
New Critical Infrastructure Act

On 19 August 2025, Act No. 266/2025 Coll., on the Resilience of Critical Infrastructure Entities and on Amendments to Related Acts (the Critical Infrastructure Act) entered into force. The Act transposes Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (hereinafter the “CER Directive”).

What does the new Critical Infrastructure Act bring, and how does it relate to the new Cybersecurity Act? We will take a closer look at this below.

The CER Directive
The CER Directive replaces Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (hereinafter the “ECI Directive”).

The subject matter of the ECI Directive had previously been regulated in Act No. 240/2000 Coll., on Crisis Management and Amendments to Certain Acts (hereinafter the “Crisis Management Act”).

Given the scope of the changes introduced by the CER Directive, the legislator decided to remove the issue of critical infrastructure from the Crisis Management Act and establish a new stand-alone piece of legislation.

Fundamental Principles
The legal regulation of critical infrastructure is generally built around critical infrastructure sectors whose activities are considered essential for the functioning of the state. The new Critical Infrastructure Act expands the existing sectors and subsectors, while excluding some from its scope.

In addition, the Act abandons the previous system of critical infrastructure focused on physical facilities and installations. Instead, critical infrastructure is newly defined through the prism of essential services, essential service providers, and critical infrastructure entities, which will be discussed below.

The previous regulation of critical infrastructure had a fundamental shortcoming – it did not provide for any sanctions in the event of non-compliance by a critical infrastructure entity. The new Critical Infrastructure Act remedies this deficiency by distinguishing between offences committed by essential service providers and those committed by critical infrastructure entities.

Essential Service Provider
The defining concept is that of a so-called essential service, understood as a service necessary to ensure the basic functions of the state, the economy, security, or the health of the population.

These services are provided in specifically defined sectors and subsectors, including:

  • energy (electricity, district heating and cooling, oil, natural gas, hydrogen);
  • transportation (air, rail, water, road, public);
  • banking;
  • financial market infrastructure;
  • healthcare;
  • potable water;
  • wastewater;
  • digital infrastructure (trust services and electronic identification, public communication networks and publicly available electronic communications services, other digital services and infrastructure);
  • public administration;
  • space;
  • food production, processing, and distribution (food production, storage and distribution);
  • security (fire protection and civil protection, public order, state material reserves, hydrometeorological warning services).

An entity providing such a service and meeting at least one significance criterion laid down in a separate government regulation[1] becomes an essential service provider.

The essential service provider is obliged, no later than three (3) months after commencing the provision of the essential service[2], to provide information concerning the essential service provided and the fulfilment of the significance criterion, its critical infrastructure located in the Czech Republic or in another EU Member State, and the essential services it provides in the territory of another EU Member State. This information must be submitted to the relevant ministry, another central administrative authority, or the Czech National Bank (hereinafter the “CNB”), as well as to the Ministry of Internal Affairs of the Czech Republic (hereinafter the “MIA”).[3]

Critical Infrastructure Entity
The relevant ministry, another central administrative authority or the CNB assesses the information provided and submits a proposal to the MIA for a decision on including the essential service provider in the list of critical infrastructure entities.

The MIA shall decide on the proposal without undue delay. An appeal (administrative review) may be lodged against the decision but will not have suspensive effect. The list of critical infrastructure entities will not be public.

As of the date of delivery of the decision on inclusion in the list, the entity becomes a critical infrastructure entity and is obliged to comply with the relevant duties.

Duties of a Critical Infrastructure Entity

The key obligations of a critical infrastructure entity under the new Act are:

  • reporting changes in the provision of essential services – in particular, if the scope changes, a new service is added, or a service is discontinued;
  • carrying out a risk assessment of the critical infrastructure entity – within 9 months from the date of inclusion in the list of critical infrastructure entities; *
  • providing documentation for the preparation of the national risk assessment for the Czech Republic;
  • preparing a resilience plan setting out technical, security, and organisational measures to ensure resilience, and adopting measures to maintain resilience – within 10 months from inclusion in the list of critical infrastructure entities, with updates required at least every 4 years; *
  • appointing a critical infrastructure manager and creating conditions for fulfilling their duties – within 10 months of inclusion and notifying the MIA without undue delay;
  • participating in resilience testing exercises;
  • identifying critical suppliers and providing their identification data to the MIA and the relevant ministry, central authority, or the CNB;
  • reporting incidents through the critical infrastructure portal, which is also used for all communication with public authorities;
  • verifying the reliability of key personnel responsible for providing or coordinating the provision of essential services – by means of a criminal record extract and proof of eligibility for sensitive activities under the Act on the Protection of Classified Information.

At first glance it may seem that the Act will impose a considerable administrative burden. However, the legislator anticipates that many entities have already introduced similar measures under other regimes – for example, under the Cybersecurity Act, the Crisis Management Act, or sector-specific regulations.

The Critical Infrastructure Act explicitly states in Section 26 that if existing documentation prepared by the critical infrastructure entity meets the requirements of a risk assessment or resilience plan under the Critical Infrastructure Act, the obligation shall be deemed fulfilled.

Similarly, if EU regulations or national legislation transposing EU directives impose obligations on critical infrastructure entities with a comparable effect, the duties under the Critical Infrastructure Act will not apply – in other words, entities will not have to fulfil comparable obligations twice.

European Critical Infrastructure Entities
A special category is the European critical infrastructure entity, which refers to a critical infrastructure entity that provides the same or a similar essential service in at least six EU Member States and has been notified by the European Commission (hereinafter the “EC”) that it has been designated as a critical entity of particular European significance.

In addition to the duties of a standard critical infrastructure entity, a European critical infrastructure entity must:

  • provide the EC, upon request, with its risk assessment and a list of measures adopted to ensure its resilience;
  • allow an advisory mission of the EC access to relevant information and infrastructure and provide the necessary cooperation;
  • adopt remedial measures to address identified shortcomings.

Sanctions and Supervision
Supervision in the field of critical infrastructure is carried out by the competent ministry or other administrative authority. In the event of a breach of obligations by a critical infrastructure entity, fines may be imposed up to:

  • CZK 25 million or 0.3 % of annual turnover, or
  • CZK 50 million or 1.5 % of annual turnover.

Failure of an essential service provider to meet its information duty may be subject to a fine of up to CZK 50 thousand.

The Act also provides for the possibility of remedial measures, which the competent authorities may impose if deficiencies are identified.

Relation to Cybersecurity
The Critical Infrastructure Act also provides that all critical infrastructure entities will be subject to the rules of the new Cybersecurity Act, which we have analysed in our previous article.

For instance, it provides that information on inspections of critical infrastructure entities will also be shared with the National Cyber and Information Security Bureau (hereinafter the “NCISB”). The NCISB may, at the request of the MIA, carry out inspections itself.

Conclusion
The Critical Infrastructure Act entered into force on 19 August 2025. Essential service providers may comply with the prescribed information duty until 1 March 2026. Affected entities should therefore have sufficient time to internally assess whether they meet the relevant criteria (note: subject to the timely adoption of the government regulation laying down such criteria) and prepare for the obligations arising from inclusion in the list of critical infrastructure entities.

The new Act provides a comprehensive and practical framework for strengthening the security of the state and its core functions. In view of modern threats, including hybrid attacks and disruptions to supply chains, this is a measure that can significantly contribute to the resilience of both Czech and European society.

If you have any questions regarding the obligations of critical infrastructure entities, the criteria for providing essential services, or critical infrastructure in general, please do not hesitate to contact us.


[1] As of 19 August 2025, the draft of the relevant government regulation is at the stage following the completion of the inter-ministerial comment procedure.

* The particulars and the method of preparing the resilience plan and the risk assessment of a critical infrastructure entity shall be laid down by an implementing legal regulation – a decree of the MIA.

[2] An essential service provider that commences the provision of an essential service no later than 30 November 2025 shall submit the information referred to in Section 9(1) to the ministry, another central authority, or the CNB by 1 March 2026.

[3] The relevant ministry or central administrative authority shall be determined in accordance with the annex to the Critical Infrastructure Act.

 

Mgr. Jakub Málek, managing partner – malek@plegal.cz

Mgr. Ondřej Růžička, attorney at law – ruzicka@plegal.cz

Mgr. Nikola Tomíčková, junior lawyer – tomickova@plegal.cz

 

www.peytonlegal.en

 

21. 8. 2025

 
