SOS: “We’re dealing with the new cyber law at the last minute” – 8 questions that actually help


The end of the year is approaching, along with the 31 December deadline for registration in the NÚKIB portal. If you feel like you’re running out of time, you’re not alone. During our latest webinar, we received a number of questions showing that there is still a lot of uncertainty around the new Cybersecurity Act. We’ve selected the most useful questions from practice that can help you understand what needs to be done and how, even if you’re dealing with it at “five minutes to twelve”.

Common questions about registering regulated services

We’re short on time. Do we need to have all security measures in place by 1 January?

No. You do not need to have everything fully implemented by 1 January 2026. The law gives you 12 months to prepare, and that one-year period starts only after NÚKIB confirms your registration of the regulated service. Your main priority before the end of the year is therefore to register via the NÚKIB Portal, which takes roughly 10 minutes.

“The one-year deadline for implementing specific security measures starts only once the authority confirms your registration.”

The worst strategy is to actively avoid the obligation. The authority is unlikely to inspect everyone immediately after the registration deadline, but if only a small fraction of the expected entities register, that will be noticeable. If you’re unsure whether you provide a regulated service, it’s safer to register; any mistakes can be corrected later. As for sanctions, the much-discussed threat of suspension of office for statutory directors applies only to the higher-risk regime, not to the lower-risk regime.

Registering regulated services in the NÚKIB Portal is a quick and administratively simple step. It must be carried out by the company’s statutory body or an authorised person, typically using a national digital identity. The goal of this initial phase is straightforward: self-identification. Even if you’re not 100% sure, we recommend registering – it shows good faith and a willingness to comply with the law, which is crucial from the authority’s perspective.

“The registration itself takes about 10 minutes. It’s a fairly short process. What matters most is that you register and show you’re not avoiding your obligations.”

We are a medium or large enterprise. Does that mean the law applies to us?

No. Company size alone is not decisive. Being a medium or large enterprise does not automatically mean you fall under the law. The key question is whether you provide a regulated service, even if it’s not your core business.

Group structure also matters. Company size can be aggregated at holding level if you use shared technical assets that are essential for delivering the regulated service. A quick look is not enough: you need to verify whether your critical technical assets depend on the group.

“It’s not just about company size. Having 50+ employees doesn’t automatically mean the new cybersecurity law applies to you — just as operating in a regulated sector doesn’t automatically mean it does.”

We only provide IT services to other companies in our group. Does the law still apply?

Yes, it does. From the law’s perspective, it doesn’t matter who you provide the service to. If one legal entity provides IT services (e.g. network administration) to another legal entity, it meets the definition of a regulated service. It’s irrelevant whether you charge for the service or provide it free of charge within the group. What matters is that the service is provided on an ongoing basis, not as a one-off activity. If the failure of your internal service company would impact the operation of the rest of the group, the law applies.

“It doesn’t matter whether you charge for the regulated service or provide it internally for free.”

Can someone from IT take on the cybersecurity role?

In an ideal world, the roles would be separate. Cybersecurity should be independent of IT to avoid conflicts of interest. Reality, however, is often different. If there’s no other option, the role can be handled by someone from IT, provided they have the time and the backbone to do it properly. In terms of qualifications, it’s often better to have a motivated person with one year of hands-on experience who wants to learn than a formally appointed manager with three years on paper who just “sat through the role”.

We are ISO 27001 certified. Does that mean we comply with the new law?

Yes, but not automatically. ISO 27001 is an excellent foundation and covers most of the measures required by the law, but it’s not the same thing. ISO 27001 is an international standard that provides a framework for security management. The Cybersecurity Act and its implementing decrees are binding legal regulations with specific requirements. ISO certification is therefore strong evidence that you have a security management system in place, but you still need to verify that every Czech legal requirement is met.

“ISO 27001 is great – it’s a solid framework. But having ISO doesn’t automatically mean you comply with the Cybersecurity Act.”

What is the biggest mistake companies make after registering?

The biggest mistake is applying the decree blindly to all systems across the company without context. After registration, start with an asset inventory and a risk analysis. The goal is not immediate 100% compliance, but understanding where your biggest weaknesses are. Identify which assets are critical to delivering your regulated service: focus on the systems without which your business wouldn’t survive the next day, and use the one-year window to set realistic measures and spread the budget sensibly.

What do you already have in place – and what’s still ahead?

Download our checklist that walks you through all key obligations, from self-identification to required documentation. (The checklist is in Czech; if you require an English translation, please contact us.)

Where to start? Verify whether the law applies to you

If you’re still unsure whether the law applies to your organisation, start by reviewing the relevant decree. If it does apply, register. It may help to know that the new law is designed not to punish companies, but to help them gradually introduce security measures in a way that supports their business rather than disrupting it.

We can help verify your obligations

Not sure whether your organisation falls under the new Cybersecurity Act? We offer a professional assessment of regulated services under the new Cybersecurity Act.
