- Hana Skoupá
You may have already read something about the new Cybersecurity Act and perhaps even thought that it’s “a topic for the big players,” that your business surely isn’t doing anything important enough to have to deal with cybersecurity. But what if we told you that this may not be true at all?
Ignorance of the (cybersecurity) law is no excuse
The new Cybersecurity Act (No. 264/2025 Coll.) has been in force since 1 November 2025 and significantly expands the number of entities that must meet the state’s cybersecurity management requirements.
From the original few hundred organisations affected by the previous legislation, the new law now applies to roughly 8 to 10 thousand organisations across 22 sectors – from energy and transport to food production, manufacturing, public administration, and more. The fact that you haven’t dealt with the new law yet, or perhaps haven’t even noticed it exists, does not mean it won’t apply to you.
If you haven’t heard about the new law yet, at least take a moment to check whether your organisation might also be among those it affects.
It’s not just about the sector – it’s about the activity
The law doesn’t tell you: “This applies to you if you are a bank or a hospital.” Instead, it looks at the services you provide – and to whom. The small catch is that you first have to look into this yourself. Somewhat unusually, organisations must identify themselves as being subject to the law.
This self-identification duty essentially applies to everyone. Organisations must assess for themselves whether they fall under the law and which regulated services they provide. And the answers are not always obvious at first glance. Besides the activities you provide, you must also take into account your size or whether you hold specific licences.
But even with the services you provide, it may not be clear right away. The law looks not at what is key to your business, but at what you actually do in practice. This can include activities you do “on the side” – things that don’t generate revenue but make operational sense. As soon as you meet certain size or other conditions, the law treats you as a provider of a regulated service. Whether you earn money from it or not plays no role.

Will the changes brought by the new law apply to you?
Use our free guide Urči.se and perform a basic self-assessment yourself.
Don’t forget to have the result verified by an expert!
Yesterday was already too late – so what now?
The law has been in force since 1 November 2025, and organisations must register themselves as subject to the law (including reporting their regulated services) no later than 31 December 2025. This means that by then you must have:
- clarity on whether the law applies to you,
- an overview of the regulated services you provide,
- and a designated person responsible for reporting them.
At first glance this may not seem difficult, but the reality tends to be different. Organisations try to handle self-identification internally – logically, who knows the operations better than people inside the company? But assessing the impact of the law means comparing real activities with legal and technical interpretation. And those often differ. You may easily find that what you consider a simple internal task is, from a legal perspective, a regulated service – or the opposite.
Organisations must complete self-identification and report regulated services via the NÚKIB Portal by 31 December 2025. If they fail to meet this obligation, they face sanctions under the law.
How to proceed?
- Start simple: Check whether your sector is among those covered by the law. If it is, open the list of regulated services (in the decree on regulated services) and go through which of them your organisation actually provides – even partially or as part of other activities.
- The next step is size: The law applies mainly to medium-sized and large enterprises, but there are exceptions, for example in IT. And be careful about one more thing – when determining size, related companies in a group often count as well. So if your company has 40 employees and the parent company has another 30, the law will consider you a medium-sized enterprise, because you are connected not only by ownership but also operationally.
- Finally, check whether you meet other conditions of the decree: For example, whether you hold certain licences or other authorisations. You can compare your result with online calculators, but preferably with an expert (ideally a combination of cybersecurity and legal specialists).
How to know you "identified" yourself correctly?
There are more than enough uncertainties and pitfalls in the self-identification process. If you want to be sure you are identifying regulated services correctly, it makes sense to request a professional assessment of regulated services. You will receive a concrete output – and most importantly, peace of mind that you’re not overlooking anything important.
At this stage, this is still just a verification – not a major investment. A little extra certainty is probably worth it, isn’t it?