As of 1 November 2025, Act No. 264/2025 Coll., on Cybersecurity (the “Cybersecurity Act” or “NZKB”) enters into force in the Czech Republic. The Act transposes Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) into Czech law and represents a significant milestone in the development of the Czech cybersecurity regulatory framework.
Introduction
Its adoption aligns national legislation fully with the NIS2 Directive and introduces an entirely new regulatory regime based on the provision of “regulated services.”
A comprehensive set of implementing decrees enters into force on the same day. These decrees further elaborate the core mechanisms of the Cybersecurity Act and set out, in detail, the structure of obligations applicable to regulated entities. In particular, the following decrees are of key importance:
- Decree No. 334/2025 Coll., on the NÚKIB Portal and Requirements for Certain Actions (the “NÚKIB Portal Decree”);
- Decree No. 408/2025 Coll., on Regulated Services (the “Regulated Services Decree”);
- Decree No. 409/2025 Coll., on Security Measures under the Higher Obligations Regime;
- Decree No. 410/2025 Coll., on Security Measures under the Lower Obligations Regime.
In the related area of public administration, Decree No. 411/2025 Coll., on Security Levels of Public Administration Information Systems, and Decree No. 412/2025 Coll., on Security Rules for Public Administration Bodies Using Cloud Computing Services, also take effect.
If you are looking for a general introduction to the new cybersecurity regulations, we would like to refer you to our previous article: Cybersecurity as a managerial responsibility: Thousands of companies await a new regime.
This article examines one of the key obligations under the Cybersecurity Act that applies as of the date the Act enters into force: the obligation to notify the provision of a regulated service pursuant to Section 6 of the Cybersecurity Act. Under this provision, regulated entities must notify NÚKIB of the regulated service within 60 days of meeting the conditions for registration.
Potential regulated entities therefore have a very limited period to determine whether they fall within the scope of the Act and, where applicable, to comply with their notification duty to the National Cyber and Information Security Agency (the “NÚKIB”).
In the first weeks after the NZKB comes into effect, correct and feasible registration depends above all on entities properly self-identifying, i.e., determining whether they are providers of regulated services and which level of obligations applies to them (lower or higher regime according to the NZKB and relevant decrees[1]).
Self-identification process under the NZKB
In order for a potential provider of a regulated service to determine whether it falls under NZKB and related subordinate legislation, it must assess several criteria. The key factor is whether it provides a service in one of the 15 regulated sectors, which are public administration, energy, manufacturing, food industry, chemical industry, water management, waste management, transport, digital infrastructure and digital services, financial sector, healthcare, science, research and education, postal and courier services, defence industry, and space industry.
It is then necessary to consult the Regulated Services Decree, which sets out the specific regulated services for each sector and defines their content. The decree also lists CZ-NACE codes as a guideline to help determine more precisely whether the provider’s activity actually corresponds to one of the regulated services in the sector.
Only by combining classification in the correct sector and verification of the specific regulated service according to the decree can it be reliably concluded whether the entity is subject to the obligation to notify the regulated service under the NZKB to NÚKIB, i.e., in terms of classification in the regulated sector.
Furthermore, the size of the enterprise is assessed in accordance with European Commission Recommendation 2003/361/EC[2], whereby the NZKB (as a rule) applies to medium-sized and large enterprises. The size of the enterprise is determined by two types of indicators, namely i) the number of employees (in annual work units – AWU) and ii) financial indicators (annual turnover or balance sheet total).
- Under this regime, a medium-sized enterprise has fewer than 250 employees and a turnover ≤ EUR 50 million or a balance sheet total ≤ EUR 43 million (and is not a micro or small enterprise).
- A large enterprise is one that employs at least 250 people, or an enterprise with fewer than 250 employees but which exceeds the financial limits, i.e., annual turnover of EUR 50 million or balance sheet total of EUR 43 million.
When determining size, partner or linked enterprises are also taken into account. Partner enterprises (with an equity interest of 25-50% where there is no actual control) are included on a pro rata basis according to the size of the shareholding, while linked enterprises (50% or more or decisive influence) are included in full as if they were a single enterprise. The only exceptions are companies whose technical assets are completely separate from the assets used to provide regulated services.
The size criteria are assessed on the basis of two consecutive approved annual financial statements. Regulation thus begins to apply when an undertaking meets the parameters of a medium-sized or large undertaking in two consecutive periods. The significance of the service itself, i.e., its critical impact on society or the state, is further specified in the Regulated Services Decree, which determines whether a particular activity actually falls under regulation.
At the same time, however, it should be noted that even if you do not fall within the above-mentioned 15 regulated sectors or do not meet the size criteria, the NZKB also allows for other ways in which an entity can be designated as a regulated entity.
The first of these is determination by official authority pursuant to Section 5 of the NZKB, whereby NÚKIB may designate a provider of a regulated service on its own initiative if the specific conditions of significance set out in Section 5 are met (e.g., systemic risk, unique provider, impact on more than 125,000 persons, or provision of a service linked to critical infrastructure).
Regulated entities under the NZKB will therefore also include entities that are part of critical infrastructure under Act No. 266/2025 Coll., on the resilience of critical infrastructure entities (hereinafter the “Critical Infrastructure Act”), if the organization is included in the list of critical infrastructure entities maintained by the Ministry of the Interior, thereby meeting the conditions for registration of a regulated service under Section 5(d) of the NZKB, and NÚKIB will register it ex officio as a provider of a regulated service, regardless of its size or other parameters.
The third group consists of providers of strategically important services pursuant to Section 25 of the NZKB. The specific scope of these services will be determined by government decree, which is in the legislative process at the time of writing. The proposals indicate that this will mainly concern selected activities in public administration, energy, transport, and digital infrastructure, but the final definition will only be clear after the government decree is published in the Collection of Laws of the Czech Republic.
It follows from the above that even if a company does not appear at first glance to fall within the regulated sectors or size criteria, there are situations where it may be included in the NZKB regime because of its importance, impact, or strategic role for the functioning of the state and society.
Notification and registration with NÚKIB
If a potential provider of a regulated service concludes that it meets the conditions for registration pursuant to Section 4 of the NZKB, it is obliged to notify this service to NÚKIB. Notification is a key first step in the entire registration process and must be carried out within the time limit set by law.
As previously mentioned, providers of regulated services are required to notify regulated services to NÚKIB no later than 60 days from the date on which they meet these conditions. For entities that meet the conditions as of November 1, 2025, the 60-day period runs from that date, so the notification should be made no later than December 31, 2025. For entities that meet the conditions later (e.g., due to the growth of the company), the 60-day period runs from the moment the conditions are met. Proceedings for the registration of a regulated service under Section 5 of the NZKB may only be initiated ex officio by NÚKIB.
Submission via the NÚKIB Portal
The NÚKIB Portal Decree stipulates that the notification of a regulated service shall be made electronically via the NÚKIB Portal, which determines the format and method of submission. The NÚKIB Portal is therefore now the official interface that enables and determines the method of notification and registration, the requirements for the electronic identity of the notifying person, the formal and technical requirements for notification and registration, and the mandatory information that a potential provider of a regulated service is required to fill in.
Providers of regulated services should be able to submit at least the following via the portal: i) identification of the entity, ii) identification of the regulated service, iii) determination of the sector and characteristics of the service, and iv) contact details of the responsible persons.
The portal also provides electronic case management, delivery of official documents, and functionality for verifying the completeness of notifications and registrations. This makes the entire process digital and centralized.
Conclusion
Although most of the obligations will only become fully effective after a one-year transition period, at least self-identification and subsequent notification to NÚKIB are requirements that organizations must not postpone. It is the quick and correct implementation of self-identification that will be decisive for a smooth transition to the new cybersecurity regime.
It is certainly important to note that self-identification is not merely a formal administrative obligation, but a process that requires qualified legal assessment. Organizations must correctly assess whether their activities meet the characteristics of a regulated service under the Regulated Services Decree and whether they meet the size or significance criteria set by NZKB. These considerations can often be quite legally complex (for example, consider linked and partner entities and their impact on self-identification), and incorrect self-identification can have significant implications for regulated entities.
We therefore recommend that providers approach self-identification systematically and with sufficient professional care, and in case of uncertainty, seek the support of a reliable legal partner who is familiar with the legal regulation of cybersecurity and critical infrastructure. A high-quality legal assessment at the beginning of the process minimizes the risk of errors, incorrect conclusions, or additional complications and ensures that organizations enter the new regulation in an informed manner and in accordance with the law.
If you have any questions about self-identification and new obligations in the area of cybersecurity regulation or other areas of EU regulation and compliance, we at PEYTON legal are at your disposal.
[1] Decree No. 409/2025 Coll., on Security Measures under the Higher Obligations Regime; Decree No. 410/2025 Coll., on Security Measures under the Lower Obligations Regime
[2] Commission Recommendation 2003/361/EC of May 6, 2003, concerning the definition of micro, small and medium-sized enterprises
Mgr. Jakub Málek, managing partner – malek@plegal.cz
Mgr. Martin Heinzel, partner – heinzel@plegal.cz
JUDr. Tereza Pechová, junior lawyer – pechova@plegal.cz
20. 11. 2025