Higher and lower regime under the new Cybersecurity Act

The new Cybersecurity Act introduces two levels of obligations: the higher and the lower regime. The regime determines how strict your cybersecurity rules need to be, and the difference is not merely formal. In the higher regime you are expected to do more, both in protection and in responsibility. That is why it is crucial to determine your classification correctly. Classification depends not only on your industry or organization size, but also on the services you provide.

Why are the regimes introduced?

Not all organizations and the services they operate have the same impact on society – or the state. A service outage may pose varying risks and consequences depending on the size and importance of the organization. Therefore, the law distinguishes between two regimes:

  • Higher regime applies to entities whose activities are considered more critical – e.g., due to their role in public services or dependence by other organizations.
  • Lower regime applies to organizations that are still regulated, but the impact of a potential outage is lower.

Who decides which regime applies to you? Largely you do, through a process called self-identification followed by registration of your regulated services. Registration must be completed within 60 days of the law taking effect.

How to determine your regime?

Ask yourself: "Do I provide a regulated service?" If yes, the next step is to determine whether it falls under the higher or the lower regime. You cannot choose the regime yourself; it follows from the criteria set out in the law and the relevant decree.

The new law will apply to you if you operate in one of the regulated sectors and provide a regulated service (discussed in more detail in the previous article). The applicable regime depends on the sector in which you operate, the type of service you provide, and the size of your organization. It also matters whether, for example, you are part of a critical supply chain.

It is also important to know that you cannot fall under both regimes, but you can provide multiple regulated services. If you provide more than one regulated service and at least one of them falls under the higher regime, then the higher regime automatically applies to all other services, even if they would otherwise fall under the lower regime.


Key differences between the regimes

Roles & responsibilities
  Lower regime: appoint a person responsible for cybersecurity
  Higher regime: clearly defined roles (cybersecurity manager, architect and auditor, plus asset owners)

Risk management
  Lower regime: evaluate the main risks
  Higher regime: regular risk analysis and documentation

Security measures
  Lower regime: basic security measures
  Higher regime: full set of organizational and technical measures

Incidents
  Lower regime: obligation to report significant incidents
  Higher regime: report all incidents and maintain an incident response plan

Training
  Lower regime: basic training
  Higher regime: regular training for all relevant personnel

Documentation
  Lower regime: maintain adequate documentation
  Higher regime: maintain and update detailed documentation

Monitoring & audits
  Lower regime: monitoring recommended
  Higher regime: mandatory monitoring and vulnerability management

Supply chain
  Lower regime: measures recommended
  Higher regime: obligations also extend to suppliers

What does this mean?

Being under the lower regime does not mean you are exempt from action. You must still implement measures, maintain documentation, and assign responsibilities. The main goal of the lower regime is to help small and medium-sized companies meet minimum cybersecurity standards, protecting what matters most without being overwhelmed by excessive bureaucracy.

The higher regime is more demanding. It requires detailed asset and risk management, systematic monitoring, regular audits, and stronger technical measures. In practice this means more complex processes, more responsibilities, and a larger budget. The advantage is that most companies in this regime are already addressing security in some way; the new law mainly provides a clear framework for what already makes sense to do.

The underlying aim of both regimes is the same: protect key systems and data, understand your risks, and have a plan in case something goes wrong. What differs is mainly the depth, formality, and scope of the requirements.

How to proceed?

Self-identification: Determine whether the new law applies to you and which regime you are likely to fall under.

Registration: Report your regulated services via the NÚKIB Portal within 60 days of the law taking effect.

Current state analysis: Map out what you already have in place, identify any gaps, and determine what needs to be adjusted or added to meet the new requirements.

Implementation of measures: Introduce the necessary security measures and processes.

Do not underestimate documentation. It will serve as proof that you are complying with the rules.

FAQ on the higher and lower regimes

What are the higher and lower regimes under the Cybersecurity Act?

Higher regime refers to a category where entities are considered particularly important. These organizations must meet stricter security requirements under the new Cybersecurity Act, as their operations have a significant impact on the security and functioning of society.

Lower regime defines basic security obligations for providers of regulated services who are not classified under the higher regime. It focuses on a minimum level of protection against cyber threats and compliance with fundamental security measures.

How is the applicable regime determined?

The classification is based on the relevant decree. Key criteria include the size of the organization, the importance of the service provided, and other factors specified in the decree.

What is the main difference between the regimes?

The higher regime imposes significantly stricter obligations, emphasizing detailed security measures and comprehensive risk management processes. The lower regime focuses on basic protective measures that are considered the minimum standard of cybersecurity today.

Can my regime change over time?

Yes, if circumstances change. For example, if your organization grows and begins to meet the criteria for the higher regime, it will be reclassified and must implement the stricter security measures under the Cybersecurity Act.

What measures does the higher regime require?

The higher regime requires organizations to implement comprehensive organizational and technical measures. A detailed overview of these measures and their descriptions can be found in the decree on security measures for the higher obligations regime. They include, for example:

Organisational measures
  • Risk management
  • Supplier management
  • Human resource security
  • Change management
  • Acquisition, development, and maintenance
  • Access control system
  • Handling of cybersecurity events and incidents
  • Business continuity management
  • Performing cybersecurity audits
Technical measures
  • Event logging
  • Evaluation of cybersecurity events
  • Application security
  • Cryptographic algorithms
  • Ensuring the availability of regulated services
  • Protection of industrial, control, and specific technical assets

How does the higher regime differ in practice?

One of the main differences is that under the higher regime, organizations are required to appoint more cybersecurity roles, implement more detailed measures, and report all relevant incidents, not only those with significant impact.

What measures does the lower regime require?

The lower regime requires organizations to comply with the security measures defined in the decree on security measures for the lower regime. These cover, for example, the following areas:

  • Minimum cybersecurity assurance system
  • Requirements for top management
  • Asset management
  • Human resource security
  • Business continuity management
  • Access control
  • Identity and privilege management
  • Detection and logging of cybersecurity events
  • Handling of cybersecurity incidents
  • Network communication security
  • Application security and cryptographic algorithms

Which incidents must be reported?

In the higher regime, all incidents originating in cyberspace where an intentional cause cannot be ruled out must be reported. Incidents caused by normal operations do not have to be reported. This definition excludes from the reporting obligation those incidents that, by their nature, do not fall under the authority of NÚKIB.

The lower regime is more lenient in this regard: "only" those incidents that originate in cyberspace, have a significant impact (according to the criteria set by the decree for the lower regime), and where intentional misconduct cannot be ruled out are reported through the NÚKIB portal.

Which cybersecurity roles must be appointed?

The higher regime requires the assignment of roles such as cybersecurity manager, cybersecurity architect, and cybersecurity auditor. In addition, asset guarantors must be designated. In the lower regime, it is sufficient to appoint a person responsible for cybersecurity.
