EU NIS2 Directive and the New Czech Cybersecurity Act: What You Need to Know

Everything indicates that the new Czech Cybersecurity Act, adopted in response to the European NIS2 Directive, will enter into force on July 1, 2025. The goal of this new legislation is to enhance the cybersecurity resilience of both private and public entities. It is expected that the new duties will apply to around 6,000 entities. High penalties will also be introduced, including fines up to millions of CZK or percentages of total annual turnover, suspension of certification or authorisation, or temporary bans on members of the management bodies. Although the Act has not yet entered into force, it is crucial to get ready for the changes in advance.

Will the new Act apply to you?

If your answer to both of the following questions is "yes", it is very likely that the regulation will apply to you:

• Do you provide a regulated service? According to the upcoming regulation, 60 services across 18 sectors will be regulated, including energy, transport, healthcare, digital infrastructure and services, public administration, postal and courier services, or manufacturing industries.
• Are you a significant provider of that service? The upcoming regulation includes criteria such as the size of the business, the volume of services provided, holding certain licenses, or the number of customers dependent on services.

If you are unsure, try the practical calculator available on the Czech National Cyber and Information Security Agency (NÚKIB) website.

Who is most likely to be a regulated entity?

• Public administration and entities exercising public authority: Regional Offices and municipalities with extended powers (ORP).
• Online marketplace providers: including those in the tourism sector (e.g., online travel agencies, booking platforms).
• Managed (IT) services and data centre providers.
• Healthcare: entities providing healthcare or involved in the production of medicinal substances or medical devices.
• Manufacturing industry: entities involved in manufacturing as classified under CZ-NACE (e.g., motor vehicle production).

Who is likely not to be affected by the law?

• Micro and small businesses: according to the classification in the EU Commission's recommendation.
• Schools (excluding universities).

Lower and Higher Duties Regimes

Regulated entities will fall under one of two regimes:

• Higher duties regime for essential entities.
• Lower duties regime for important entities.

Details will be specified in the final legislation.

Key Duties under the New Act

Regulated entities in both regimes will have the following duties:

• Registration: Notification of the regulated service through an electronic form on the NÚKIB Portal.
• Data updates: Providing and continuously updating contact and other information through the NÚKIB Portal.
• Determining and implementing a cybersecurity management system through security measures as specified by relevant provisions.
• Reporting cybersecurity incidents.
• Client notifications: Duty to inform users about serious cybersecurity incidents that may affect them.
• Countermeasures: Duty to take countermeasures as ordered by NÚKIB in response to active threats.

Within the cybersecurity management system, the legislation anticipates direct responsibility for the organization and its management, setting up a risk management system within their own networks and information systems, implementing a minimum standard of security measures including supply chain security, creating a team to approve cybersecurity measures and oversee compliance, and the duty to primarily store data within the Czech Republic.

A transition period of one year from the decision upon registration is provided for regulated entities to establish a cybersecurity management system and report cybersecurity incidents.

Prohibited Technologies and Products

With the new legislation, NÚKIB is likely to have the authority to restrict or even prohibit the use of certain high-risk suppliers for regulated entities. However, this will only apply to providers of strategically significant services. Therefore, regulated entities will need to carefully monitor NÚKIB's activities and, as a precaution, build their IT infrastructure on trusted and secure technologies and products.

Recommended Steps

• Self-assessment: Try NÚKIB's calculator to see if the new Cybersecurity Act applies to you.
• Consultation: Seek assistance from IT specialists and cybersecurity experts who can prepare your organization to fulfil all duties under the new legislation.
• Asset and supply chain review: Assess your assets and the cybersecurity of key suppliers, especially those providing IT services or processing sensitive data.
• Ongoing monitoring of changes: Follow updates on NÚKIB's website.
• Don't get scammed! Be cautious if someone offers to guarantee your full compliance with the new Cybersecurity Act. This is not a one-time issue but involves many continuous processes that need to be implemented and maintained with your personal involvement.
• Don’t panic! NÚKIB has long advocated a supportive approach towards regulated entities, helping them meet their legal duties rather than focusing on sanctions.

How We Can Help

Navigating the new Cybersecurity Act can be challenging. Our law firm can provide legal advice and assist you with:

• Determining whether the new Act applies to you.
• Interpreting the requirements of the new legislation.
• Developing and implementing internal policies and procedures.
• Reviewing contracts with suppliers from a cybersecurity perspective.
• Assisting or representing you in the event of a cybersecurity incident or inspection by NÚKIB.

Feel free to contact us and discuss your specific needs and how to prepare for the new requirements.