
Publication of the Cybersecurity Act

14. 10. 2025

Newsletter

bpv BRAUN PARTNERS

The new Cyber Security Act has been published in the Collection of Laws and International Treaties and will come into effect on November 1, 2025.

The Act, which is primarily aimed at implementing the European NIS 2 Directive and strengthening the Czech Republic’s protection against cyber threats, was signed by the President and published in the Collection of Laws on 4 August 2025 under No. 264/2025.

As we have already informed you in the past, the number of obligated entities that will have to implement security measures will increase significantly under the new Act compared to the previous legislation. The Act introduces obligations for service providers who provide services that are important for the security or safety of important social or economic activities. According to the Act, the following sectors qualify: energy, food, manufacturing and chemical industries, transport, healthcare, digital infrastructure and services, and the financial market. More specific quantifiers and limits in relation to the individual sectors of activity are set out in the implementing regulations of the Act.

The Act applies to providers of the regulated services mentioned above if they are medium-sized or large enterprises, whereby, according to the relevant European Commission recommendation, a medium-sized enterprise is one with a maximum of 250 employees, a turnover of between EUR 10 and 50 million and a balance sheet not exceeding EUR 43 million; a large enterprise is one that exceeds the above limits. We note that, as in the area of subsidies, the size of the enterprise is also calculated by adding the indicators of partner and affiliated enterprises. However, this only applies if the technical assets of the provider of the regulated service and its partner or affiliated enterprises are not separated.

However, the obligations under the new Act may also apply to providers who do not meet the above conditions – NÚKIB has the power to designate specific providers of regulated services that are important for the security of important social or economic activities or for security in the Czech Republic, and to impose obligations on them under the Act.

Companies that already meet the conditions specified by the Act as of November 1, 2025 are required to register the regulated service itself by December 31, 2025 at the latest via the electronic portal of the National Cyber and Information Security Agency (NÚKIB) at https://portal.nukib.gov.cz/. Companies that meet these conditions after 1 November will be required to complete registration no later than 60 days after meeting them.

Subsequently, companies must report to NÚKIB, within 30 days of the registration at the latest, the contact details of the natural persons who are authorised to represent the provider in matters governed by the new Cyber Security Act. At the same time, it is necessary to notify NÚKIB of additional information concerning the provider’s ownership structure, technical data concerning the regulated service provided and its geographical coverage, including cross-border provision.

Following the registration of the regulated service on the NÚKIB portal, a registration certificate will be issued. Within one year of the certificate being issued, the provider of the regulated service is obliged to implement the necessary organisational and technical measures to create an appropriate level of cyber protection for its assets and data. These measures are described in detail in the implementing regulations, which NÚKIB is authorised by the Act to issue and which are to be issued any day now.

From what is already known at this stage, it can be concluded that as soon as possible after receiving the decision on the registration of a regulated service, the provider of the regulated service must determine the scope of cyber security management, which includes identifying all primary assets of the provider of the regulated service and supporting assets related to them, and subsequently assessing whether these assets are related to the provision of the regulated service.

The provider will then implement the necessary security measures and set up processes for detecting and reporting any cyber security incidents in accordance with the Act. This includes, for example, the obligation to train senior management in cyber security process management, the implementation of asset and risk management systems, human resources security and the use of cryptographic algorithms.

It should be noted that failure to comply with the obligations under the Act may result in very severe penalties, such as fines of up to EUR 10 million or 2 % of annual turnover. In addition, the statutory bodies of obligated entities are personally responsible for compliance with the requirements of the Act, and NÚKIB has been entrusted with the power to temporarily suspend the functions of the statutory body of a corporation that is an obligated entity under the regime of higher obligations and fails to fulfil its obligations in a significant manner or repeatedly. In extreme cases, this may lead to restrictions on the activities of the organisation in question.


This material is for general information on current topics only; it is not advice. It does not take into account any special circumstances, financial situations or special requirements of the addressees. Recipients should therefore always seek appropriate professional services for the information provided. Notwithstanding the careful compilation of this material, bpv Braun Partners s.r.o. advokáti, its partners, associates or co-operating solicitors and tax advisers cannot guarantee the accuracy or completeness of the information contained herein and accept no responsibility for acting or refraining from acting on the basis of the information contained in this material.
