Are you ready for the new cybersecurity law?

17. 6. 2025

Newsletter

bpv BRAUN PARTNERS

The Cybersecurity Act implementing the European NIS 2 Directive[1], which will bring new cybersecurity obligations for an estimated 6 000 entities doing business in selected sectors, was approved by the Senate on 11 June 2025!

The aim of the Cybersecurity Act (the “Act”), which is a new comprehensive legal regulation, is to strengthen the cybersecurity of the Czech Republic, in particular by requiring important organisations to take preventive steps. To meet this objective, the Act introduces a large number of obligations, including the obligation to implement certain security measures and to report cybersecurity incidents to the National Office for Cyber and Information Security (NÚKIB).

Will the new obligations also apply to you?

The new obligations will affect so-called essential service providers[2]. So, who is considered a provider of essential services, and which services will be regulated? A comprehensive list of essential services is set out in the forthcoming Decree on essential services. Essential services include those services that are important for the safeguarding of important social or economic activities or for security in one of a total of 15 selected sectors, namely: public administration and the exercise of public authority, energy, manufacturing industry, food industry, chemical industry, water management, waste management, transport, digital infrastructure and services, financial market, health, science, research and education, postal and courier services, defence industry and space industry.

Medium-sized or large enterprises as defined in the Commission Recommendation[3], which provide regulated services, are always considered to be obliged entities under the Act. A medium-sized enterprise is an enterprise employing between 50 and 249 persons, with a turnover or balance sheet total exceeding EUR 10 million, whose annual turnover does not exceed EUR 50 million and/or whose annual balance sheet total does not exceed EUR 43 million; a large enterprise is one exceeding these values. However, in addition to the enterprise itself, linked and partner enterprises must also be taken into account and their ‘values’ added when assessing the size of the enterprise. This applies only on the assumption that their technical assets are interconnected with those of the enterprise under assessment. If the technical assets are fully separate, the values of the partner or linked enterprises are not added.

In addition to medium and large enterprises, the new obligations may also apply to regulated service providers that are important for the security of important social or economic activities or for the security of the Czech Republic, regardless of the size of their enterprises.

What measures will essential service providers have to take?

The draft law distinguishes two regimes of obligations, namely a milder duty regime and a higher duty regime[4], and two categories of security measures, namely organisational and technical measures. Service providers under the higher duty regime will be subject to a more comprehensive list of requirements than service providers under the milder duty regime, although there is some overlap. The penalties for enterprises under the higher duty regime are, of course, also more considerable, as is, for example, the scope of the obligation to report security incidents. Security incidents reported by entities in the higher duty regime are handled directly by NÚKIB, while those reported by entities in the milder duty regime will be handled by the national CERT team, which is CZ.NIC.

In view of the fact that the scope and intensity of the organisational and technical measures that the obliged entities must implement differ for both regimes, they will be described in detail in sub-legislative regulations to be issued for each regime separately. However, for both regimes, a comprehensive security strategy will need to be put in place, including:

  • Identification and assessment of technical assets (e.g. in terms of confidentiality, integrity and availability)
  • Identification and assessment of cyber risks
  • Regular analysis of cyber risks and improvement of security measures based on this analysis
  • Protection against ransomware, phishing and social engineering
  • Monitoring of network traffic and protection of critical systems
  • Secure data storage and encryption
  • Strict access control and deployment of multi-factor authentication

In the regime of higher duty, both organisational and technical measures are more stringent, e.g. in the organisational area, it will be necessary to define individual security roles (manager, architect, cybersecurity auditor, asset guarantor), appoint a cybersecurity management committee, develop and approve a security policy and security documentation, regularly analyse the impact of potential incidents, manage business continuity (in case of attacks), establish a recovery plan for such situations, etc. Similarly, it is necessary to set up a process for reporting incidents to NÚKIB and ensuring cooperation in dealing with situations that arise, and to regularly educate both management and company employees in the field of cybersecurity so that they can identify threats and respond correctly to potential incidents.

Technical measures include stricter requirements for user authentication, the obligation to use a tool for detecting and recording security attacks and other relevant events, and the management and monitoring of the use of removable devices and data carriers. Requirements concerning, for example, application security and cryptographic algorithms are also laid down.

It should also be mentioned that in many cases the security level of suppliers and other contractors will also need to be checked.

When will providers have to comply with the new obligations?

The bill is currently heading for the signature of the President of the Czech Republic and will become effective on the first day of the third month after its promulgation. Therefore, if the Act is promulgated by the end of June, it would become effective on 1 September 2025.

Obliged entities must assess for themselves whether they are subject to the Act, and under which regime, and must register with NÚKIB within 60 days of the Act’s entry into force. They must then report their contact details via the NÚKIB portal no later than 30 days after receiving the decision confirming their registration under the Act.

Entities will have to comply with the new obligations no later than 1 year from the receipt of the decision confirming their registration under the Act.

It should be noted that non-compliance with the obligations under the Act can result in very severe penalties, such as fines of up to EUR 10 million or 2% of annual turnover. In addition, the statutory bodies of obliged entities are personally liable for compliance with the requirements of the Act, and NÚKIB is granted the power to temporarily prohibit the statutory body of a corporation that is an obliged entity under the higher duty regime and substantially or repeatedly fails to comply with its obligations. In extreme cases, this may result in the restriction of the organisation’s activities.

We will of course keep you informed of further developments, particularly the effective date of the Act.

[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity in the Union and amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148
[2] within the meaning of Article 4(1)(b) of the draft law on cyber security
[3] Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises
[4] the classification of providers according to the regulated services they provide is determined by NÚKIB by decree
This material is for general information on current topics only, it is not advice. It does not take into account any special circumstances, financial situations or special requirements of the addressees. Recipients should therefore always seek appropriate professional services for the information provided. Notwithstanding the careful compilation of this material, bpv Braun Partners s.r.o. advokáti, its partners, associates or co-operating solicitors and tax advisers cannot guarantee the accuracy or completeness of the information contained herein and accepts no responsibility for acting or refraining from acting on the basis of the information contained in this material.
