Cybersecurity · Czechia
Czechia enacted a new, standalone Cybersecurity Act (No. 264/2025 Coll.) that entered into force on 1 November 2025, replacing the prior cybersecurity regime and fully transposing the EU NIS2 Directive. The law significantly expands the scope of regulated entities across 15 sectors, establishes a two-tier classification (essential / important entities), and imposes risk-management, incident-reporting, and supply-chain obligations enforced by NÚKIB. Some secondary implementing regulations (e.g., on essential functions and strategically significant services) remained pending into 2026.
The Chamber of Deputies passed the act on 25 April 2025; it was signed by the President on 26 June 2025, published in the Collection of Laws on 4 August 2025, and entered into force on 1 November 2025, missing the EU's 17 October 2024 deadline. It replaces the earlier cybersecurity act entirely.
The act covers entities with ≥50 employees or annual turnover/balance sheet >€10 million operating in 15 sectors (energy, healthcare, transport, finance, digital infrastructure, food, manufacturing, etc.), classified as either 'essential entities' (higher obligations) or 'important entities' (lower obligations). Entities had 60 days from 1 November 2025 to self-assess and register with NÚKIB.
Essential entities must report to NÚKIB all cybersecurity incidents affecting their regulated service that originate in cyberspace and where intentional conduct cannot be excluded; important entities must report incidents with a significant impact on service provision, with reports directed to the national CSIRT. The act goes beyond the NIS2 minimum by requiring reporting of all (not only significant) incidents for essential entities.
Regulated entities must implement technical and organisational cybersecurity measures, ensure top-level management oversight and cybersecurity training, conduct supply chain risk assessments, and maintain business continuity plans for serious cyber incidents. NÚKIB may request extensive supply-chain information and prohibit or restrict use of specific suppliers deemed security risks.
Essential entities face fines of up to CZK 250 million or 2% of global annual turnover (whichever is higher); important entities face up to CZK 175 million or 1.4% of global annual turnover. NÚKIB may also impose coercive fines of up to CZK 10 million, suspend operations, require remediation, and, in cases of repeated serious management failures, take action affecting corporate bodies.
As of early 2026, several Government regulations implementing the act — particularly on essential functions and strategically significant services with enhanced supply-chain resilience requirements — remained pending. NÚKIB was processing entity registrations submitted by the December 2025 deadline; once confirmed, a one-year transitional compliance period begins before full enforcement of all security controls and reporting obligations.
Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.