Cybersecurity · Czechia
Cybersecurity law in Czechia: NIS2 compliance (2026)
Czechia shaded by its cybersecurity status
Cybersecurity in Czechia: comprehensive law, anchored by Act No. 264/2025 Coll. on Cybersecurity (Zákon o kybernetické bezpečnosti), in force 1 November 2025, transposing EU NIS2 Directive (2022/2555); supervised by NÚKIB (National Cyber and Information Security Agency).
Czechia enacted a new, standalone Cybersecurity Act (No. 264/2025 Coll.) that entered into force on 1 November 2025, replacing the prior cybersecurity regime and fully transposing the EU NIS2 Directive. The law significantly expands the scope of regulated entities across 15 sectors, establishes a two-tier classification (essential / important entities), and imposes risk-management, incident-reporting, and supply-chain obligations enforced by NÚKIB. Some secondary implementing regulations (e.g., on essential functions and strategically significant services) remained pending into 2026.
NIS2 & cybersecurity law in Czechia
In Czechia, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to €10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Czechia implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Czechia: FAQ
Yes. As an EU member, Czechia has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to €10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
The Chamber of Deputies passed the act on 25 April 2025; it was signed by the President on 26 June 2025, published in the Collection of Laws on 4 August 2025, and entered into force on 1 November 2025, missing the EU's 17 October 2024 deadline. It replaces the earlier cybersecurity act entirely.
The act covers entities with ≥50 employees or annual turnover/balance sheet >€10 million operating in 15 sectors (energy, healthcare, transport, finance, digital infrastructure, food, manufacturing, etc.), classified as either 'essential entities' (higher obligations) or 'important entities' (lower obligations). Entities had 60 days from 1 November 2025 to self-assess and register with NÚKIB.
Essential entities must report to NÚKIB all cybersecurity incidents affecting their regulated service that originate in cyberspace and where intentional conduct cannot be excluded; important entities must report incidents with a significant impact on service provision, with reports directed to the national CSIRT. The act goes beyond the NIS2 minimum by requiring reporting of all (not only significant) incidents for essential entities.
Regulated entities must implement technical and organisational cybersecurity measures, ensure top-level management oversight and cybersecurity training, conduct supply chain risk assessments, and maintain business continuity plans for serious cyber incidents. NÚKIB may request extensive supply-chain information and prohibit or restrict use of specific suppliers deemed security risks.
Essential entities face fines of up to CZK 250 million or 2% of global annual turnover (whichever is higher); important entities face up to CZK 175 million or 1.4% of global annual turnover. NÚKIB may also impose coercive fines up to CZK 10 million, suspend operations, require remediation, and in cases of repeated serious management failures, take action affecting corporate bodies.
As of early 2026, several Government regulations implementing the act, particularly on essential functions and strategically significant services with enhanced supply-chain resilience requirements, remained pending. NÚKIB was processing entity registrations submitted by the December 2025 deadline; once confirmed, a one-year transitional compliance period begins before full enforcement of all security controls and reporting obligations.
Timeline - major decisions & events
NÚKIB issued a formal high-risk warning (probability 'likely to very likely') advising critical-infrastructure operators against products and services that send data to or allow remote management from the People's Republic of China, covering IP cameras, PV inverters, smart meters, connected vehicles, cloud storage, and LLMs. Entities regulated under the Cybersecurity Act must integrate this risk into mandatory risk analyses and apply commensurate controls.
NÚKIB ↗The Czech Parliament enacted Act No. 264/2025 Coll. on Cybersecurity, published in the Official Gazette on 4 August 2025 and entering into force 1 November 2025. It replaces Act No. 181/2014, expands regulated entities from roughly 400 to an estimated 6,000-15,000 across 18 sectors, introduces essential/important entity tiers, mandatory supply chain risk management, executive accountability, 24-hour incident reporting, and fines up to CZK 250 million or 2% of global annual turnover.
NÚKIB ↗The Czech Government formally attributed a cyber-espionage campaign active since at least 2022 to APT31, assessed with high certainty to be operated by China's Ministry of State Security, which had persistently targeted the unclassified network of the Czech Ministry of Foreign Affairs, designated critical infrastructure. The attribution was concluded jointly by all four Czech intelligence and security agencies.
NÚKIB ↗The Czech MFA, alongside Germany, the EU, and NATO, formally attributed to Russia's GRU-linked APT28 a campaign exploiting a Microsoft Outlook zero-day (CVE-2023-23397) to target Czech political entities and government institutions. The EU Council issued a parallel statement condemning Russia's 'continuous pattern of irresponsible behaviour in cyberspace.'
Czech Ministry of Foreign Affairs ↗The Czech Government adopted its second National Cybersecurity Strategy, covering 2021-2025 with an accompanying Action Plan. Built with input from dozens of public and private organisations, it established binding goals across three pillars: confidence in cyberspace, strong international alliances, and a resilient digital society, and set the institutional agenda for NÚKIB's regulatory expansion.
NÚKIB ↗Hosted by the Czech Government and NÚKIB, the conference brought together representatives from 30+ countries, the EU, and NATO to address 5G supply-chain risks. The resulting 'Prague Proposals' became an internationally influential framework recommending vendor evaluation based on rule-of-law, transparency, and security, effectively providing the geopolitical and technical rationale for restricting high-risk vendors such as Huawei in critical networks.
Czech Government ↗NÚKIB issued a formal warning declaring that hardware and software of Huawei Technologies and ZTE Corporation posed a threat to national security, citing Chinese law's compelled-cooperation provisions for private companies. The warning directed critical-infrastructure operators to treat these vendors as high-risk and pre-dated similar actions by most EU partners, establishing Czechia as an early mover in the Western 5G vendor debate.
NÚKIB ↗Act No. 205/2017 Coll. amended the 2014 Cybersecurity Act to separate cybersecurity functions from the National Security Authority and create the National Cyber and Information Security Agency (NÚKIB) as the dedicated central administrative body. NÚKIB assumed responsibility for regulation and audit of critical entities, national CERT/CSIRT coordination, and international cyber diplomacy, also transposing core NIS Directive obligations into Czech law.
NÚKIB ↗The Czech Parliament enacted Act No. 181/2014 Coll. on Cyber Security, establishing the country's first comprehensive cybersecurity legal framework. It imposed mandatory security measures and incident-reporting obligations on operators of critical information infrastructure and important information systems, and created the National Security Authority as the supervising body, one of the earliest such laws in the EU, predating the EU NIS Directive by two years.
NÚKIB ↗Czechia - other topics
Cybersecurity in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →