline and duration of blocking; and
- explain the possibilities regarding unblocking and instructions relating to this.
Blocking can also be carried out at the request of an entity defined as a special subject. The amendment refers to two acts, the Act on the Slovak Information Service, and the Act on the Slovak Gambling Regulatory Authority, implying that blocking will be within the power and scope of these two acts.
The draft amendment also proposes introducing the automated transmission of system information from networks and information systems to essential service providers. Furthermore, it would give the NSA the power to potentially ban or restrict the operator of an essential service from using a specific product, process or service due its potential threat to the security interests of the state, and therefore due to serious circumstances required by law. The ban or restriction of a product, process or service must be based on a detailed risk analysis and a statement from the Security Council of the Slovak Republic.
Finally, the amendment will introduce a general obligation to cooperate on cyber security with the NSA and related laws, such as the Act on Administrative Fees, Act on Electronic Communications and Act on Information Technologies in Public Administration, would need to be adjusted to reflect this.
The draft amendment is going through the legislative process of the National Council of the Slovak Republic and is currently having its first reading. The proposed date for it to come into effect is 15 April 2021; however, some influential NGOs have requested that the draft amendment be withdrawn. They believe that, if approved, it would give too much power to the NSA, especially in regards to blocking, automated transmission of information and the possibility to restrict the use of products and services. The NGOs are worried this could possibly open the way for the law to be misused or misinterpreted by the NSA, as they believe proper control mechanisms are missing from this draft proposal.
Should you have any questions regarding this proposed amendment or any other regulatory changes in the Slovak Republic, please contact our experts.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.