Management responsibilities according to the Czech Cybersecurity Act

With the new Cybersecurity Act, responsibility for cybersecurity has gradually shifted to where the EU's NIS2 Directive says it belongs – to the level of an organization's leadership. For statutory bodies, managing directors, and top management, this means one essential thing. The performance of certain activities can be delegated to the IT department or to suppliers, but responsibility for cybersecurity remains with management. What requirements does the Cybersecurity Act place on management, and how do they differ depending on the regime of obligations?

Why is cybersecurity addressed at the management level

The principle of the new act is fairly simple. Senior management bears responsibility for how the organization functions from a security perspective. This means it is management that is responsible for ensuring the organization knows its key services and processes, understands the risks that may threaten it, and is prepared both to handle operational disruptions and to continue operating after an incident. At the same time, cybersecurity does not stand apart as an isolated technical issue. It is part of the organization's overall risk management, much like financial, operational, or legal risks. A cyber incident can cause service outages, financial loss, and reputational damage. Management must therefore treat it as a routine part of strategic decision-making.

The term "senior management" itself is also important. The implementing decrees of the Cybersecurity Act interpret it more broadly than just the statutory body. It includes the statutory body, but also any other person or group of persons in a comparable managerial position. The obligations therefore do not target only the managing director listed in the register, but everyone who actually runs the organization.

A shared foundation: management obligations for both the lower and higher regimes

Under the lower-obligation regime, the requirements for senior management are set out in Section 4 of Decree No. 410/2025 Coll. This is a complete foundation that is the same for the higher regime as well; the higher regime merely adds further obligations to it. The lower-regime obligations that the higher regime then elaborates on include:

Management must demonstrably undergo training focused on its obligations under the act and on the organization's security policies. It should understand how risks, measures, and their impacts on the organization's operations relate to one another. The goal is not to turn management into technicians. The goal is to enable it to make informed decisions. Training should not be a one-off – ideally it is repeated at least once a year.

Management must designate a person responsible for cybersecurity. This person serves as management's main support for the entire agenda. They handle the management and development of cybersecurity, oversee its status, and communicate with senior management. This may be an employee of the organization, a trained colleague, or a supplier.

What matters is that they have the necessary expertise as well as the authority without which they cannot fulfil this role. In practice, this also means having a process in place for regular communication with management. It is through this person that information about threats, risks, the status of measures, and changes that may affect security reaches management.

Management is to ensure the resources needed for cybersecurity. This is not only about money; it also includes people, tools, technologies, and time. The scope of resources should correspond to the services the organization provides, how important they are to it, and what impact their outage would have. The minimum will look one way for a smaller support service and quite another for a service on which the entire organization's operations depend.

In practice, this means a budget for adequate measures, the capacity of people who actually handle the agenda, the tools needed to manage security, and also time for training employees, regular evaluation, and decision-making.

The decree does not require management to design or implement individual security measures itself. It requires management to know their status and be able to make decisions about them. This includes measures that have been implemented, those that are planned, and those the organization has not yet implemented, including the reason why. The supporting materials are usually prepared by the person responsible for cybersecurity. It is up to management to evaluate them, decide on priorities, and demonstrably stay informed of them.

Demonstrability can take the form of meeting minutes, an approved overview of measures, or another list that makes clear that management genuinely addressed the state of security. This is precisely one of the main ways an organization demonstrates that management is not just a formality in the whole agenda.

Cybersecurity cannot be set up once and then set aside. Organizations change; new systems, suppliers, services, and risks emerge. Management's task is therefore to support continuous improvement. In practice, this means removing obstacles that prevent the implementation of needed measures, approving priorities and deadlines, and responding to changes that may affect security. Typically, this would include acquisitions, mergers, the introduction of new technology, a change of a major supplier, or changes in the organization's leadership.

Management is to set recovery priorities for primary assets. In practical terms, this is a decision about what must be restored first after an incident or outage, because the provision of the regulated service depends on it. These decisions are not made in a vacuum. Management should make them together with people who understand operations, technologies, contractual obligations, and the impacts on the customers or users of the service.

The result should be a clear answer to the questions: which services and processes are most important to the organization, how long an outage it can afford, and how much data loss would already mean a problem for operations, finances, or contractual obligations. These obligations are logically interconnected. They begin with management knowing what the organization rests on and who is to manage security.

| Area | Lower regime | Higher regime |
|---|---|---|
| Management framework | Ensuring minimum cybersecurity | Information security management system (ISMS) integrated into processes |
| Governing body | Person responsible for cybersecurity | Cybersecurity management committee and cybersecurity manager |
| Security roles | Not addressed separately | Defining roles and ensuring they can be covered by representatives |
| Management oversight | Staying informed of the status of security measures | Plus audits, risk assessments, and impact analyses |
| Continuity | Recovery priorities for primary assets | Testing of continuity and recovery plans |

Lower vs. higher regime – how they differ. The higher regime builds on the same foundation; it simply formalizes it more, develops it further, and adds requirements for management, oversight, and continuity.

Management obligations under the higher regime

The higher-obligation regime applies to organizations of the greatest social and economic significance. Here the requirements for management are governed by Section 4 of Decree No. 409/2025 Coll. They are more detailed than in the lower regime: they break the same basic areas down into more sub-points and add further obligations on top. Which obligations are additional under the higher regime?

Whereas the lower regime speaks of ensuring minimum cybersecurity, the higher regime is built on a formal information security management system. Management ensures that the security policy and objectives of this system are defined, that they align with the organization's strategic direction, and that the entire ISMS is integrated into routine processes.

This is one of the most visible differences. Management must establish a cybersecurity management committee and appoint its members. The committee must include at least one member of management, or a person appointed by management, along with the cybersecurity manager. The committee meets at least once a year, records are kept of its meetings, and its members must have appropriate authority and professional competence.

The higher regime envisages defined security roles. Management sets the rules for designating administrators and persons in security roles, provides them with the necessary authority and resources – including a budget – and ensures they can be covered by representatives. This also includes the obligation to ensure the confidentiality of relevant persons, typically administrators, persons in security roles, and suppliers.

In the lower regime, management demonstrably stays informed of the status of measures being implemented. In the higher regime, the list is more specific. It includes the report on the review of the information security management system, the risk assessment report, the risk treatment plan, the results of the impact analysis, and the results of audits and inspections. Management also participates directly in preparing the impact analysis. In practice, this means that management should not receive only general information along the lines of "we're handling security." It needs materials from which it can see where the main risks lie, what the organization plans to do, what it has already done, and where an open problem remains.

Whereas in the lower regime management sets recovery priorities for primary assets, the higher regime adds the obligation to test these plans regularly. Management ensures the testing of business continuity plans, recovery plans, and incident-handling processes. The aim is to verify in advance whether the established processes actually work. During a real outage, it is already too late to discover that the recovery plan exists only on paper, that nobody knows who is supposed to do what, and that a key supplier is unavailable.

How the Act addresses failure to meet obligations

The purpose of the act is not to punish organizations. It is to guide them toward having cyber risks under control and being prepared to handle incidents. Even so, it is worth knowing what can happen when an organization fails to meet its obligations.

For serious breaches, the authority can impose a fine. Under the lower regime, up to 175 million CZK or 1.4% of net worldwide annual turnover; under the higher regime, up to 250 million CZK or 2% of turnover. The higher amount always applies. The specific amount depends on the severity of the breach and its impacts. The authority also takes into account whether the organization actively manages risks and whether management is involved in that management.

One tool is aimed directly at members of the statutory body: a temporary ban on holding office under Section 58 of the Act. It applies only to the higher regime and comes into consideration only when an organization repeatedly or seriously breaches its obligations in a way that frustrates compliance with a decision of the authority. The ban lasts until the deficiencies are remedied, but for no less than six months. This penalty does not exist under the lower regime.

Key takeaways

Cybersecurity belongs to an organization's management just as much as finance, operations, or legal matters. Top management sets priorities, ensures resources, oversees the state of security, and steps into decision-making during incidents. Through its approach, it also shapes the security culture of the entire organization. Employees are very good at sensing whether management treats security as a genuine part of management or merely as another obligation on paper.

If you would like to go through management's obligations in more detail and place them in the context of your organization, we have prepared training for top management – for the lower obligations regime and the higher obligations regime. Both draw on experience from real projects and incidents. In them, we cover what is expected of management, what questions it should ask, and how to put its role into practice.

Training for management

Prepare your management for the new Cybersecurity Act. You can complete training for top management in both the lower and higher obligation regimes online at the Cybrela Academy – without the hassle of coordinating instructors and finding an open slot in the calendar.
