The most common hidden "gotchas" that put you under the new Cybersecurity Act


Do you feel confident that you know exactly what your organisation does and that the new Cybersecurity Act definitely cannot apply to you, because you don’t operate in any of the 22 regulated sectors, you don’t have hundreds of employees, or you’re not critical infrastructure? The truth is, problems rarely arise where everything is obvious – they arise where no one expects them. So in what situations can the law apply to you, even if you wouldn’t anticipate it at first glance?

Your “side activity” may be crucial from the law’s perspective

Companies often skim the list of regulated sectors, compare it with their primary business activity, and stop there. But the law doesn’t ask what generates your revenue; it looks at what you actually do, even “incidentally.” A regulated service can be hiding exactly where you don’t expect it. It pays to look closely at the details and ask yourself questions such as:

  • Do you use or produce chemicals? Could you fall under the Major Accident Prevention Act?
  • Do you provide IT support to another legal entity (another company ID)?
  • Do you operate a photovoltaic power plant above 1 MW – even just for your own use?
  • Are you planning, as part of your ESG initiatives, to install more than 50 publicly accessible EV chargers?
  • Do you develop software and later provide support to other companies?
  • Do you transport waste for someone? Do you trade in waste? Waste management includes four regulated services – could you fall under one of them?
  • What activities do you perform in the food sector? Did you know that primary production, distribution or processing of food can be a regulated service?

With these questions we want to highlight that a “secondary activity” you may run almost unintentionally can be crucial from the perspective of the Cybersecurity Act.

It’s important to keep this in mind, because many organisations have no idea that they may fall under the law simply because they carry out certain activities as part of their normal operations. Whether it’s a photovoltaic installation above 1 MW for internal use, a plan to install public EV chargers, a public railway siding, logistics for another entity, or IT services within a corporate group – all of these can turn an ordinary organisation into a provider of a regulated service.

Don’t underestimate digital services

One of the most problematic areas is managed services (listed in the Decree on Regulated Services under number 16.13). For this service, it is enough to be a medium-sized enterprise and to manage another organisation’s servers, hardware, networks, applications, or security – and voilà, you are providing a regulated digital service.

It doesn’t matter whether this is for a company in your group, a long-term business partner, or just a small “friendly favour.” If you perform these tasks for another legal entity, you meet the definition of a managed service and fall under the Cybersecurity Act.

A typical example: Within a corporate group, one company manages IT for nine other subsidiaries or sister companies. Nothing complicated, nothing that looks like a major business line – but this alone makes it a provider of a regulated digital service.


Will the changes brought by the new law apply to you?

Use our free guide Urči.se and perform a basic self-assessment yourself.
Don’t forget to have the result verified by an expert!

The size of the organisation isn’t just about a headcount

Another surprise – and a common source of mistakes – is determining organisational size. Companies often consider themselves small enterprises. But if they have a parent company with 300 employees, they cease to be “small” in legislative terms solely because of that connection, and their obligations change significantly.

Employees of connected companies count toward the total size. A company with 30 people may therefore be classified as a medium-sized or even large enterprise simply because it is part of a group. Sometimes it is enough that you share systems and infrastructure with a foreign parent company with hundreds of employees.

In addition, the law works with FTEs (full-time equivalents), so two half-time employees = one employee. We recommend keeping this in mind when calculating the size.

Shared technical assets determine "connection"

For companies connected by ownership, the new law no longer adds their sizes together automatically – they are aggregated only if the companies share technical assets. This means shared IT equipment, infrastructure, servers, applications, or similar technologies. In practice, it can look like this:

The difference between “falling into the higher regulatory regime” and “not falling under the law at all” can come down to a single decision – such as where your server is hosted.

Questions you should be asking yourselves

To ensure you carry out self-identification correctly, it pays to start with some simple but very practical questions:

These questions are often the first hint that a regulated service may be hiding somewhere you would never expect it. This is precisely why self-identification is the most deceptive – yet the most important – part of the entire process.

If you want to be sure that you are identifying regulated services correctly and not overlooking any “hidden regulated service,” it makes sense to request a professional assessment of regulated services. You will receive a clear output – and, most importantly, peace of mind that you’re not missing anything essential.

We can help verify your obligations

Not sure whether your organisation falls under the new Cybersecurity Act? We offer a professional assessment of regulated services under the new Cybersecurity Act.
