Cybersecurity Law

6.4. Institutional backing of cybersecurity in Europe (POLČÁK)

In this part, we tackle the institutional backing of cybersecurity. Any legal, technical or organizational measure is quite useless if it is not backed by relevant and capable institutions, public or private. In cybersecurity, we assume a relatively poor capability of the state regarding complex information systems and communication infrastructure. That is why the regulatory model of European cybersecurity uses performance-based rules. Consequently, the fundamental level of rule-making is aimed at the regulated subjects, in particular:

  • Essential service operators
  • Digital service providers

EU member states often work with a more sophisticated structure of regulated subjects that also includes other private and public institutions outside the scope of the NIS Directive-based definitions of essential and digital services. In addition, the scope of national laws often includes, besides owners or controllers (operators) of the respective systems and networks, also entities, mostly private, that provide services or equipment to the operators on the basis of contracts. In particular, the Czech Cybersecurity Act works with the following structure (§3 of the Cybersecurity Act):

"a)  An electronic communication service provider and an entity operating an electronic communications network, unless they are public authorities or legal or natural persons specified in letter b)

b)  A public authority or legal or natural person administrating an important network, unless they are the operator or the administrator of a communication system according to letter d)

c)  An operator and an administrator of a critical information infrastructure information system

d)  An operator and an administrator of a critical information infrastructure communication system

e)  An operator and an administrator of an important information system

f)  An operator and an administrator of an information system of essential service, unless they are the operator or the administrator specified in letters c) or d)

g)  An operator of an essential service, unless they are the operator or the administrator specified in letter f)

h)  A digital service provider"

The regulatory institutional framework consists primarily of national cybersecurity authorities. These are positioned differently in different member states – in some, it is a dedicated authority, while in others this regulatory agenda is backed by an existing security authority, a law enforcement body or another governmental institution.

Another important difference among the member states is whether these institutions act as regulators at all. The NIS Directive does not envisage cybersecurity authorities having their own regulatory powers, but individual EU member states might entrust them with competences to issue various sub-statutory regulatory instruments.

The institutional framework of CSIRTs is quite specific. The EU level of this framework is explained in recitals 32 and 33 of the NIS Directive as follows:

“Competent authorities or the computer security incident response teams (‘CSIRTs’) should receive notifications of incidents. The single points of contact should not receive directly any notifications of incidents unless they also act as a competent authority or a CSIRT. A competent authority or a CSIRT should however be able to task the single point of contact with forwarding incident notifications to the single points of contact of other affected Member States.

To ensure the effective provision of information to the Member States and to the Commission, a summary report should be submitted by the single point of contact to the Cooperation Group, and should be anonymised in order to preserve the confidentiality of the notifications and the identity of operators of essential services and digital service providers, as information on the identity of the notifying entities is not required for the exchange of best practice in the Cooperation Group. The summary report should include information on the number of notifications received, as well as an indication of the nature of the notified incidents, such as the types of security breaches, their seriousness or their duration.”

The roles and responsibilities of CSIRTs do not only cover incident reporting; they might also have some forensic competences, an ability to develop and use active countermeasures, etc. At the seminar, we will specifically focus on the cooperation of CSIRTs with national and international institutions in security, defense, law enforcement and intelligence.

The last (but not least) institutional issue that will be discussed in class relates to certification processes. The EU Cybersecurity Act provides for the following institutions:

  • National cybersecurity certification authorities
  • National accreditation bodies (Regulation (EC) No 765/2008)
  • Conformity assessment bodies
  • Commission
  • European Cybersecurity Certification Group (ECCG)
  • Stakeholder Cybersecurity Certification Group (SCCG)

In class, we will discuss the roles and responsibilities of the above institutions and bodies as well as the associated legal and organizational issues.