On 27 June 2025, the President of the Czech Republic signed the new Cybersecurity Act (the “Cybersecurity Act”), which transposes Directive (EU) 2022/2555 of the European Parliament and of the Council (“NIS 2”). The publication of the Cybersecurity Act in the Collection of Laws is expected in August 2025. If published, the Act will enter into force on 1 November 2025.
What does the Cybersecurity Act bring?
The Cybersecurity Act introduces a more robust and stricter cybersecurity framework in the Czech Republic. It aims to increase the resilience of organisations across key sectors and improve the handling of security incidents.
In this article, we focus on some of the main areas that the Cybersecurity Act regulates:
- Categorisation and identification of regulated entities
- Core cybersecurity obligations
- Supply chain security and strategically important services
- Sanctions and other enforcement tools
Categorisation of regulated entities
The Cybersecurity Act follows the NIS 2 Directive and establishes two categories of regulated entities: entities under the higher obligations’ regime (essential) and entities under the lower obligations’ regime (important).
The key criteria for the categorisation of regulated entities are:
- Operation in a regulated sector
- Provision of a regulated service
- Size of the organisation or, alternatively, fulfilment of the significance parameters
Each organisation will have to individually assess whether it meets the criteria.
The exact specification of the criteria will be set out in a decree issued by the National Cyber and Information Security Agency (the “Agency”).
Core cybersecurity obligations
Under the Cybersecurity Act, regulated entities are subject to the following obligations:
1. Notification of regulated service provision
Organisations that meet the statutory criteria will be obliged to notify the Agency of this fact within 60 days. The Agency will then assess the notification and decide on the registration of the regulated service.
The format and method of notification will be laid down in an Agency decree.
2. Definition of the scope of cybersecurity management
Regulated entities will be required to define the “scope of cybersecurity management”, i.e. to identify and record assets related to the provision of the regulated service. These assets include particularly processed information, provided services, technologies, employees and suppliers.
Regulated entities will be required to regularly review and update the defined scope of cybersecurity management.
3. Implementation and maintenance of security measures
The Cybersecurity Act keeps the division of security measures into organisational and technical measures. Regulated entities will have to implement and maintain these measures within one year from the registration of the regulated service.
The scope of security measures differs depending on the obligations’ regime:
- Regulated entities under the higher obligations’ regime will be required to implement and maintain comprehensive and systematic security measures.
- Regulated entities under the lower obligations’ regime will only be required to implement and maintain selected security measures to ensure a basic level of protection.
The detailed content of the security measures will be laid down in Agency decrees.
4. Cybersecurity incident reporting
The Cybersecurity Act obliges all regulated entities to report cybersecurity incidents:
- Regulated entities under the higher obligations’ regime will be required to report, within 24 hours of detection, all incidents related to the regulated service that originate in cyberspace and where intentional misconduct cannot be ruled out.
- Regulated entities under the lower obligations’ regime, on the other hand, will only be required to report, within 24 hours of detection, incidents that emerge within the scope of cybersecurity management, originate in cyberspace, have a significant impact on the provision of the regulated service, and where intentional misconduct cannot be ruled out.
Regulated entities will be required to submit an initial notification within 24 hours of detecting the incident. In the case of incidents with a significant impact on the provision of the regulated service or on the state’s cyberspace, they will also be required to submit an initial assessment within 72 hours of detecting the incident. This is followed, within 30 days of submitting the initial assessment, by either a status report (if the incident is ongoing) or a final report (if the incident has been resolved).
All reports must be submitted electronically via the Agency Portal.
Details on incident reporting will be laid down in Agency decrees.
5. Implementation of countermeasures
The Cybersecurity Act enables the Agency to respond to cybersecurity threats or incidents with three types of countermeasures: warning, advisory, and reactive countermeasure.
Warnings and advisories serve the purpose of informing the public or the affected regulated entity about cybersecurity threats or incidents. Reactive countermeasures serve the purpose of responding to cybersecurity incidents, securing archives in advance of incidents, or increasing the protection of archives.
The Agency may issue a reactive countermeasure as an administrative decision addressed to a specific regulated entity or as a measure of a general nature binding on a defined group of regulated entities.
Supply chain security and strategically important services
Beyond the NIS 2 Directive, the Cybersecurity Act increases the emphasis on supply chain security and introduces “strategically important services”, i.e. regulated services whose disruption could have a significant effect on national security or public order.
Providers of strategically important services will be subject to additional obligations, including:
- Ensuring the availability of strategically important services to the necessary extent directly from the Czech Republic.
- Identifying and registering suppliers of “security-relevant supplies” and notifying the Agency of these suppliers and any changes within 10 days.
Providers of strategically important services will have to fulfil these additional obligations within one year from the date on which their regulated service is designated as strategically important.
The conditions for designation as a strategically important service will be set out in a government regulation.
Sanctions and other enforcement tools
Violations of the obligations under the Cybersecurity Act may be subject to significant fines:
- Regulated entities under the higher obligations’ regime may be fined up to CZK 250 million or up to 2% of their global annual turnover, whichever is higher.
- Regulated entities under the lower obligations’ regime may be fined up to CZK 175 million or 1.4% of their global annual turnover, whichever is higher.
The Agency will also be authorised to temporarily prohibit a member of the statutory body of a regulated entity under the higher obligations’ regime from performing their function. This applies if that person has repeatedly or seriously breached their duties concerning the obligation imposed on the regulated entity to remedy identified deficiencies, and as a result proper compliance with the Agency’s (NÚKIB’s) decision was thwarted.
If you are interested in the topic of cybersecurity and want to know more, contact your CMS client partner or our regulatory expert Jan Ježek.