Cybersecurity Act (according to NIS2)
In autumn 2025 a new Cybersecurity Act based on the European NIS2 directive will come into effect. It will affect thousands of Czech companies across various sectors and will introduce stricter cybersecurity requirements, new obligations, and increased management accountability.
If your business falls under the new legislation, you will be required to secure your operations under either a higher or lower obligation regime. This includes risk management, implementation of security measures, and assigning cybersecurity roles. We can help you with everything – from determining whether the law applies to you, through implementation of measures, to long-term outsourcing.
Who does the new law apply to?
The new Cybersecurity Act expands the range of companies subject to cybersecurity obligations. It will affect even those that previously had not met any requirements. The key criterion is whether you provide what is called a regulated service.
The assessment takes into account primarily: company size, business sector (such as telecommunications, energy, healthcare, water management, transportation, or digital services), and the specific type of services provided. It’s not just about your core business—what matters is what services you actually deliver, even as part of operations.
In some sectors, precise criteria are also considered, such as the number of customers, possession of specific licenses (e.g. from the Energy Regulatory Office), or the number of acute care beds in healthcare.
The law may also apply to you even if you don’t provide any regulated service, but the National Cyber and Information Security Agency (NÚKIB) includes you among the obligated entities based on defined exceptions.
The new cybersecurity legislation introduces a number of obligations for affected entities. The most significant include:
- Self-identifying whether the company is a provider of a regulated service
- Accountability of company management for adopted cybersecurity measures
- Obligation for top management to attend regular training sessions
- Obligation to implement security measures
- Implementation of countermeasures and many others
- For some entities, measures should also include the assessment and management of security risks arising from supply chains and supplier relationships

What duties will the new law bring?
Duties for top management
The purpose of this obligation is to ensure that those in decision-making positions understand the consequences of their decisions and their impact not only on the cybersecurity of the company, but on its overall functioning. This will require managers to be familiar with key documents or attend regular training sessions.
Repeated breaches may result in the suspension of a member of senior management.
Human resource security
In cybersecurity, employees need to be educated first and foremost, and you need to keep records showing that you have educated them. The most advanced (and expensive) technical cybersecurity solution can fail if your employees are not properly trained and open a phishing email.
Training plans, the training itself, and evidence of the training are key responsibilities in this duty.
Access control system
Only carefully selected people should have access to important information about your company. The creation and registration of user accounts and the control of their access serve this purpose. An HR employee should not have access to company business data, unlike an economist. Conversely, an economist should not have access to employee data.
Business continuity management
Business continuity management helps you anticipate the consequences of cyberattacks and other disasters. What would the response be in the event of a critical information system outage? How quickly can it be restored? How much will it cost if I want it restored faster?
It’s better to know the answers to these and related questions before an incident occurs. At that moment, it is crucial to have all procedures thoroughly planned and documented in advance – that’s what business continuity management is for.
Security of communication networks
You can ensure the security of a communication network, for example, by separating the individual parts of the network into logical segments. An intrusion then stays contained in that segment and can be stopped there.
Remote access and the introduction of VPNs are also related to communication network security. Implementing them entails verifying the identity of those accessing the network using MFA and keeping records of their access.
Cryptographic algorithms
The purpose of using cryptographic algorithms is to secure communications, technical assets and other tools. It is important, for example, to choose appropriate communication protocols and to establish rules for handling cryptographic algorithms.
The National Cyber and Information Security Agency actively monitors and informs about this area. The document 'Minimum requirements for cryptographic algorithms' is posted on its official board. If you follow it, you can't go wrong.
Application security
For any software in use, it matters whether the manufacturer or supplier still supports it: unsupported software cannot be kept secure. Application security therefore requires, for example, maintaining a list of unsupported software and other assets and scanning the internal network for vulnerabilities.
Asset management
An asset is anything that has value to your company. It is usually information, systems or processes.
By evaluating your assets, you will know which ones are most important to you, what they depend on and who is responsible for them.
Risk management
Risk management is an activity that needs to be repeated regularly. A company must establish a methodology that describes how it assesses risk and identifies threats and vulnerabilities. The goal is to make it clear how risks will be managed going forward.
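One way to turn the asset evaluation (importance, dependencies, owners) into a repeatable risk assessment, added here as an illustration; it is not the page's or NÚKIB's methodology, and the asset names, ratings and the scoring rule are assumptions:

```python
# Added illustrative methodology (assumed, not NÚKIB's): assets carry an owner,
# a criticality rating and dependencies; criticality is inherited along
# dependency links; risk score = likelihood x effective criticality.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    owner: str          # who is responsible for the asset
    criticality: int    # 1 (low) .. 4 (critical), as rated by the owner
    depends_on: list = field(default_factory=list)

# Constructed sample register: invoicing is critical, but the database and
# hypervisor it runs on were rated low by their own owners.
ASSETS = {
    "invoicing": Asset("invoicing", "finance", 4, ["erp-db"]),
    "erp-db": Asset("erp-db", "it-ops", 2, ["hypervisor"]),
    "hypervisor": Asset("hypervisor", "it-ops", 1, []),
    "intranet": Asset("intranet", "hr", 1, ["hypervisor"]),
}

def effective_criticality(assets):
    """An asset is at least as critical as anything that depends on it."""
    eff = {n: a.criticality for n, a in assets.items()}
    changed = True
    while changed:                       # propagate until nothing changes
        changed = False
        for a in assets.values():
            for dep in a.depends_on:
                if eff[dep] < eff[a.name]:
                    eff[dep] = eff[a.name]
                    changed = True
    return eff

# Constructed scenarios: (asset, threat, likelihood 1..4, known open vulnerability?)
THREATS = [
    ("hypervisor", "unpatched hypervisor escape", 2, True),
    ("erp-db", "credential theft via phishing", 3, False),
    ("intranet", "defacement", 3, True),
]

def risk_register(assets, threats):
    """Rank scenarios; an open vulnerability raises likelihood by one step."""
    eff = effective_criticality(assets)
    rows = []
    for asset, threat, likelihood, vuln in threats:
        lik = min(4, likelihood + (1 if vuln else 0))
        rows.append({"asset": asset, "owner": assets[asset].owner, "threat": threat,
                     "impact": eff[asset], "likelihood": lik, "score": lik * eff[asset]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Note how the hypervisor, rated low by its owner, ends up with critical impact because the invoicing system depends on it through the database.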
Other security measures will apply to your company depending on whether your business will be in the lower or higher regime according to the new Czech regulation on cybersecurity. Want to find out which regime you fall into? Use our guide Urči.se ↗
Important deadlines
- Cyber Security Act comes into effect
- Reporting regulated services
- Reporting of contact details
- Complying with the obligations
Frequently asked questions
What is NIS2 and how is it related to the Cybersecurity Act?
NIS2 is an abbreviation for the European directive on cybersecurity, which all EU member states are required to transpose into their national legislation.
The new Czech Cybersecurity Act is our way of implementing the NIS2 directive. Its goal is to increase the resilience of companies against cyberattacks. That’s why it introduces obligations for securing information systems, places responsibility on company leadership, mandates the management of assets and risks, and much more.
When will the law come into effect?
The law will come into effect in autumn 2025. Companies will then have to meet two key deadlines:
- Within 60 days of the law’s effective date – notification of a regulated service
- Within 1 year of the confirmation of regulated service registration – implementation of security measures and obligation to report incidents
We recommend starting preparations for the changes as soon as possible, especially due to growing cyber threats, a shortage of specialists, and the need for rational planning of company expenses.
Who will be affected by the new obligations?
The new law will also apply to companies that previously had no obligations. It is estimated to affect 8–10 thousand Czech organizations across 22 selected sectors. The key factor for assessment will be whether you provide a so-called regulated service or fall under exceptions defined by NÚKIB. You can easily check whether your company will be subject to the new law using our free guide at URCI.SE.
What is self-identification and how does it work?
Self-identification is the process by which a company assesses whether it provides a regulated service and is therefore subject to the new law. If so, it is required to report the regulated service to NÚKIB within 60 days of the law taking effect and begin meeting the requirements.
In most cases, you can handle self-identification on your own. However, we recommend consulting with experts if you're unsure about interpreting the law, have a complex organizational structure, provide services across multiple sectors, or want to minimize the risk of misjudgment.
What do the obligation regimes mean?
You can think of the higher and lower obligation regimes as two levels of difficulty. The lower regime comes with fewer obligations, the required documentation is about half the volume, and you only need to assign one security role. If you have a capable IT team, you may not even need to hire a new person. In theory, you just need someone to explain the content of the new obligations to you.
By contrast, companies in the regime of higher obligations need to fill at least three security roles, manage risk, manage and regularly update more than 20 documents, implement and maintain network monitoring systems, and much more.
How long does implementation take?
Implementing the new legislative requirements typically takes 6–12 months, depending on the size of the company and its current level of cybersecurity. We recommend starting preparations as early as possible.
How can we help?
We start with self-identification – together we will determine whether the new Cybersecurity Act applies to you and under which regime. Then we will map your assets, processes, and current cybersecurity status (what you already have in place and where there are gaps).
Based on interviews with responsible staff, we will prepare a detailed plan for implementing all required measures. We will create or supplement your documentation to meet the new law’s requirements.
The outcome of our cooperation will be clearly structured materials ready for potential NÚKIB inspections as well as for internal information security management. We’ll tailor the documentation to your obligation regime and your company’s actual setup.
- By doing a gap analysis, we will verify your company’s current state and prepare a plan for the next steps
- We will conduct an analysis of assets and risks
- We will assess the security risks of your supply chains
- We will explain the content of the new obligations and provide training for top management
- We will prepare a business continuity plan and other necessary documentation
- We will provide outsourced cybersecurity managers and other roles
How will we proceed?
Determining your regime and obligations
We'll help you identify whether and to what extent the new law applies to you, and clearly explain what you'll need to comply with.
Current state analysis
By conducting a gap analysis, we'll assess the current state of cybersecurity in your company and compare it against the new legal requirements.
Security measures
We'll propose technical and organizational measures tailored to your operations, ensuring compliance with the law while remaining practical.
Document creation and updates
We'll create or revise your security documentation so that it meets legal requirements and is understandable for your team.
Employee Training
We'll train your management and employees, help define responsibilities, and raise cybersecurity awareness across your organization.
Outsourcing and ongoing support
We also provide continuous support – reviews, incident reporting, legal updates. If needed, we can handle the outsourcing of security roles.
Contact us and get your umbrella against cyber threats!
We will help you create the foundations, principles and documentation for effective security. We will teach you how to understand and rely on your security in case of incidents, so that it is preventive and does not limit your operations.