Cybersecurity comes down to contracts: What every in-house lawyer and compliance manager should know

When a company outsources its IT systems and data, any weakness in a supplier’s security becomes a problem for the entire organisation – including its management and legal department. This article explains how European and Czech cybersecurity and data protection laws are reshaping contracts with providers of cloud and software solutions, and what this means in practice for the day-to-day work of in-house lawyers and compliance managers.

Why cybersecurity needs to be addressed

Only a few years ago, it was common for contracts with IT suppliers to include a single, generic clause on “appropriate security measures”, along with a reference to a data processing agreement under the GDPR. Today, the situation is fundamentally different. A new wave of regulation – the NIS2 Directive and the related Czech Act No. 264/2025 Sb., on Cybersecurity (the “Act”), the Cyber Resilience Act, the Data Act, and the ever-present GDPR – combined with a number of major incidents caused by supply chain compromises, has driven a significant shift in contractual practice. Cybersecurity is no longer the sole domain of IT departments – it has become a matter for executive bodies, as well as compliance and legal teams.

What has changed in the regulatory landscape: A practical overview

Before turning to contracts, it is worth briefly clarifying which regulations now set the “benchmark” for the market and for regulators – from a practical perspective rather than a purely legalistic one.

NIS2 and the Act

The NIS2 Directive, transposed into Czech law by the Act, significantly expands the range of regulated entities. It now applies to medium-sized and large undertakings across a number of sectors (such as energy, transport, healthcare, digital infrastructure, and manufacturing), distinguishing between two regimes: a higher regime for “essential” entities and a lower regime for “important” ones. A key feature is the strong emphasis on supply chain security. Regulated entities are required to actively manage cybersecurity risks arising from their suppliers and partners, rather than focusing solely on their own systems.

GDPR as a constant cross-cutting framework

The GDPR does not, in itself, introduce a new wave of obligations, but it remains highly relevant in the context of cyber incidents. Any security incident involving personal data is also an incident within the meaning of Article 32 (security of processing) and Article 28 (processor obligations). As a result, such incidents may lead to sanctions not only for controllers, but also for processors.

Cyber Resilience Act

The Cyber Resilience Act will begin to apply in full as of 2027. This regulation will fundamentally reshape the liability of manufacturers of software and hardware with digital elements. Manufacturers will be required to address cybersecurity risks already at the design stage (security by design), publish a software bill of materials (SBOM), ensure patch management throughout the product lifecycle, and assume responsibility for the security of integrated third-party components. For software customers, this creates a new framework for assessing the security maturity of suppliers.

Data Act

Since 2025, the Data Act has introduced new obligations for cloud service providers. Customers must be able to switch to a competitor without undue technical, contractual or financial barriers (limiting vendor lock-in). Providers are required to contractually ensure data portability, secure deletion of data upon termination, and reasonable migration assistance. For in-house lawyers, this means that contracts lacking a genuine exit plan and properly structured portability provisions now represent, at a minimum, a significant contractual risk.

Three key trends for private companies

1. Cybersecurity as a D&O responsibility

New regulation elevates cybersecurity to the level of duty of care. Executive directors who ignore cyber risks or simply delegate them to IT without further oversight risk having to justify, in the event of an incident, why adequate governance was not in place (for example, an approved security policy, clearly defined roles and responsibilities, allocated resources, and regular reporting to the executive body).

2. “Regulation via contracts”: Even unregulated companies feel the pressure

It is increasingly common for companies that are not directly subject to NIS2 or sector-specific regulation to face requirements from their customers who are. Large corporates, banks, insurers, and public institutions are effectively passing their regulatory obligations down through RFPs and contractual terms, including areas such as certifications, audit rights, reporting, incident management and restrictions on subcontractors. Any company seeking to provide SaaS or outsourcing services to these segments must therefore be prepared to meet these standards, even if the law does not apply to them directly.

3. Supply chain security as the new normal

A significant proportion of today’s incidents do not begin with a direct attack on the target organisation, but through a compromised supplier or shared tool. Pressure to implement Third Party Risk Management (TPRM) – that is, systematic assessment and ongoing monitoring of suppliers’ security maturity – is spreading from the financial sector into mainstream commercial practice. Certifications such as ISO 27001 or SOC 2 are thus shifting from a competitive advantage to a baseline expectation in larger procurement processes.

What this means for IT supplier contracts in practice

Let’s turn to what in-house lawyers and procurement teams care about most: how these trends translate into specific contractual provisions.

Security standards and certifications

Contracts now commonly require suppliers to maintain ISO 27001 certification or an equivalent (such as SOC 2 Type II), and to provide up-to-date certificates or audit reports upon request. Loss of certification should be treated as a material change, triggering an obligation to notify the customer and potentially giving rise to rights to remediation or termination.

Vulnerability and patch management

In an environment moving towards the full application of the Cyber Resilience Act, it is no longer sustainable for contracts to remain silent on timeframes for addressing critical vulnerabilities. Good practice is to define different timeframes for critical and high-risk vulnerabilities, coupled with obligations to inform the customer and, where appropriate, to allow for extraordinary audits.

Incident management and reporting

The GDPR sets a 72-hour deadline for notifying the supervisory authority of a breach, while NIS2 and the Act introduce their own notification regimes. Contracts therefore typically require the supplier to inform the customer without undue delay – often within a matter of hours from detecting an incident – and to provide a detailed report within 72 hours, including a description of the incident, the data affected and the measures taken.

Audit rights

The right to audit (whether exercised directly or through an accredited auditor) is now standard, but its value depends on the specific wording. It is important to define the scope, frequency and conditions of audits, as well as to include a specific regime for forensic audits in the event of an incident, including access to logs and other relevant documentation. In practice, however, the key factor is that such audits are actually carried out on a regular basis – having a right that is never exercised is of little real use.

Liability, insurance and SLAs

Standard liability caps (for example, one or two times the annual contract value) often do not reflect the scale of potential damage arising from a major incident. A common approach is to carve out security breaches or gross negligence from the general cap and to require the supplier to maintain appropriate cyber insurance.

Exit and data portability (Data Act)

Exit clauses are no longer a formality at the end of a contract. The Data Act grants customers a right to data portability and limits barriers to switching providers. Contracts therefore increasingly define data export formats, timeframes for providing exports, methods for secure data deletion (including deletion certificates), and the scope of migration assistance.

Alignment with the DPA and ISMS

A key issue – often underestimated in practice – is the alignment of the security schedule, the Data Processing Agreement (DPA) under the GDPR, and internal security policies or the Information Security Management System (ISMS). Where these documents are developed separately, inconsistencies may arise (for example, differing definitions of an incident or notification timeframes). Good practice is to use consistent terminology throughout and to contractually define a hierarchy of documents so that, in the event of a conflict, it is clear which document prevails.

Conclusion: Practical steps for companies

The complexity of today’s regulatory landscape can be translated into a set of concrete, manageable steps even for “ordinary” commercial companies.

  1. Map your regulatory position. Verify whether you or your key customers fall within the scope of NIS2/the Act and to what extent.
  2. Audit existing IT contracts. Identify agreements lacking security standards, clear incident notification obligations, audit rights, flow-down obligations for subcontractors, or exit/data portability provisions in line with the Data Act.
  3. Update IT contract and DPA templates. Prepare a modular security annex aligned with the DPA and your internal ISMS, and treat it as a living document that evolves alongside regulation and market practice.
  4. Implement third-party risk management (TPRM) processes. Introduce supplier categorisation based on criticality and a systematic assessment of their security maturity – both at onboarding and on an ongoing basis.
  5. Test incident response with key suppliers. Ensure they know whom to contact, within what timeframe, and what data must be provided to enable you to meet your own reporting obligations.
  6. Embed cybersecurity risk into executive-level governance. Regular reporting on cyber risks and security measures to the executive body is now part of standard duties of care, not an optional extra.
  7. Prepare realistic exit strategies for critical cloud services. Verify that you can actually export data in a standard format and migrate it within a reasonable timeframe, including secure deletion at the original provider.

Over time, cybersecurity has become an integral part of standard legal diligence. Not because it is a passing trend, but because regulators, insurers, and business partners are increasingly treating it as a prerequisite for cooperation. Companies that recognise this shift early and reflect it in their contractual documentation and internal processes can significantly reduce both regulatory and reputational risk, while at the same time strengthening their market position.

The HAVEL & PARTNERS team has long been supporting private companies as well as IT solution providers in aligning cybersecurity requirements, data protection, and contractual practice in a way that is both commercially practical and defensible before regulators. If you would like to ensure that your contractual documentation and internal processes can genuinely withstand the demands of cybersecurity regulation, we would be pleased to review your existing contracts, design appropriate security and exit clauses, and help you prepare for the requirements of both your customers and supervisory authorities.