Cybersecurity regulation in Czechia (2026)
Czechia enacted a new, standalone Cybersecurity Act (No. 264/2025 Coll.) that entered into force on 1 November 2025, replacing the prior cybersecurity regime and fully transposing the EU NIS2 Directive. The law significantly expands the scope of regulated entities across 15 sectors, establishes a two-tier classification (essential / important entities), and imposes risk-management, incident-reporting, and supply-chain obligations enforced by NÚKIB. Some secondary implementing regulations (e.g., on essential functions and strategically significant services) remained pending into 2026.
Key points
The Chamber of Deputies passed the act on 25 April 2025; it was signed by the President on 26 June 2025, published in the Collection of Laws on 4 August 2025, and entered into force on 1 November 2025, missing the EU's 17 October 2024 deadline. It replaces the earlier cybersecurity act entirely.
The act covers entities with ≥50 employees or annual turnover/balance sheet >€10 million operating in 15 sectors (energy, healthcare, transport, finance, digital infrastructure, food, manufacturing, etc.), classified as either 'essential entities' (higher obligations) or 'important entities' (lower obligations). Entities had 60 days from 1 November 2025 to self-assess and register with NÚKIB.
Essential entities must report to NÚKIB all cybersecurity incidents affecting their regulated service that originate in cyberspace and where intentional conduct cannot be excluded; important entities must report incidents with a significant impact on service provision, with reports directed to the national CSIRT. The act goes beyond the NIS2 minimum by requiring reporting of all (not only significant) incidents for essential entities.
Regulated entities must implement technical and organisational cybersecurity measures, ensure top-level management oversight and cybersecurity training, conduct supply chain risk assessments, and maintain business continuity plans for serious cyber incidents. NÚKIB may request extensive supply-chain information and prohibit or restrict use of specific suppliers deemed security risks.
Essential entities face fines of up to CZK 250 million or 2% of global annual turnover (whichever is higher); important entities face up to CZK 175 million or 1.4% of global annual turnover. NÚKIB may also impose coercive fines up to CZK 10 million, suspend operations, require remediation, and in cases of repeated serious management failures, take action affecting corporate bodies.
As of early 2026, several Government regulations implementing the act — particularly on essential functions and strategically significant services with enhanced supply-chain resilience requirements — remained pending. NÚKIB was processing entity registrations submitted by the December 2025 deadline; once confirmed, a one-year transitional compliance period begins before full enforcement of all security controls and reporting obligations.
Timeline - major decisions & events
NÚKIB issued a formal high-risk warning (probability 'likely to very likely') advising critical-infrastructure operators against products and services that send data to or allow remote management from the People's Republic of China — covering IP cameras, PV inverters, smart meters, connected vehicles, cloud storage, and LLMs. Entities regulated under the Cybersecurity Act must integrate this risk into mandatory risk analyses and apply commensurate controls.
Source: NÚKIB
The Czech Parliament enacted Act No. 264/2025 Coll. on Cybersecurity, published in the Official Gazette on 4 August 2025 and entering into force 1 November 2025. It replaces Act No. 181/2014, expands regulated entities from roughly 400 to an estimated 6,000–15,000 across 18 sectors, introduces essential/important entity tiers, mandatory supply chain risk management, executive accountability, 24-hour incident reporting, and fines up to CZK 250 million or 2% of global annual turnover.
Source: NÚKIB
The Czech Government formally attributed a cyber-espionage campaign active since at least 2022 to APT31, assessed with high certainty to be operated by China's Ministry of State Security, which had persistently targeted the unclassified network of the Czech Ministry of Foreign Affairs — designated critical infrastructure. The attribution was concluded jointly by all four Czech intelligence and security agencies.
Source: NÚKIB
The Czech MFA, alongside Germany, the EU, and NATO, formally attributed to Russia's GRU-linked APT28 a campaign exploiting a Microsoft Outlook zero-day (CVE-2023-23397) to target Czech political entities and government institutions. The EU Council issued a parallel statement condemning Russia's 'continuous pattern of irresponsible behaviour in cyberspace.'
Source: Czech Ministry of Foreign Affairs
The Czech Government adopted its second National Cybersecurity Strategy, covering 2021–2025 with an accompanying Action Plan. Built with input from dozens of public and private organisations, it established binding goals across three pillars: confidence in cyberspace, strong international alliances, and a resilient digital society — and set the institutional agenda for NÚKIB's regulatory expansion.
Source: NÚKIB
Hosted by the Czech Government and NÚKIB, the conference brought together representatives from 30+ countries, the EU, and NATO to address 5G supply-chain risks. The resulting 'Prague Proposals' became an internationally influential framework recommending vendor evaluation based on rule-of-law, transparency, and security — effectively providing the geopolitical and technical rationale for restricting high-risk vendors such as Huawei in critical networks.
Source: Czech Government
NÚKIB issued a formal warning declaring that hardware and software of Huawei Technologies and ZTE Corporation posed a threat to national security, citing Chinese law's compelled-cooperation provisions for private companies. The warning directed critical-infrastructure operators to treat these vendors as high-risk and pre-dated similar actions by most EU partners, establishing Czechia as an early mover in the Western 5G vendor debate.
Source: NÚKIB
Act No. 205/2017 Coll. amended the 2014 Cybersecurity Act to separate cybersecurity functions from the National Security Authority and create the National Cyber and Information Security Agency (NÚKIB) as the dedicated central administrative body. NÚKIB assumed responsibility for regulation and audit of critical entities, national CERT/CSIRT coordination, and international cyber diplomacy — also transposing core NIS Directive obligations into Czech law.
Source: NÚKIB
The Czech Parliament enacted Act No. 181/2014 Coll. on Cyber Security, establishing the country's first comprehensive cybersecurity legal framework. It imposed mandatory security measures and incident-reporting obligations on operators of critical information infrastructure and important information systems, and created the National Security Authority as the supervising body — one of the earliest such laws in the EU, predating the EU NIS Directive by two years.
Source: NÚKIB
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.