Act No. 264/2025 Coll., on cyber security, effective from 1 November 2025, brings comprehensive regulation of rights and obligations in the field of cyber security. In this way, the Czech Republic is responding to growing threats with new legislation.
In today’s digital world, cyber security is key to protecting data, services and the overall functioning of the state and businesses. The Czech Republic is responding to growing threats with new legislation. Act No. 264/2025 Coll., on cyber security, effective from 1 November 2025, brings comprehensive regulation of rights and obligations in this area and transposes the relevant European Union rules. The aim is to strengthen defenses against cyber attacks and ensure the continuity of key services.
Who does the new law apply to?
The Act primarily applies to providers of regulated services. Your organization falls under this regulation if it meets all three of the following conditions:
1. You operate in a regulated sector: These are selected key sectors whose services matter to the security of important social or economic activities or to the security of the Czech Republic. They include, for example, energy, healthcare, transport, digital infrastructure and services, the financial market, public administration, but also manufacturing and the food industry, science, research and education, postal and courier services, and the defense and space industries. The specific list of sectors and services is laid down by a decree of the National Cyber and Information Security Agency (NÚKIB; hereinafter referred to as the “Authority”).
2. You provide a regulated service: It is not enough to operate in a given sector; you must provide a specific service listed in the annex to the decree on regulated services.
3. You are sufficiently significant: You meet the so-called significance criteria of a regulated service provider. This is assessed in particular on the basis of the size of the enterprise (within the meaning of Commission Recommendation 2003/361/EC, i.e. number of employees, annual turnover or balance sheet total). Other criteria specified in the decree may also apply. Organizations must assess for themselves whether they meet these criteria; there is no notification from the Authority that triggers the obligation.
An exception is made for information or communication systems that handle classified information; these are not covered by the Act.
Independently of these three conditions, the Authority may itself initiate proceedings if the service provided could have a significant impact on the security of the Czech Republic, could cause serious disruption to the lives of more than 125,000 people, could create systemic risks or disrupt the ability to provide another regulated service under the higher regime of obligations, or if the provider is a critical infrastructure entity.
Two regimes of obligations: Higher and Lower
If your organization is subject to regulation, it falls under one of two regimes of obligations: higher or lower. The assignment of services to regimes is determined by the Authority by decree.
• Higher regime of obligations: This usually (but not exclusively) applies to large enterprises or organizations that are of significant economic, social or security importance to the Czech Republic due to their size, number of users, geographical coverage of their services, impact on the functioning of the sector or the riskiness of their operations.
• Lower regime of obligations: This usually (but not exclusively) applies to medium-sized enterprises that provide important services but are not of fundamental strategic importance.
It is important to note that an organization is subject to only one set of obligations. If you provide multiple regulated services and at least one of them falls within the higher regime, the obligations of the higher regime apply to all of your regulated services.
Key obligations under the new law
The new law imposes a number of obligations designed to increase the protection of your services and data against cyber threats. Here is an overview of the main ones:
1. Notification of regulated services and reporting of contact and additional information: You are required to notify the Authority of your regulated service no later than 60 days after you have met the conditions for its registration. After receiving the registration decision, you must report your contact and additional information (e.g. ownership structure, technical details of the service, geographical coverage) within 30 days. All communication with the Authority takes place primarily through the Authority’s Portal.
2. Determining the scope of cyber security management: You must identify the primary and supporting assets related to the provision of the regulated service. If you do not define the scope, the regulation is deemed to apply to the entire organization. The defined scope must be reviewed and updated regularly.
3. Implementation of security measures: Organizational and technical security measures must be implemented within the defined scope. The scope of these measures varies for the higher and lower regimes. You must start fulfilling this obligation no later than one year from the date of delivery of the decision on the registration of the regulated service.
o For the higher regime, these measures include an information security management system, risk management, supplier management, physical security and communication network security.
o For the lower regime, the measures are simpler and include, for example, a minimum cyber security assurance system, risk management, human resources security and incident response.
o Providers of regulated services in the digital infrastructure and services sector (e.g. domain name translation systems, cloud computing, data centers, social networking platforms, managed security services) are subject to specific rules and implementing regulations of the European Commission.
4. Reporting cyber security incidents:
o Providers in the higher regime report to the Authority all cyber security incidents that have occurred within the defined scope, that originate in cyberspace, and that may have been the result of deliberate action.
o Providers in the lower regime report incidents with a significant impact that meet the same criteria as in the higher regime to the National CERT. Significant impact means serious operational disruption, financial loss or significant harm to other persons.
o Incidents must be reported without undue delay, no later than 24 hours after detection, primarily through the Authority’s Portal. This is followed by a notification within 72 hours and a final report within 30 days of the incident being resolved. This obligation begins to apply within one year of delivery of the registration decision.
5. Informing users about incidents and threats: You may inform users about significant incidents if you deem it appropriate; the Authority may, however, order you to inform users or prohibit you from doing so. You are also required to inform users about significant threats and the steps they can take to minimize their impact.
6. Implementing countermeasures issued by the Authority: You are required to respond to alerts, warnings and reactive countermeasures issued by the Authority.
o An alert is used to inform the public about an incident or a breach of obligations.
o A warning brings serious threats or vulnerabilities to your attention.
o Reactive countermeasures impose specific steps to address an imminent or ongoing incident or to secure assets.
7. Supply chain security verification mechanism: This obligation applies only to providers of strategically important services. A strategically important service is a regulated service whose disruption could have a serious impact on the security of the Czech Republic or its internal order. Providers must verify their suppliers of security-relevant supplies (i.e. supplies intended for a critical part of the defined scope). The Authority, in cooperation with the intelligence services and other authorities, collects and evaluates information on suppliers and may, on the basis of a government decision, set conditions for or prohibit the use of a risky supplier. Mechanisms are in place to protect the rights of providers, including the right to submit comments and the taking into account of the depreciation period of the technologies concerned.
8. Ensuring the availability of strategically important services from the Czech Republic: Providers of strategically important services must be able to ensure the availability of these services, to the extent necessary and at the specified time and quality, from the territory of the Czech Republic. This means that even if the service normally relies on assets located abroad, in the event of a problem it must be capable of operating exclusively from the Czech Republic without using assets outside the Czech Republic, even if that means providing it at a reduced quality (as defined by the provider). This capability must be regularly reviewed and tested.
Supervisory and cooperation authorities
The central administrative authority for cyber security is the National Cyber and Information Security Agency (NÚKIB), referred to above as the Authority. It coordinates cyber security activities and carries out analysis, prevention, testing and research in the field. The National CERT acts as the point of contact for providers in the lower regime and ensures information sharing and methodological support. Communication with the Authority takes place primarily through the Authority’s Portal, which is designed for maximum automation and self-service in order to reduce the administrative burden.
In the event of a serious threat, the Authority may declare a state of cyber danger, which gives it extended powers to resolve the situation, such as ordering measures even for entities outside its regulation, requesting human resources or prohibiting the use of compromised technical assets.
Supervision and sanctions
The Authority monitors compliance with the obligations and may impose corrective measures. Serious breaches of obligations may result in heavy fines of up to CZK 250,000,000 or 2% of net global annual turnover. Under the higher regime of obligations, specific sanctions may also be imposed, such as suspension of a European cybersecurity certificate or, in the event of repeated or serious breaches, temporary disqualification from serving as a member of a statutory (executive) body. The Authority may also impose administrative or coercive fines to enforce compliance with its decisions.
Summary
The new Cyber Security Act represents a major step towards strengthening the Czech Republic’s resilience to cyber threats. It is essential that the organizations concerned familiarize themselves with the new obligations and start working towards compliance with them. Further details on the implementation of the Act will be laid down in implementing regulations, i.e. decrees of the government or of the Authority. We recommend that you follow current developments and, in case of uncertainty, seek professional legal assistance, which we are, of course, ready to provide in this area as well.
What can a lawyer do for you?
• Legal audit and risk analysis
• Preparation of internal guidelines and compliance documentation
• Training for management and employees
• Review and amendment of contracts with contractual partners
• Legal support for supply chain verification and management
• Legal support in crisis situations and incident reporting
• Representation during inspections and audits
• Defending the client in administrative proceedings and before courts
Source: Act No. 264/2025 Coll., on cyber security
