New Cyber Security Act getting to the finish line: What to prepare for?

Who is affected?
The new Cyber Security Act, which transposes the EU NIS2 Directive into Czech law, has passed its third reading in the Chamber of Deputies. It now awaits approval by the Senate and the President's signature. Once the Act takes effect, companies will have 60 days to register on the NÚKIB portal and one year to comply with the new obligations.

The new Act expands the scope of regulated entities from the original few hundred to approximately 10,000 (some sources state 8,000 or even 12,000) across 22 different industries, including energy, transportation, healthcare, food industry, and many others.

In each industry, regulated services are precisely listed – more than 100 in total. These services are considered the most critical and require enhanced protection in the field of cybersecurity.

Whether the new law affects you depends on the size, type, and scale of services that you provide. For quick verification, you can use publicly available tools, including our guide URCI.SE.

Timeline
Cyber Security Act comes into effect
Expected between September 1, 2025 and January 1, 2026.
Registration on the NÚKIB Portal
Within 60 days of the law's effectiveness.
Complying with the obligations
Within 12 months of the law's effectiveness.
Key obligations

Self-identification and registration: Every company must assess whether it falls under the regulation and, if so, register on the NÚKIB Portal within 60 days of the Act taking effect, or within 60 days of discovering that it provides a regulated service.

Implementation of security measures: Implement the security measures required under the higher or lower regime of obligations, depending on which one applies to you. Implementing the basic security measures typically takes 3 to 12 months.

Risk and Incident Management: Conduct risk analyses, establish information system security policies, report incidents, and ensure the security of the supply chain. 

Roles and Documentation: Fill security roles, manage and update documentation, and establish systems for event monitoring.

Engage Leadership in Cybersecurity: Top management will need to take responsibility for cybersecurity. This means knowing key information, understanding the impacts of their decisions, supporting security, and undergoing regular training.

What are the penalties?

Failure to comply with the obligations can lead to fines of up to CZK 250 million or up to 2 % of the company's total annual turnover.

Further recommended steps
Self-identification
Find out if your company falls under regulation.
Registration on the NÚKIB Portal
Prepare to register within 60 days of the law's effectiveness.
Current State Analysis
Map out what you already have in place, what you are missing, and what will need to be adjusted or added to meet the new requirements.
Implementation of Measures
Implement the necessary security measures and processes.
Employee Training
Ensure training and awareness in the field of cybersecurity.

Get ready

We will help you navigate the new requirements and set up step-by-step procedures – clearly, efficiently, and in a way that makes sense for your company.

More articles

A GAP analysis will help you find out where you stand with cyber security: where you already meet the requirements, where something is missing, and what to do about it next.
If you provide a regulated service, you need to identify which security tier applies to you — basic or stricter. But how do you determine your tier, and what does it actually mean in practice?
What are regulated services and why does it matter? Identifying them is key to determining whether you will be affected by the new cyber law and under what regime.
