- Hana Skoupá
The draft of the new Cybersecurity Act has passed the Senate without a single amendment. All that remains now is the President’s signature – and then the rules will start to change. One of the major new obligations is so-called self-identification. This means companies must assess for themselves whether the law applies to them – and if it does, they must report this to the state. But what does this mean in practice, and where should you start?
What is self-identification?
Self-identification is the process by which an organization must assess whether it falls under the scope of the new Cybersecurity Act by providing a regulated service. If it does, it must report this within 60 days of the Act's effective date via the NÚKIB Portal. This obligation potentially affects all companies and other organizations across various sectors.
Why does it matter?
Because if you qualify as a regulated entity and fail to report to NÚKIB, you could face a fine – up to CZK 250 million or 2% of annual turnover (whichever is higher).
While these penalties are mostly a deterrent, we recommend not taking self-identification lightly. It’s worth checking whether the new law applies to you.
What should you prepare for self-identification?
Company size: When determining your size, don’t forget to include all companies in your ownership structure, including those abroad (e.g. parent or subsidiary companies). You can calculate size based on employee headcount or financial indicators.
All business activities: Don’t rely solely on your main business activity. Check what's listed in the Commercial Register. If you're not actively pursuing some activities, consider removing them. Whether the law applies may depend even on secondary business or specific services (e.g. if you hold an ERU license for photovoltaic electricity production).
Whether or not the law applies to you depends on your size, the type, and the scope of services you provide. For a quick check, you can use available tools, including our URCI.SE guide.
What to watch out for?
Don’t leave self-identification to the last minute.
Don’t assume self-identification is the end of the process – it’s the beginning.
Don’t think that “if we haven’t heard about it, it probably doesn’t apply.” Unfortunately, it does.
Self-identification FAQ
What is self-identification?
Self-identification is a process in which an organization assesses on its own whether it provides a regulated service and therefore falls under the scope of the new Cybersecurity Act. It is a key first step in determining your cybersecurity obligations. The new Cybersecurity Act is expected to come into effect in autumn 2025.
Who is required to self-identify?
All organizations must conduct self-identification to determine whether they provide at least one regulated service. If they do, they must report it to the National Cyber and Information Security Agency (NÚKIB).
Some organizations are exempt from the self-identification process because NÚKIB registers them directly as obligated entities. These are typically companies providing very specific services (such as critical infrastructure entities).
If you operate within a corporate group, each company within the group must carry out self-identification and report its regulated services individually. In the Czech Republic, group membership does not automatically mean the same obligations apply to all group companies.
When do I have to report a regulated service?
You must report regulated services no later than 60 days after the new Cybersecurity Act takes effect. We recommend starting the self-identification process as early as possible. In larger organizations, it may take time to identify all services that could be considered regulated.
What are the steps of self-identification?
The self-identification process involves three main steps:
- Activity analysis – identifying the services you provide
- Threshold evaluation – looking at employee count, revenue, or number of service users
- Reporting regulated services – through the NÚKIB portal
The result of reporting is a decision on the registration of the regulated service, which NÚKIB will deliver to you.
How do I know if I'm subject to the new Cybersecurity Act?
To correctly assess whether the new Act applies to you, you need to know the size of your organization (either by turnover or employee count) and the sectors in which you provide services. Be aware – it’s not just your main business activity that matters, but also any secondary activities. Then, check whether your services fall under the scope of regulated services as defined by the relevant decree.
You can also use available tools and calculators, such as the guide at urci.se.
What are the penalties for not completing self-identification?
Penalties for failing to meet your obligations (including failure to self-identify) can reach up to CZK 250 million or 2% of annual turnover, whichever is higher.
Do I need external help with self-identification?
In most cases, you can manage self-identification on your own. We recommend consulting experts if you are unsure how to interpret the law, have a complex organizational structure, operate across multiple sectors, or want to minimize the risk of incorrect assessment.
Where can I find official forms for reporting a regulated service?
Official information about the self-identification process can be found in the legislation and on the NÚKIB Portal. This portal will also be used to report regulated services. NÚKIB regularly updates information and details related to reporting.