The new Cybersecurity Act – are you ready?

From 1 November 2025, the new Cybersecurity Act (No. 264/2025 Coll.) will come into force, based on the European NIS2 Directive. It fundamentally expands the scope of obligated entities and sets new requirements for cyber risk management, incident reporting and security measures.

Who does the law affect?

While the regulation previously applied to about 600 organisations, the new law could affect up to 6000 companies in the Czech Republic. The obligation applies to medium and large enterprises from more than 18 sectors – from energy, transport and healthcare to digital services and public administration.

Many companies do not yet realise that they will fall under this regulation. The first step is to determine whether you are one of them – and understand the impacts.

What does this mean? Specific obligations:

1. Reporting of regulated services

  • Within 60 days from the act’s effective date or the fulfilment of the conditions.
  • This is done via the NÚKIB Portal.

2. Reporting of contact persons

  • Within 30 days of service registration.
  • The names, functions and contact details of the responsible persons are provided.

3. Defining the scope of security management

  • Identify which assets relate to the regulated service.
  • If undefined, the regulation applies to the entire organisation.

4. Implementation of the Cybersecurity Management System (ISMS)

  • Depending on the regime: higher or lower obligations.
  • This includes:
    • Access management
    • Backups
    • Employee training
    • Monitoring
    • Cryptography, multi-factor authentication, logging, SIEM
    • Clear distribution of security roles
    • Regular risk analyses
    • Regular audits and documentation reviews
    • Business continuity and disaster recovery planning (BCP/DRP)

5. Incident reporting

  • Higher regime: report to NÚKIB within 24 hours.
  • Lower regime: report to the National CERT.
  • Obligation to inform customers.

6. Response to NÚKIB countermeasures

  • Obligation to implement measures issued by the authority.

7. Verification of suppliers

  • Security risk assessment of suppliers.
  • Potential prohibition of risky suppliers.
  • Supply chain security management.

8. Appointment of a Cybersecurity Manager

  • Higher regime: a professionally qualified manager.
  • Lower regime: an authorised person.

9. Ensuring service availability from the Czech Republic

  • This applies to strategically important services.

Why is this important?

The Computer Security Incident Response Team Czech Republic (CSIRT), the team that handles cybersecurity incidents in the Czech Republic, states in its statistics that there were a total of 2283 incidents in 2024 and 2217 in 2025.

The most common types are phishing, spam and malware.

The average recovery time after a serious incident (such as ransomware) ranges from 3 to 14 days, depending on the type of organisation; some cases (such as attacks on hospitals or cities) have even led to outages lasting weeks. Direct damages in the Czech Republic are not accurately quantified, but in 2024 they were estimated at billions of crowns.

Online map of cyber-attacks: Live Cyber Threat Map | Check Point

Penalties for non-compliance with the Act

NÚKIB may impose:

  • Fines of up to EUR 10 million or 2% of turnover (basic entities)
  • Suspension of certifications or functions for up to six months
  • Mandatory corrective actions and repeated audits

What can you do now?

  • Verify if the law applies to you.
  • Ensure that you have designated a responsible person or Cybersecurity Manager.
  • Conduct a basic cybersecurity audit in your organisation.

Do not wait for an attack. Prepare in advance. The law is here, and the threats are too. Stay one step ahead.

We will be happy to assist you in understanding the Act’s requirements and planning your next steps. Feel free to contact us.

Author:

Nikola Šeborová, Manager, Technology & Digital Consulting
