Czech Cybersecurity: what lies ahead after registration
Providers who have notified their regulated services under Act No. 264/2025 Coll., on Cybersecurity (“Cybersecurity Act”), received their registration decision from the National Cyber and Information Security Agency (“Agency”), and submitted their contact details and supplementary information have completed the initial steps.
Now is the time to focus on what comes next: building and maintaining a robust compliance framework. This article provides a practical overview of the key post-registration obligations and steps to take to help providers plan ahead.
Key post-registration obligations
- Defining the Scope of Cybersecurity Management
Providers must define their “scope of cybersecurity management”, comprising all assets related to the provision of regulated services. The Cybersecurity Act mandates a three-step procedure: identifying primary assets, assessing their relevance to service provision, and identifying supporting assets. Providers must document both included and excluded assets and regularly review and update these records.
This obligation applies immediately upon registration.
- Implementation of Technical and Organisational Measures
Providers must implement technical and organisational measures. Essential entities face comprehensive requirements covering 14 organisational and 11 technical measures. Important entities must implement a more focused set of 13 measures ensuring basic cybersecurity protection.
This obligation must be fulfilled within one year of registration.
- Cybersecurity Incident Reporting
Providers must report cybersecurity incidents via the Agency Portal. Essential entities must report, within 24 hours of detection, all incidents within their cybersecurity management scope that originate in cyberspace and for which an intentional cause cannot be ruled out. The same conditions apply to important entities, but they need report only those incidents that also have a significant impact on service provision. The reporting process requires an early warning within 24 hours, followed by a detailed notification within 72 hours, and a final or progress report within 30 days.
This obligation applies from one year after registration.
- User Notification and Threat Communication
Providers must inform users without undue delay of any significant cybersecurity incident that could adversely affect service provision. They must also notify users who may be affected by significant threats of the steps users can take to minimise potential impact.
This obligation applies immediately upon registration.
- Implementation of Agency Countermeasures
Providers must respond to cybersecurity threats or incidents according to Agency countermeasures, which include warnings, advisories, and reactive measures imposed through administrative decisions or measures of general application.
This obligation applies immediately upon registration.
- Remediation of Identified Deficiencies
Providers must remedy any deficiencies identified by the Agency within the period and in the manner determined by the Agency. Where required, providers must notify the Agency of the implementation and outcome of the corrective measures.
This obligation applies immediately upon registration.
Practical Takeaways
With the initial registration phase complete, the real work begins. Providers should focus on:
- Defining the scope of cybersecurity management by identifying primary and supporting assets related to the regulated service;
- Establishing internal governance, including top management engagement and clearly defined cybersecurity roles;
- Preparing, maintaining and enforcing security policies and procedural documentation required for the applicable regime;
- Implementing technical and organisational measures proportionate to the provider’s risk profile and in line with the applicable regime;
- Reviewing supplier arrangements to ensure that cybersecurity requirements are reflected in contracts with suppliers involved in the provision of the regulated service;
- Building capabilities to detect, record, assess and respond to cybersecurity events and incidents, and to report incidents through the required channels and within the applicable timelines; and
- Maintaining up-to-date contact and supplementary information, ensuring effective communication with the Agency, and being prepared to respond to warnings and countermeasures.
If you are interested in the topic of cybersecurity and want to know more, or if you would like our assistance, contact your CMS client partner or our regulatory expert Jan Ježek.