A public contracting authority procuring a new information system or cloud service is now facing a challenge that did not exist just a few years ago. It must not only conduct the procurement procedure correctly but also comply with the obligations imposed by the Cybersecurity Act. At first glance, these two dimensions can appear to be at odds: security requirements tend to restrict the pool of potential suppliers, while public procurement rules demand open competition and equal treatment. If this tension is not managed properly, the contracting authority risks either regulatory sanctions for insufficient protection, or challenges to the procurement procedure on the grounds of discrimination between bidders. In this article, we explain precisely where this tension arises, how it can be navigated safely, and what specific provisions must be included in contracts with IT suppliers to ensure they withstand scrutiny on both fronts.
A dual role public contracting authorities must learn to live with
Cybersecurity is no longer solely a technical concern for IT departments. It is a regulatory obligation with potential sanctions, accountability for executive bodies, and a direct impact on how ICT projects are procured and contractually structured. A public contracting authority (for example, a regional authority, a hospital or an operator of critical infrastructure) thus finds itself in a dual role: it must procure IT supplies in a fair and non-discriminatory manner, while at the same time actively managing the security risks associated with its suppliers. These two roles, however, can pull in different directions.
The new Cybersecurity Act (No. 264/2025 Sb., the “Act”) fundamentally changes the rules of the game for public contracting authorities. At the same time, they must continue to procure IT contracts in accordance with the strict requirements of the Public Procurement Act (the “PPA”). How can these two worlds be reconciled in practice without ending up with either an unenforceable contract or a successful challenge by a bidder before the supervisory authority?
What the Act now requires of contracting authorities
The new Cybersecurity Act implements the European NIS2 Directive and introduces a structured system of obligations. For public contracting authorities, two concepts are particularly important.
First, the distinction between a higher and a lower regime. Entities falling within the higher regime (typically large providers of essential or important services) are subject to more stringent obligations – they must register with the National Cyber and Information Security Agency (NÚKIB), implement comprehensive security measures, and report incidents within shorter timeframes. Entities in the lower regime face less onerous, but still binding, requirements.
Second, supplier management is expressly included among the statutory security measures. It is therefore no longer sufficient to have internal processes in order. Contracting authorities must also maintain control over who has access to their infrastructure, data or operational systems, and under what conditions.
In practice, it is no longer enough to “simply comply with the PPA”. A contract with an IT supplier that ignores the requirements of the Act may expose the contracting authority not only to regulatory liability, but also to operational risks in the event of a cybersecurity incident.
What an IT supplier contract must contain
A well-structured contract with an IT supplier for a regulated entity should cover at least the following five areas:
- Allocation of responsibilities. The contract must clearly define which security measures are ensured internally by the organisation and which fall to the supplier. A proven tool is a RACI matrix or a clear schedule of obligations attached as an annex to the contract – this helps prevent disputes in the event of an incident.
- Audit and incident reporting. The contracting authority must have a contractual right to audit (ideally including the right to appoint a third party), clearly defined time limits for reporting security incidents, and an obligation on the supplier to provide forensic support. These timeframes must be consistent with the authority’s own reporting obligations towards the National Cyber and Information Security Agency.
- Supply chain. Security obligations must extend to subcontractors as well. The contract should include an obligation for the supplier to notify changes in the subcontracting chain, a mechanism for responding to warnings issued by the National Cyber and Information Security Agency, and, where justified, even a prohibition on specific technologies or components.
- Access to data and operational information. The contracting authority must have access at all times to information on the state of its infrastructure and to operational logs. Without this, it cannot fulfil its own obligations under the Act or respond effectively to any intervention by the regulator.
- Exit and continuity. A change of supplier must not in itself create a security risk. The contract should address the handover or secure disposal of data, documentation of the system architecture, cryptographic keys, and an obligation to provide cooperation during migration to a successor system.
What it looks like in practice: Two approaches, one outcome
Consider a model example: a regional authority procures the operation of a Security Operations Centre (SOC) as a service.
In the first scenario, security requirements are included in the contract “at the end” as a standard annex carried over from a previous project. They are not aligned with the system architecture, and they lack specific timeframes for incident reporting or clear audit mechanisms. In such cases, it often becomes apparent after the first serious incident that the supplier is under no obligation to provide logs within the timeframe required by the National Cyber and Information Security Agency, and responsibility for the failure remains unclear.
In the second scenario, the contracting authority carries out a risk analysis before launching the procurement procedure and uses it as the basis for the tender documentation. Security requirements are then reflected both in the qualification criteria and in the award criteria. The contract itself includes structured annexes covering the allocation of responsibilities, incident reporting timeframes and an exit protocol. The result is a situation in which the authority can demonstrate compliance with the Act and respond swiftly in the event of an incident.
The difference between these two approaches does not lie in the length of the contract. It lies in when and how security is considered. If it is addressed only “at the last minute”, the result is very often an ineffective setup – one whose shortcomings typically become apparent only when a critical incident occurs, at which point it is already too late. Taking a comprehensive approach from the outset may be more time-consuming, but it delivers exactly what cybersecurity regulation is intended to achieve: preventing cyber incidents and minimising their impact on the functioning of the state, businesses and individuals.
Conclusion: Key takeaways
The new Cybersecurity Act does not merely add another layer of compliance. It changes how public contracting authorities must approach the entire lifecycle of ICT projects – from preparation of procurement documentation through supplier selection to contractual arrangements and their regular review.
Practical recommendations:
- Carry out a risk analysis before launching the procurement procedure, not only when drafting the contract.
- Reflect security requirements in qualification conditions and award criteria – not only in contract annexes.
- Review existing IT supplier contracts in light of the Act, especially if concluded before its effectiveness.
- Ensure security obligations apply across the entire supply chain.
- Prepare exit scenarios before you need to change supplier.
The HAVEL & PARTNERS team has long supported public contracting authorities and IT suppliers in aligning cybersecurity requirements, procurement procedures and contractual practice. If you are addressing procurement strategy design, drafting contractual templates or reviewing existing agreements to ensure they are both functional and defensible before regulators and the Office for the Protection of Competition, we would be pleased to work with you on it.