
Cybersecurity as a managerial responsibility: Thousands of companies are facing a new regime

On Thursday, 26 June 2025, the President signed the long-awaited new act on cyber security (the “NZKB”). The formal publication of the NZKB in the Collection of Laws is expected to take place during August, with the act expected to come into force in early November 2025.

The NZKB transposes into Czech law the requirements of the European Directive NIS2 (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity across the Union), the purpose of which is to extend the existing range of regulated sectors and services.

With the entry into force of the NZKB, cybersecurity obligations will newly apply to thousands of entities that have so far stood outside the regulatory perimeter. Like any new legislation, the NZKB will impose new requirements, creating increased liability for managers of affected companies.

Introduction
The new cybersecurity regulation builds on DORA (Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector), which became directly applicable on 17 January 2025. However, the aforementioned regulation covers cybersecurity and operational resilience specifically for the financial sector. Member States had until 17 October 2024 to transpose the NIS2 Directive, so the NZKB comes roughly a year late.

The draft of the act and related decrees were drafted by the National Cyber and Information Security Bureau (the “NCISB”).[1] In addition to the NIS2 directive itself, the NCISB based its preparation on the original Act on Cyber Security (Act No. 181/2014 Coll., on Cyber Security and on Amendments to Related Acts, as amended) and on practical experience gained from handling real incidents over its years of practice. At the same time, the NCISB acts as the general supervisory authority for cybersecurity and will continue to do so under the NZKB regime.[2]

Cybersecurity and NIS2
The NIS2 Directive represents a new EU minimum standard (the so-called “minimum-rule”) for cyber security in EU Member States, i.e. it is a minimum harmonisation where Member States can set stricter rules, but not more lenient than those in the harmonised standard. NIS2 replaces the original sectorally narrower 2016 NIS Directive (Network and Information Security Directive) and significantly expands the personal scope of regulation: the rules will now apply to eighteen sectors.

In addition to the original NIS sectors (energy, healthcare, transport, water, digital infrastructure, managed ICT service providers, financial market infrastructure and banking), sectors such as public administration, food industry, space, postal services, chemical industry and managed IT services are added. Among digital services, NIS2 will impact, for example, software service providers, cloud storage and data centre operators, online platforms including e-marketplaces, as well as companies offering managed IT or security services.

To ensure that the requirements are proportionate, the directive introduces two categories of regulated entities:

  • “essential entities” are organisations that play a key role in the functioning of society and the economy, and
  • “important entities” include medium-sized enterprises whose failure could also have a significant impact.

All regulated entities (both essential and important) must have a formally approved and regularly updated cybersecurity policy that covers risk management, supply chain security, multi-factor authentication and access control, systematic data backup/recovery and incident response processes, and more. At the same time, NIS2 significantly strengthens oversight mechanisms. Supervisory authorities can impose heavy fines under NIS2.

Another key innovation for senior management of organisations is that members of statutory bodies can be temporarily suspended from their duties in extreme cases.

Czech legislation is quite detailed and strict in this respect. The NZKB introduces the instrument of temporary disqualification of a member of a statutory body from exercising the function of a member of a statutory body in regulated service providers under the regime of higher obligations (so-called essential entities). The NCISB may impose this prohibition if a member of the body repeatedly or seriously breaches its obligations in the implementation of the NCISB’s countermeasures, thereby preventing the proper correction of the identified deficiencies. The sanction lasts for at least six months and ends only after the misconduct has been demonstrably corrected. This measure applies exclusively to private positions, not to public mandates filled by election or appointment. Where the statutory member is a legal person, the prohibition shall also apply to the natural person who represents the legal person in the exercise of that function. Decisions on the prohibition and on its lifting are immediately entered in the Commercial Register and published on the NCISB website, thus giving them a public and reputational impact. An appeal against the decision has no suspensive effect, so that the sanction takes effect immediately.

Cybersecurity will therefore no longer be the concern of the IT department alone. Members of governing bodies are required to undergo training to gain the necessary knowledge to understand and effectively manage risks. The combination of financial and personal penalties should greatly incentivise the management of regulated entities to view cyber security as a strategic management issue, not just a technical matter.

Significant expansion of regulated sectors
The NZKB therefore formulates a minimum mandatory level of cybersecurity in organisations operating in economically, socially or security-relevant sectors that meet specified criteria. As the NIS2 Directive expands the list of regulated sectors and services, the new law will impact a significantly wider range of entities, estimated to be in the order of several thousand newly regulated entities within the Czech Republic (approximately 5,000 – 6,000 entities).

Some sectors are defined slightly differently in the NZKB than in the NIS2, or additional areas have been added to make the regulation more relevant to local needs and existing legislation.

What do regulated entities have to fulfil according to the NZKB?
Once an organisation falls within the scope of the law and is considered a regulated entity, it faces several basic obligations under the higher (essential entity) or lower (important entity) supervision regime.

This is briefly the following process:

  • Notification of the service – formal registration of the service provided by the organisation – any company classified as an essential or important entity must perform a mandatory self-assessment and complete an electronic questionnaire to the NCISB within three months of the NZKB coming into force (in future within 60 days of fulfilling the characteristics of a regulated entity), by which the organisation will register itself in the register of regulated entities. The assessment is based on the number of employees, the amount of annual turnover and sectoral classification. If a company misrepresents its data, the NCISB may initiate an inspection ex officio and impose a fine of up to CZK 250 mil.;
  • Modification of internal regulations – upon completion of self-assessment (if it is a regulated entity, of course), the organisation must update internal regulations: formally approve a security policy, implement a risk management process and ICT asset register, ensure annual compliance audits by an accredited auditor, and supplement supplier contracts with NIS2 requirements for supply chain security – specific selection criteria and security requirements must be newly enshrined in supplier contracts;
  • Reporting of contact persons – passing on details of staff responsible for cyber security;
  • Gradual implementation of security measures – technical and organisational measures according to the decrees for the respective regime, for example access control and the necessary strong authentication, cryptography and encryption, cyber hygiene and regular training, and the like;
  • Incident reporting – the obligation to report cyber security incidents within the prescribed deadlines, here in practice often a double obligation to report incidents arises in the case of incidents also subject to the GDPR, so it is necessary to align internal regulations in this respect as well;
  • Implementation of countermeasures of the NCISB – implementation of binding instructions of the NCISB in the role of a supervisory authority in the event of serious threats, countermeasures are in the form of alerts, warnings and then retroactive measures that organizations must comply with. In case of non-compliance, the NCISB may suspend the certification of the regulated entity or, as already mentioned, impose a temporary ban on the management of the organisation from acting as a statutory body;
  • Penalties – the NZKB sets penalties for failure to comply with the above obligations of up to CZK 250,000,000 or 2 % of net worldwide turnover for essential entities and CZK 175,000,000 or 1.4 % of net worldwide turnover for important entities, with the penalty always calculated on the higher amount.

Conclusion
The new Czech cybersecurity legislation in the form of the NZKB is just coming into force, but preparations are certainly in place. Self-assessment and registration set the first key deadline, and failure to meet it can expose your organisation to hefty fines before any cyber incident occurs. At the same time, the new legislation fundamentally shifts the focus of accountability directly to the highest levels of management. By placing clear obligations and penalty mechanisms squarely on management, it creates a strong incentive to actively manage cybersecurity, not just as a formality, but as a strategic priority.

The regulatory framework does not aim to punish organisations, but to prepare them for real cyber threats in an era of rocketing technological development. Consistent implementation of the required measures does not only bring about formal compliance with legal obligations, but above all, it significantly increases resilience to attacks and strengthens the trust of customers and business partners.

If you have any questions on the topic of legal regulation of cybersecurity or other areas of EU regulation and compliance, we at PEYTON legal are at your disposal.


[1] More information can be found on the dedicated NCISB website: https://portal.nukib.gov.cz/pruvodce-novym-zakonem-o-kyberneticke-bezpecnosti.

[2] The Czech National Bank will supervise the financial sector within the scope of the DORA Regulation.


Mgr. Martin Heinzel, partner – heinzel@plegal.cz

JUDr. Tereza Pechová, junior lawyer – pechova@plegal.cz


www.peytonlegal.en


17. 7. 2025
