
Cybersecurity Act heads to the Senate

5. 5. 2025

Newsletter

bpv BRAUN PARTNERS

On 25 April 2025, the Chamber of Deputies approved in its third reading the government’s draft law on cyber security, the preparation of which we have previously informed you about. The bill is now heading to the Senate for consideration.

The aim of the draft law is to implement the European Directive NIS 2,[1] to unify cyber security requirements, and to strengthen the Czech Republic’s cyber security against cyber threats through preventive measures. These measures will have to be implemented by obliged entities, whose number will grow significantly compared to the current legislation once the bill is adopted.

The bill introduces new obligations for so-called regulated service providers. Regulated services include services that are important for the safeguarding of important social or economic activities or for security in one of a total of 15 selected sectors, including: manufacturing, food industry, waste management, digital infrastructure and services, financial market, health, postal and courier services or energy.

In addition to the provision of regulated services, the bill recognizes another condition for the application of the rules to undertakings, a certain quantifier. The quantifier is almost always the size of the undertaking itself, since the law applies to medium-sized or large enterprises within the meaning of Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. According to the Recommendation, a medium-sized enterprise is one with a maximum of 250 employees, a turnover of between EUR 10 million and EUR 50 million, and a balance sheet not exceeding EUR 43 million; a large enterprise is one exceeding the above-mentioned limits.

The implementing regulations also define additional quantifiers that apply regardless of the size of the enterprise, e.g. the total installed energy capacity of the electricity producer or the fact that the chemical distributor distributes a quantity of hazardous substances that are listed in Annex 1 to the Prevention of Major Accidents Act in column 3 of Table I or II.

The new obligations will also apply to regulated service providers who, although they do not meet the above-mentioned criteria, are important for the security of important social or economic activities or for the security of the Czech Republic. The National Office for Cyber and Information Security (NUCIB) is given the power to designate such regulated service providers and impose obligations under the law.

The bill distinguishes between two levels of regulation, namely the lower and the higher obligation regime, higher requirements obviously being imposed on obliged entities in the higher obligation regime.[2] The bill also distinguishes between two categories of security measures, namely organisational and technical measures. The new obligations include, for example, the training of senior management, the implementation of asset and risk management systems, the security of human resources, and the use of cryptographic algorithms.

In assessing the scope of obligations, it may not always matter whether the regulated service is the only or an important activity of the undertaking concerned. For example, irrespective of the total installed energy capacity, a large undertaking holding an electricity generation licence will be placed under the higher obligation regime, while a medium-sized undertaking holding the same licence will be placed under the lower obligation regime. This is the case even if its main activity is in a completely different market segment which is not classified as a regulated service. The decisive factor here is that it is a licensed electricity generator of a certain size. However, electricity production licences are often acquired by companies for which, for example, a rooftop photovoltaic plant is a solution to cover their own considerable consumption, and the possible sale of surpluses is a marginal activity compared to the company’s core business. Similar solutions are also available e.g. for electricity traders, aggregators and battery storage operators.

It is expected that the new law will come into force on 1 January 2026. Obliged entities will have to self-identify and register with the NUCIB within 60 days of fulfilling the conditions for registration of a regulated service and to comply with the new obligations no later than 1 year from the receipt of the registration decision issued by NUCIB in response to the application of the obliged entity.

[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity in the Union and amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148.
[2] The division of providers depending on the regulated services provided is determined by the NUCIB by decree.


This material is for general information on current topics only, it is not advice. It does not take into account any special circumstances, financial situations or special requirements of the addressees. Recipients should therefore always seek appropriate professional services for the information provided. Notwithstanding the careful compilation of this material, bpv Braun Partners s.r.o. advokáti, its partners, associates or co-operating solicitors and tax advisers cannot guarantee the accuracy or completeness of the information contained herein and accepts no responsibility for acting or refraining from acting on the basis of the information contained in this material.
