- Hana Skoupá
The new Cybersecurity Act applies only to certain entities – specifically, those that provide a regulated service within a regulated sector (and also meet a size or turnover threshold). At first glance, this might seem straightforward. In practice, however, this is where the greatest uncertainty begins. Many companies are unsure what exactly a regulated service means – or where to look for it in their business.
What is a regulated service?
The new Cybersecurity Act applies to providers of regulated services, but to fall under the law’s obligations, it’s not enough just to operate in a regulated sector (e.g. energy, healthcare, transportation…) and meet the company size or turnover criteria. You must be providing a service that is classified as regulated within that sector.
Operating in one of the following sectors does not automatically mean that you provide a regulated service. But it’s a good idea to check, so you’ll know in time whether the new Cybersecurity Act affects you.
- Digital infrastructure and services
- Rail transport
- Energy
- Financial market
- Chemical industry
- Air transport
- Maritime and inland waterway transport
- Defense industry
- Waste management
- Postal and courier services
- Food industry
- Road transport
- Science, research and education
- Public administration
- Space industry
- Water management
- Manufacturing
- Healthcare
The most common mistake – confusing sector with service
Many entities believe that just because they operate "in the energy sector" or "in healthcare", they are automatically regulated. That is not enough. The key is to determine whether you provide a service explicitly classified as regulated, as described in detail in the relevant decree for each service.
- If you do not provide a regulated service – you likely do not fall under the new law.
- If you do provide a regulated service – you should conduct a self-identification to determine under which obligation regime you fall (higher or lower).
A list of regulated services can be found in the annex of the relevant decree.
What else should you watch out for?
Main activity ≠ regulated service: Companies often make the mistake of thinking the law only applies to their core business. But it’s not about what’s most important commercially – it’s about whether you provide any regulated service, even as a side activity. You need to identify all services in your operations that might fall under regulation. A common example is operating a photovoltaic plant or generating electricity for your own use.
Exceptions: For some entities, the law automatically applies due to specific exceptions. In such cases, you are registered directly by NÚKIB (National Cyber and Information Security Agency) and do not need to complete the self-identification and regulated service registration process. However, it’s still important to find out if you fall under one of these exceptions – and start preparing early.
Key takeaways
- Not every company operating in a regulated sector is automatically regulated.
- A regulated service can be a minor part of your business!
- What matters is the specific service you provide.
- Don’t forget about exceptions and special cases.
FAQ on regulated services
What are regulated services?
Regulated services are key services (e.g., in energy, transport, healthcare, or digital infrastructure) that are considered important from a cybersecurity perspective and are therefore subject to security rules under the new Cybersecurity Act.
How many regulated services are there?
The latest version of the decree on regulated services includes 22 service areas, containing a total of 102 different regulated services (updated as of June 19, 2025).
How can I find out if the services I provide are regulated?
The decree includes an annex listing all services subject to regulation. If you provide one of these services, you likely fall under the new Cybersecurity Act. In addition to the type of service, other factors such as organization size or specific conditions (e.g. holding a certain license) may also apply.
Helpful guidance may come from the explanatory report, which details these regulated services.
Do I have to fulfill any obligations if I provide a regulated service?
The decree on regulated services does not define specific obligations – it only serves to identify providers of regulated services and their obligation regime. The obligations themselves are set out in the new Cybersecurity Act and its related decrees (especially those outlining security measures for providers in both lower and higher obligation regimes).
What if I provide multiple regulated services under different regimes?
You can have only one regime. If you provide more than one regulated service, the strictest regime applies. The regime is not determined per service, but for the entire organization, and it is based on the service with the highest obligations. Even if all but one of your services fall under the lower regime and just one is in the higher regime, ‘the high card wins’, and you must provide all regulated services under the stricter set of obligations.