Since 1 November, a new Cybersecurity Act has been in force, which transposes the changes introduced by the NIS2 Directive.
Who is affected by the law
The legislation affects entities that provide any of the regulated services. A list of these services and the other criteria is set out in the Annex to the Regulated Services Ordinance. If you provide any of the listed services and meet the necessary criteria, you are a regulated service provider and are subject to the obligations under the Cybersecurity Act and the applicable regime.
The Act further singles out special entities to which it adds additional obligations. These are entities providing domain registration services and providers of strategically important services (services whose disruption could have a serious impact on the security of the Czech Republic or on internal order). The strategically important services will be defined by a government decree.
Two modes of obligation
The Act distinguishes two regimes of obligations: 1. the regime of higher obligations and 2. the regime of lower obligations. The criteria for inclusion in a given regime are also set out in the Annex to the Regulated Services Ordinance. The basic criterion is the size of the undertaking, but other factors may also apply.

However, the Act lists providers that will always fall under the regime of higher obligations. These are:
- providers of a regulated service that meet the two criteria described above and that
  - are the sole provider of this service in the Czech Republic,
  - provide a service whose disruption could have a significant impact on the security of the Czech Republic, internal order, or life and health,
  - provide a service whose disruption could create significant systemic risks, or
  - are essential for a specific sector because of their particular importance at regional or national level;
- providers of a service whose disruption may seriously affect the lives of more than 125 000 persons through a threat to the security of the Czech Republic, internal order, life and health, property, or the environment;
- providers of a service whose disruption may seriously impair the ability to provide another regulated service of a provider under the regime of higher obligations;
- critical infrastructure entities.
Duties
a) Registration
The first obligation that a provider of a regulated service must fulfil is registration. The regulated service must be registered within 60 days of the conditions for registration being met (if they were already met before the Act came into force, the deadline is 60 days after the Act came into force). Registration is carried out via the NÚKIB Portal. The provider is subsequently served with a decision on registration, which is particularly important because the deadlines for the further obligations are calculated from its delivery.
(b) Reporting of contact details
The provider must report its contact details and additional information within 30 days of receipt of the registration decision. Reporting is again done through the NÚKIB Portal.
(c) Cybersecurity incident reporting
No later than 1 year from the delivery of the registration decision, the provider is obliged to start reporting cybersecurity incidents.
A provider in the regime of higher obligations must report to NÚKIB all cybersecurity incidents for which intentional culpability cannot be ruled out. A provider in the regime of lower obligations reports to the National CERT only those incidents that have a significant impact and for which intentional culpability cannot be ruled out. Reports are made via the NÚKIB Portal.
This also entails the obligation to keep records of cybersecurity incidents, events, threats and vulnerabilities.
(d) Security measures
Security measures must be in place within the same timeframe, i.e. within 1 year of delivery of the registration decision, and they differ according to the regime. The Act lists the areas that the security measures must cover; the specific obligations are set by NÚKIB in separate decrees for the regime of higher obligations and for the regime of lower obligations.

Timeline of the obligations under the new Cybersecurity Act (image): https://portal.nukib.gov.cz/storage/uploads/2025/11/11/harmonoram-nzkb-v2_uid_69136221347c6.png
Sanctions
For non-compliance, a provider in the regime of higher obligations is liable to fines of up to CZK 250 million, while a provider in the regime of lower obligations may be fined up to CZK 175 million.
If you would like more information in this regard, please do not hesitate to contact us.
This article is for informational purposes only and does not constitute legal advice or guidance for any particular case.
