Others

1. What are the CNA and CWE add-ons used for, and where can I verify their functionality?

The installation of the Crypto Native App (extension for operating systems) and Crypto Web Extension (extension for web browsers) add-ons is necessary for signing and decrypting operations in the NEN system (for download here). In the compatibility test, it is possible to verify the installation of these add-ons. This can be done at the bottom of the screen in the "Certificate and Signature Test" section, where the field needs to be highlighted in green. Here, you can insert and test the functionality of your qualified certificate.

After downloading the Crypto Native App application, a file with the extension .dmg is downloaded. This is not an installation file (a file with the extension .dmg (disk image) is commonly used in macOS X as a disk image format). After mounting this disk image, you will find the installation file with the .pkg extension through Finder.

If a user is interested, it is possible to provide the source code from CNA by the supplier of technical support, allowing Linux users to download and compile it themselves.

2. How to proceed in case of loss or forgotten password?

If you remember your username and the email address listed in the NEN system, use the "Forgot password" functionality directly in the login section. Otherwise, please contact the NEN System User Support (contacts provided in the header) or the entity’s administrator of your organization.

3. What is the maximum size of an attached file?

The NEN system supports attachments up to a maximum size of 2 GB per file. This limitation applies across the public, authorized, and integration part of the NEN system. Larger attachments must be split into separate files using the ZIP algorithm. When splitting into parts, the ZIP format with extensions ZIP and 001, 002, etc., is supported.

4. What is the difference between a qualified and a commercial certificate?

Qualified certificates are primarily for signing (e.g., registration forms, tender submissions, messages, etc.). Commercial certificates are intended for encrypting and decrypting public contracts (these are always arranged by the contracting authority for these purposes).

5. What is the difference between internal and external notifications?

Internal notifications are understood as all notifications delivered within the NEN system. You can access these notifications through the envelope icon located in the upper right corner. External notifications are notifications that will be delivered to the email address you provided.

6. What is a qualified timestamp in the NEN system?

It refers to a qualified timestamp automatically assigned by the NEN system to documents containing a qualified electronic signature, enabling the anchoring of the signature’s validity in time, or it refers to an electronic mark proving the document’s origin.

The purpose of this mark is solely to provide information about the origin of the document (the document was inserted to the NEN system). The validity of this electronic mark is always one year. The expiration of the validity of the NEN system's electronic mark cannot a priori be considered as making the document false or inauthentic. Legal actions cannot a priori be considered invalid.

7. Where do I obtain confirmation of delivery?

Delivery via the NEN system fully complies with the requirements of the ZZVZ and implementing regulations regarding delivery within a procurement procedure. Confirmation of the transmission of a data message through the NEN system is considered evidence of delivery of the data message to the recipient (see Section 4 (1) of the Decree 260/2016 Coll., on the establishment of more detailed conditions concerning electronic tools, electronic acts in public procurement and the certificate of conformity, as amended).

If transmission is made via the NEN system, the moment of delivery is considered the moment of sending. However, this represents the moment of completion of the whole sending process, specifically, the receipt of the submission by the NEN system, not the moment the "Send" button is pressed. Therefore, we recommend that economic operators take steps leading to such an action well in advance.

8. How is it with data archiving?

Pursuant to Section 216 of the ZZVZ, the contracting authority is obliged to retain documentation to the procurement procedure, which consists of all documents in paper or electronic form and outputs from oral communication, the acquisition of which during or after the procurement procedure is required by this law, including the full text of the original tenders from all economic operators, for a period of 10 years from the date of termination of the procurement procedure or the change of commitment from the contract to the public contract, unless another legal regulation prescribes a longer period. Therefore, the NEN system retains all structured and unstructured data (documents) related to the procurement procedure for at least this period. It will then be up to the contracting authority whether to export this data from the system and further archive it.

9. What does it mean when an electronically signed document uploaded to the NEN system displays the message “The signature is in the safeguard period. You must wait 23 hours until validity confirmation.”?

The safeguard period has been introduced to strengthen the compliance of the NEN system with the eIDAS Regulation and Decree No. 212/2012 Coll., on the Verification of the Validity of a Recognised Electronic Signature (hereinafter referred to as the “Decree”).

According to Section 4(1)(a) of the Decree, verifying the validity of a qualified certificate or a qualified system certificate requires verifying whether the qualified certificate or qualified system certificate has been revoked, and verifying the electronic seal with which the qualified trust service provider (hereinafter referred to as the “provider”) has marked the certificate revocation list or the certificate status information, as well as the provider’s qualified system certificate.

Furthermore, pursuant to Section 4(2) of the Decree, the verification of whether the qualified certificate or qualified system certificate had not been revoked at the moment for which its validity is being verified must be carried out in accordance with the certification policy of the provider that issued the certificate. If a certificate revocation list is used for verification, the decisive list is the last list issued within 24 hours from the moment for which the validity of the certificate is being verified, or any subsequent list issued before the end of the validity period of the certificate being verified. If the 24-hour period extends beyond the certificate’s validity period, the decisive lists are all lists issued from the last list published during the certificate’s validity period to the last list published within 24 hours from the moment for which the certificate validity is being verified.

Simply put, the contracting authority must be sure that the certificate was not revoked in the meantime. This certainty can only be obtained after the 24-hour period, because the authority has up to (a maximum of) 24 hours to publish the revocation list.

For signatures created through NEN, the signature icon will display information that verification of the signature’s validity requires completing this 24-hour period in order to verify the electronic signature against the most recently issued certificate revocation lists (CRLs) from the certification authorities.

After the verification is completed, the signature will be marked as valid (green signature badge) or invalid (orange exclamation mark). The signature details will again inform the user about how the certificate was evaluated and what issue was identified in case of an invalid result. The entire 24-hour verification process applies solely to certificates issued by qualified certification authorities.

10. What should I do if I enter the wrong password three times when logging in to the NEN system?

In case you enter an incorrect password three times, the NEN system will lock your user account for 15 minutes. After this period, you will be able to attempt to log in again.

11. Explanation of the necessity of transitioning to qualified electronic identification means

Information from the Ministry of Regional Development: Increasing security standards and legal certainty

The Ministry of Regional Development, as the administrator of the National Infrastructure for Public Procurement (NIPEZ) and the National Electronic Tool (NEN), is implementing key measures to enhance cybersecurity resilience and data security. For entities acting in the role of an economic operator, support for authentication using conventional login credentials (username and password) will be discontinued. The new standard for identity verification is electronic identification via the Citizen Identity (NIA), and for foreign entities, its European equivalents through the International ID Gateway (IIG), in accordance with the European eIDAS Regulation.

Legislative framework and the necessity of the change

Both the NEN system and the NIPEZ authentication component fall within the category of information systems of public administration (ISVS). This classification entails the obligation of the system administrator to ensure reliable and unambiguous identification of natural persons performing legal acts within the system. The transition to qualified identification is directly anchored in the following legal regulations:

• Act No. 250/2017 Coll., on Electronic Identification.

• Act No. 12/2020 Coll., on the Right to Digital Services.

• Act No. 264/2025 Coll., on Cybersecurity, and its implementing regulations.

• Regulation (EU) No. 910/2014 (eIDAS), which unifies identification standards across the entire European economic Area.

Transition from usernames and passwords to a Guaranteed Identity

The main pillar of this change is the replacement of an outdated login method that no longer meets the current security standards for information systems of public administration (ISVS). Static passwords constitute a vulnerable element that does not allow, with a sufficient degree of certainty, the guarantee that an action performed in the system was carried out by a specific authorized natural person.

In this context, it is necessary to emphasize that, for the purposes of the ISVS, standard two-factor authentication is not generally sufficient (e.g., a combination of a password and an SMS code sent to a telephone number). Although such methods increase protection against password misuse, they lack a key element required by effective legislation: the existence of a legally recognized identity means for which the holder’s identity has been officially verified and matched with state registers. Only qualified means within the Citizen Identity framework (NIA) provide the level of assurance required by law (“substantial” or “high”), which is mandatory for public administration systems, and which alone guarantees full legal integrity of an act in the digital environment.

Systematic elimination of the sharing of access credentials

The implementation of the new authentication method deliberately and completely eliminates the undesirable practice of sharing user accounts, which currently occurs within a certain percentage of entities. It must be emphasized that the use of shared access credentials by multiple individuals constitutes a critical security and legal risk and is impermissible even under the existing framework. While this practice is difficult to control under the current model, the transition to the Citizen Identity and eIDAS framework technically makes it impossible. Given that identity means are non-transferable and strictly bound to a specific natural person, the new system definitively removes procedural uncertainty in proving individual responsibility for specific actions. This ensures full transparency and protection of interests both on the part of the contracting authority and on the part of the economic operator.

It is necessary to warn against allowing another person to use a user’s electronic identity, as by doing so the user transfers their identity in full, and all actions performed by that person are considered actions of the user to whom the identity belongs. Users should be aware that actions other than those related solely to procurement procedures may also be performed under their identity.

Separation of personal identity and representation of an organization

It is necessary to emphasize that, in accordance with the eIDAS Regulation and the Act on Electronic Identification, identity means are held exclusively by natural persons. A legal person (company), as such, does not possess an electronic identity in this sense. The authentication process therefore always takes place at the level of a specific user who logs in as an identified natural person and subsequently performs actions on behalf of the organization based on assigned system permissions and roles.

This mechanism ensures that every act performed by a legal person is linked to a specific and traceable representative. The allocation of legal responsibility between the natural person and the employer remains fully preserved in accordance with labor law regulations and the Act on Public Procurement. The Ministry of Regional Development guarantees that the use of the Citizen Identity serves exclusively for authentication purposes (identity verification). The NIA system operates as an independent verification layer—no private information of the identity holder is made accessible to the ministry or to the employer through this process.

The use of the Citizen Identity (NIA) and eIDAS brings the following benefits:

• Legal incontestability: The creation of a unique and unambiguous link between an act performed in the system and a specific natural person in accordance with applicable legislation. This link protects all participants in the public procurement process, including the employer itself (the legal person), from legal risks associated with anonymity or challenges to the authorship of an act.

• Compliance with the eIDAS level of assurance: Qualified means (e.g., Bank Identity, the eGovernment Mobile Key, or the eID card) guarantee a high level of identification assurance that standard commercial 2FA systems (e.g., via email or SMS), without a connection to a certified identity provider, cannot provide.

• Prevention of misuse and transparency: The system technically prevents the sharing of identities among multiple individuals, thereby ensuring that every decision or submission within the NEN system is linked to a specific, traceable, and identified user.

Access for foreign economic operators (EU)

In accordance with the eIDAS Regulation, the NEN system is fully integrated with the International ID Gateway (IIG), enabling foreign users from EU Member States to use their national identity means (e.g., the Slovak eID). For these purposes, neither permanent nor temporary residence in the Czech Republic is required. The only condition is possession of an identity means that the respective Member State has notified at the “high” or “substantial” level of assurance.

Access for foreign economic operators (outside the EU)

For users of non-EU foreign economic operators, registration in NIPEZ is configured differently. It is necessary to complete registration in the NIPEZ authentication component using an official identity document confirming the identity of the registering user and an existing email account. The installation of the Microsoft Authenticator application is also required for login.

Final recommendations

All users are advised to review their identity means in a timely manner. Organizations should adapt their internal processes and ensure that each authorized employee has their own digital identity.

Through these measures, the Ministry of Regional Development fulfills its vision of a modern, secure, and transparent public administration that minimizes risks for all participants in public procurement.

For technical consultations and assistance in resolving individual situations, the NEN System User Support is available at +420 272 680 985.