EU NIS2 Directive and the New Czech Cybersecurity Act: What You Need to Know

Everything indicates that the new Czech Cybersecurity Act, adopted in response to the European NIS2 Directive, will enter into force on July 1, 2025. The goal of this new legislation is to enhance the cybersecurity resilience of both private and public entities. It is expected that the new duties will apply to around 6,000 entities. High penalties will also be introduced, including fines up to millions of CZK or percentages of total annual turnover, suspension of certification or authorisation, or temporary bans on members of the management bodies. Although the Act has not yet entered into force, it is crucial to get ready for the changes in advance.
Will the new Act apply to you?
If your answer to both of the following questions is "yes", it is very likely that the regulation will apply to you:
- Do you provide a regulated service? According to the upcoming regulation, 60 services across 18 sectors will be regulated, including energy, transport, healthcare, digital infrastructure and services, public administration, postal and courier services, or manufacturing industries.
- Are you a significant provider of that service? The upcoming regulation includes criteria such as the size of the business, the volume of services provided, holding certain licenses, or the number of customers dependent on services.
If you are unsure, try the practical calculator available on the Czech National Cyber and Information Security Agency (NÚKIB) website.
Who is most likely to be a regulated entity?
- Public administration and entities exercising public authority: Regional Offices and municipalities with extended powers (ORP).
- Online marketplace providers: including those in the tourism sector (e.g., online travel agencies, booking platforms).
- Managed (IT) services and data centre providers.
- Healthcare: entities providing healthcare or involved in the production of medicinal substances or medical devices.
- Manufacturing industry: entities involved in manufacturing as classified under CZ-NACE (e.g., motor vehicle production).
Who is likely not to be affected by the law?
- Micro and small businesses: according to the classification in the EU Commission's recommendation.
- Schools (excluding universities).
Lower and Higher Duties Regimes
Regulated entities will fall under one of two regimes:
- Higher duties regime for essential entities.
- Lower duties regime for important entities.
Details will be specified in the final legislation.
Key Duties under the New Act
Regulated entities in both regimes will have the following duties:
- Registration: Notification of the regulated service through an electronic form on the NÚKIB Portal.
- Data updates: Providing and continuously updating contact and other information through the NÚKIB Portal.
- Determining and implementing a cybersecurity management system through security measures as specified by relevant provisions.
- Reporting cybersecurity incidents.
- Client notifications: Duty to inform users about serious cybersecurity incidents that may affect them.
- Countermeasures: Duty to take countermeasures as ordered by NÚKIB in response to active threats.
Within the cybersecurity management system, the legislation anticipates:
- direct responsibility for the organization and its management,
- setting up a risk management system within their own networks and information systems,
- implementing a minimum standard of security measures, including supply chain security,
- creating a team to approve cybersecurity measures and oversee compliance, and
- the duty to primarily store data within the Czech Republic.
A transition period of one year from the decision upon registration is provided for regulated entities to establish a cybersecurity management system and report cybersecurity incidents.
Prohibited Technologies and Products
With the new legislation, NÚKIB is likely to have the authority to restrict or even prohibit the use of certain high-risk suppliers for regulated entities. However, this will only apply to providers of strategically significant services. Therefore, regulated entities will need to carefully monitor NÚKIB's activities and, as a precaution, build their IT infrastructure on trusted and secure technologies and products.
Recommended Steps
- Self-assessment: Try NÚKIB's calculator to see if the new Cybersecurity Act applies to you.
- Consultation: Seek assistance from IT specialists and cybersecurity experts who can prepare your organization to fulfil all duties under the new legislation.
- Asset and supply chain review: Assess your assets and the cybersecurity of key suppliers, especially those providing IT services or processing sensitive data.
- Ongoing monitoring of changes: Follow updates on NÚKIB's website.
- Don't get scammed! Be cautious if someone offers to guarantee your full compliance with the new Cybersecurity Act. This is not a one-time issue but involves many continuous processes that need to be implemented and maintained with your personal involvement.
- Don’t panic! NÚKIB has long advocated a supportive approach towards regulated entities, helping them meet their legal duties rather than focusing on sanctions.
How We Can Help
Navigating the new Cybersecurity Act can be challenging. Our law firm can provide legal advice and assist you with:
- Determining whether the new Act applies to you.
- Interpreting the requirements of the new legislation.
- Developing and implementing internal policies and procedures.
- Reviewing contracts with suppliers from a cybersecurity perspective.
- Assisting or representing you in the event of a cybersecurity incident or inspection by NÚKIB.
Feel free to contact us and discuss your specific needs and how to prepare for the new requirements.