The new Czech Cybersecurity Act has entered into force. Will it affect your company?

On 1 November 2025, the new Cybersecurity Act entered into force, implementing the European NIS2 Directive into Czech law. This legislation substantially broadens the scope of regulated entities. Entities falling within the scope are divided into two categories – a lower obligation regime and a higher obligation regime.

The new legislation is important not only in terms of achieving “paper” compliance with legislative obligations, but above all as a key tool for the actual prevention of cyber-attacks. These attacks pose a serious threat to the functioning of businesses and can cause data loss, significant financial damage, as well as reputational damage.

The Act is accompanied by a set of implementing legal instruments. The key instrument is the Decree on Regulated Services, which defines in detail the specific services and sectors to which the new framework applies, as well as decrees specifying security measures for the lower and higher obligation regimes.

To facilitate notifications of regulated services and access to relevant information, the National Cyber and Information Security Agency (NÚKIB) has established a specialised electronic portal.

What steps need to be taken now?

  1. Based on the Decree on Regulated Services, determine whether your company falls within the scope of the regulation. The size of the enterprise and the existence of partner or affiliated enterprises also play a role.
  2. If your company is in scope under point 1, you must notify the regulated service no later than 60 days from the date the conditions were fulfilled. The notification is submitted via a form on NÚKIB’s portal.
  3. If the conditions are met, NÚKIB will decide on the registration of the regulated service.
  4. Upon receipt of the registration decision, the company must, within 30 days, provide contact details, unless these were already provided when notifying the regulated service under point 2.
  5. No later than one year from delivery of the registration decision, your company is obliged to start reporting cybersecurity incidents and to implement the required security measures.

Overview of selected obligations under the lower and higher obligation regimes:

Lower obligation regime

  1. The company shall implement and carry out security measures commensurate with its security needs.
  2. The company shall, at least annually, update and document its inventory of security measures, including an assessment of their effectiveness.
  3. The company shall designate a person responsible for cybersecurity who has completed professional training or can demonstrate professional competence in the field of cybersecurity.

Higher obligation regime

  1. The company shall appoint a cybersecurity manager who can demonstrate professional competence and at least three years’ experience in managing cybersecurity. Additional security roles must also be designated, such as a cybersecurity auditor.
  2. The company shall ensure testing of business continuity plans, recovery plans and processes related to the handling of cybersecurity incidents.
  3. The company shall ensure a cybersecurity audit is carried out, or, where appropriate, ensure penetration testing.

Our law firm will help you assess whether the new legal framework applies to your company. If it does, we will handle all subsequent steps from registration through to setting up processes in compliance with the Act’s requirements.

The new law may affect a surprisingly wide range of businesses. Timely action is key to legal certainty and cybersecurity resilience.