Blog

News 11/2025

Petr Hanka
Associate

Will the new Act on Cybersecurity also affect your company?

The new Act on Cybersecurity came into effect on         1 November 2025, and transposes the requirements of the European NIS2 Directive into Czech law.

The aim is to strengthen the resilience of key companies and institutions against cyberattacks, which pose a serious threat both to the functioning of individual businesses (risk of data loss, reputational risk) and, indirectly, to the functioning of the state in critical sectors.

Who falls under the scope of the new legislation

The Act now applies to a broad range of entities, which may come as a surprise to many of them. It covers providers of ‘regulated services’, meaning companies operating in sectors essential to the functioning of society or the state.

Such sectors include, for example, energy, healthcare, transport, digital infrastructure and services, finance, public administration and, in some cases, also manufacturing, food production, education and research. The specific services are defined by the Decree on Regulated Services issued by the National Cyber and Information Security Agency (NÚKIB).

Basic obligations

Regulated entities are now divided into two regimes with either basic or extended obligations (depending on their importance, size and type of service).

Regulated entities are required to implement security measures consisting of a set of technical and organisational measures defined in the accompanying decrees. Regulated entities will also be obliged to report cybersecurity incidents.

The Act also sets high penalties for its violation, which may reach up to CZK 250 million or even 2% of global turnover (for entities under the extended obligations regime).

Necessary steps

Entities must carry out ‘selfidentification’, meaning they must assess whether they provide a regulated service.

If so, the regulated service must be reported to NÚKIB within 60 days. Entities that already provide regulated services must do this by the end of this year.

NÚKIB will then issue a registration decision, and further deadlines apply from the date of its delivery – in particular, a oneyear deadline for implementing all the mandatory security measures.

We are ready to assist you in assessing whether the new Act applies to you, and can provide support with any subsequent steps.

 

With friendly regards,

Team WTS Alfery, Alfery Hrdina Advokáti