24. 10. 2025

New Czech Cybersecurity Act: Are you Concerned?

The new Cybersecurity Act replaces the previous framework with a service-based scope (“regulated services”) and brings thousands of additional entities into regulation. Most in-scope entities must notify their regulated services via the NÚKIB Portal.

Who Is in Scope

Scope is no longer based on entity labels alone. An entity is in scope if it provides a regulated service in sectors defined by law (e.g., energy, finance, healthcare, transport, digital infrastructure, public administration) and meets the relevant size or significance thresholds. The specific list of regulated services and regime thresholds will be set by NÚKIB decrees. 

Two Regimes of Obligations (Higher vs. Lower Regime)

The Act introduces two regimes of obligations aligned to the criticality and risk of the regulated service: a higher and a lower regime. Detailed security measures will be specified in implementing decrees and guidance, but expect obligations across at least these areas:

  • Risk management and asset scope (define the in-scope assets and processes and key dependencies)

  • Business continuity and incident response (plans, testing, exercises)

  • Supplier/third-party security (onboarding, contractual controls, monitoring)

  • Access control and identity management

  • Training and awareness for relevant staff and management

  • Monitoring, logging and detection proportional to risk

  • Documentation and governance (roles, accountability, board reporting)

  • Contact points and cooperation with NÚKIB/CERT (keeping contacts up to date)

  • Incident reporting: timely notifications via the NÚKIB Portal (and/or CERT).

Key Dates and Deadlines

  • 1 November 2025 – the new Cybersecurity Act becomes effective. In-scope entities have 60 days to notify their regulated services.

  • Implementation window – after registration, companies generally have up to one year to implement required measures.

Penalties and Governance

For serious breaches, authorities may impose penalties of up to CZK 250 million or 2 % of worldwide turnover, whichever is higher. The new Act also strengthens board-level accountability for cyber-risk governance.

What This Means for Businesses

A practical approach to the new regulation includes:

  • Scope assessment – compare current activities to the (upcoming) list of regulated services and determine whether you fall under the higher or lower regime

  • Notification preparation – compile service descriptions, contacts, and incident channels for submission within the 60-day deadline

  • Implementation planning – prepare a 12-month roadmap covering policies, risk assessments, supplier controls, training, and incident playbooks

  • Governance alignment – assign executive accountability and update contracts and procurement to reflect security and incident-sharing obligations.

By Mgr. Bc. Andrea Lančová

Download: G&P Newsletter 2/2025 (PDF)
