Czech FDI Alert: Cybersecurity Alignment Expands Screening Scope

The definition of a "sensitive asset" in the Czech Republic has shifted significantly from its former focus on critical infrastructure or military defense.  An amendment to the Foreign Investment Screening Act (the "FDI Act") introduces technical but far-reaching changes that warrant close attention from the international investment community.

The pivotal development is the complete alignment of FDI screening with the newly adopted Cybersecurity Act. Previously, mandatory FDI clearance was reserved for traditional critical infrastructure targets. Under the new regime, mandatory screening applies to any target entity falling under the "Regime of Higher Obligations".

The scope of these "regulated services" now includes sectors that were previously considered standard commercial activities.

Expansion of Regulated Sectors

Qualified foreign investors must now rigorously assess whether a target entity provides a "regulated service" under the Higher Obligations regime. The most notable expansion affects the manufacturing industry and digital supply chain.

Mandatory screening is now likely to apply if the target operates in:

• Advanced Manufacturing (CZ-NACE 26–30): This broad category covers the manufacturing of computers, electronic and optical products, electrical equipment, machinery, motor vehicles, and other transport equipment.

• Chemical & Pharmaceutical Industry: Entities involved in the production and distribution of key chemical substances and pharmaceuticals.

• Digital Infrastructure: Providers of cloud computing services, data center services, and trust services.

• Managed Services (MSP/MSSP): B2B providers of IT security and management services.

• Energy & Utilities: Beyond traditional generation, this now captures entities managing digital control systems for water and waste management.

Implications for Cross-Border M&A

The classification of a target under the Regime of Higher Obligations triggers a strict suspensory obligation for non-EU investors (including those from the UK, US and Switzerland). The transaction cannot be closed until approval is granted by the Ministry of Industry and Trade.

The assessment of whether a target falls under this regime is no longer a mere formality but a critical item for early-stage due diligence. The complexity arises because the "sensitivity" of the asset is now defined by technical cybersecurity standards rather than purely economic or strategic factors.

Navigating this intersected regulatory regime - where investment law meets cybersecurity classifications - requires precise legal analysis. Market participants are advised to map the target’s regulated activities at the onset of the transaction to ensure deal certainty and avoid unexpected regulatory delays.

By Mgr. Radek Werich LL.M.

Download

Author