Implementing regulations for the New Cybersecurity Act: What has changed?

cybersecurity-law-notes-highlights-czech-flag-desk-regulations-update
  • Kateřina Kubíková
  • Petra Kovářů
The new Cybersecurity Act is entering a new phase. Draft implementing decrees and government regulations have entered inter-ministerial review. These documents begin to reveal what cybersecurity regulation will look like in practice – for both companies and public institutions. Below is a summary of the most notable changes.

Overview of decrees and regulations

On May 16, a key phase in the preparation of the new Cybersecurity Act began. Draft implementing decrees and two government regulations were released for public consultation. These will supplement the framework law with specific, actionable rules.

Drafts of 8 decrees and 2 government regulations were submitted for review. NÚKIB estimates that these may be adopted around October or November 2025. List of expected regulations:

Decree on security measures for the higher regime

  • Security measures may be waived only based on risk assessment.
  • Notification to key suppliers does not need to include supplier rules.
  • Cybersecurity committee must meet at least once a year, not just regularly.
  • Added obligation: Mandatory final report after resolving major cybersecurity incidents.
  • The role of cybersecurity architect can be combined with ICT operations responsibilities..
  • In addition to MFA multi-factor authentication, there's now an option for continuous authentication under a zero-trust model.
  • Security updates for technical assets don’t need to be applied immediately.
  • Scope of strategically significant services, will now be defined by a government regulation.
  • The annex on asset evaluation was revised – explanatory notes shortened, and rating scales slightly updated (availibility, confidentiality and integrity).
  • New threat added: disruption of availability of assets located outside Czech territory.
  • Risk assessment annex now provides example methods rather than a fixed list.
  • Several updates to improve clarity and usability of the decree.

Decree on security measures for the lower regime

  • Top management has greater responsibility: they now designate the cybersecurity lead and must support recovery priorities for primary assets.
  • Stronger emphasis on management awareness – they must follow clear development guidelines.
  • Business continuity management now focuses on technical assets, that are prioritized based on business value.
  • MFA or zero trust models now mandatory for both admins and users.
  • Expanded risk assessment – new four-tier scale from low to critical, with stricter impact evaluation.
  • Number of employees is no longer a factor in assessing incident impact.

Decree on regulated services

  • Removal of many additional conditions previously required for providers of regulated services.
  • Several terminology changes – mostly clarifications.
  • Examples of updated terminology in the electricity sector:
Original term
New term
Electricity generation
Electricity generation under the Energy Act, excluding generation from renewable sources with a total installed capacity up to 1 MW
Operation of electricity transmission system
Operation of electricity transmission system under the Energy Act
Operation of electricity distribution system
Operation of electricity distribution system under the Energy Act
Electricity trading
Electricity trading under the Energy Act
Market operator activities
Activities of the nominated electricity market operator under directly applicable EU legislation
Aggregation activities
Electricity aggregation under the Energy Act
Energy
  • The condition regarding installed capacity for the "lower obligations" regime has been removed. For most regulated services, the main criterion for determining the compliance regime will now be the size of the company.
  • Operator of public charging stations is now regulated if operating 50+ stations.
  • For gas, clarified that it applies specifically to natural gas.
Chemical industry
  • Lower regime applies to large or medium-sized enterprises, regardless of quantity of hazardous substances.
  • Higher regime and link to the Major Accidents Act have been removed.
  • Use of facility for hazardous substances remains unchanged.
Transport
  • Water transport clarified to maritime.
  • Aviation sector trimmed: 9 regulated services reduced to 4.
  • Removed regulated services:
    • Air traffic control in Czech airspace
    • Security screening of cargo or mail
    • Cargo or mail dispatch service
    • Onboard supply service
    • Ground handling services
Digital infrastructure
  • Internet exchange service providers in the higher regime must connect at least 100 independent networks with traffic of at least 1 Tbps.
  • Two new regulated services:
    • Domain name registration and management
    • Management and operation of the gov.cz domain
  • The wording has been updated – instead of: "entrepreneurs," the term now used is "customers who are not consumers,".
    • Managed services
    • Managed security services
Postal and courier services
  • Now split into two regulated services:
    • Postal service
    • Courier service
Healthcare
  • Expanded to include provision of healthcare excluding outpatient care for socially excluded individuals and excluding nursing care in social service facilities.
Food industry
  • The scope of regulated services has been clarified to cover industrial food production, food processing, and wholesale food distribution.
Science, research and education
  • Adjustments have been made to the conditions under which the services are regulated.

Final thought

Although the new Cybersecurity Act is not yet in effect, the newly published decrees and regulations already offer a clear picture of what’s coming. Final approval is expected this autumn. Now is the right time to start preparing – the sooner you begin, the smoother the transition will be when the law comes into force. No last-minute stress required.

Get ready

We continue to monitor developments and can clearly explain key changes to you and help implement them in your company. Are you interested?
Contact us

More articles

business-graphs-charts-magnifying-glass-table-financial-development-banking-account-statistics
GAP analysis: identify the gaps in your cybersecurity
GAP analýza vám pomůže zjistit, jak na tom jste s kybernetickou bezpečností – kde splňujete požadavky, kde vám něco chybí a co s tím dál.

READ MORE

green-up-arrow-bright-side-red-down-arrow-dark-side-which-print-screen-wooden-cube-block-economic-business-profit-growth-concept-copy-space
Higher and lower Regime under the new Cybersecurity Act
If you provide a regulated service, you need to identify which security tier applies to you — basic or stricter. But how do you determine your tier, and what does it actually mean in practice?

READ MORE

businesswomen-tick-mark-assessment-questionnaire-evaluation-online-survey-online-exam-choose-right-answer-exam-filling-out-online-survey-form-answer-test-questions-concept
Regulated services under the New Cybersecurity Act
What are regulated services and why does it matter? Identifying them is key to determining whether you will be affected by the new cyber law and under what regime.

READ MORE

Newsletter

Do you want to ensure your company is protected from cyber threats while also complying with applicable legislation? Sign up for our newsletter and receive practical advice from our legal consultants.

By clicking subscribe you consent to the processing of your personal data for marketing purposes.