Authors
Contact
UK flag Czech flag
Decorative page background
Blog Competition Czech Republic widens mandatory FDI screening

Czech Republic widens mandatory FDI screening

Czech Republic widens mandatory FDI screening
Martin Rott
Martin Rott

Foreign investors looking at the Czech Republic should be aware of a major shift in the country’s FDI landscape. Starting from 1 November 2025, the new FDI legislation reform significantly broadens the scope of transactions subject to mandatory screening. Acquisitions of many businesses, particularly in the digital, technology, healthcare and energy sectors, are more likely to be subject to notification. Czech FDI approval is becoming a routine part of deal planning.

Since its entry into force in May 2021, the Czech Foreign Direct Investment Act has been a relatively modest instrument. Only a single-digit number of transactions each year required mandatory screening by the local FDI authority (Ministry of Industry and Trade) low dozens were notified voluntarily, and there has been only one prohibition decision to date.[1] For most foreign investors, Czech FDI analysis was merely a brief tick-box exercise, with only a limited number choosing to notify voluntarily to avoid the risk of a potential post-closing review.

This is now likely to change. The amendment to the FDI Act, linked to two new legislative measures, the Act on Cybersecurity and the Critical Infrastructure Act, significantly expands the range of transactions subject to mandatory Czech FDI notification.

The Czech FDI framework continues to distinguish between:

  • a mandatory regime, applying to investments in predefined sensitive targets; and
  • a call-in regime, under which the FDI authority may review any other foreign investment that may raise national security concerns, coupled with a voluntary consultation regime, which investors may use to obtain fast-track, binding clearance.

The amendment, effective from 1 November 2025, affects only the mandatory regime. While the voluntary consultation mechanism remains unchanged, the pool of targets automatically captured by mandatory review expands substantially, particularly through the new link between the FDI Act and the Act on Cybersecurity.

HOW THE NEW CYBERSECURITY ACT DEFINES SENSITIVE TARGETS FOR MANDATORY FDI SCREENING

A central feature of the reform now in force is the link between the FDI Act and the new Act on Cybersecurity, which implements the EU NIS2 Directive. Under the amendment, the FDI Act now relies on the Cybersecurity Act to determine whether a Czech business is considered sensitive and therefore subject to mandatory notification (in addition to the existing categories of military material, dual-use goods and critical infrastructure).

The Cybersecurity Act introduces a new category of regulated entities: “providers of a regulated service under the regime of higher obligations” (in Czech: poskytovatelé regulované služby v režimu vyšších povinností).

These providers are designated by the National Cyber and Information Security Agency (NÚKIB) based on statutory criteria and sector-specific thresholds set out in an implementing decree. Once designated, they are automatically treated as sensitive targets under the FDI Act. These entities must register with NÚKIB no later than 30 December 2025. 

The regulatory cross-reference between the Cybersecurity Act and the FDI Act is logical: both laws aim to identify entities whose activities are essential to the functioning, security or resilience of the state, particularly in areas involving digital infrastructure, essential services or critical data. By connecting these frameworks, companies already subject to heightened cybersecurity obligations are also brought within the scope of foreign investment scrutiny.

At the same time, the reference ensures that the criteria for mandatory FDI notification are clear and predictable for foreign investors – if the target is registered with NÚKIB as a provider of a regulated service under the regime of higher obligations, the transaction requires FDI approval.

As a result, many businesses that historically fell outside any national-security perimeter will now be classified (through their NÚKIB designation) as requiring mandatory FDI screening, including for minority acquisitions starting at a 10% shareholding.

HOW THE CYBERSECURITY ACT EXPANDS THE POOL OF SENSITIVE TARGETS

The list of “providers of a regulated service under the regime of higher obligations” covers a wide array of operators, many of whom have not been considered national-security-sensitive from an investment-screening perspective.

The implementing decree lists the specific sectors and activities that require registration with NÚKIB. For many categories, the size of the target company (in particular, whether it qualifies as an SME or a large enterprise under EU criteria) determines whether it is an operator with higher obligations (and therefore subject to mandatory FDI review) or only lower obligations (in which case the mandatory regime does not apply).

Sectors (and examples of operators) in scope include, in particular:

  • Digital infrastructure and ICT services (telecommunications operators, internet service providers, cloud computing providers, internet exchange points, and data-centre operators);
  • Energy and utilities (operators in electricity generation and distribution, and gas and oil transmission and storage);
  • Transport and traffic management (including air carriers, airport operators, and rail transport operators);
  • Healthcare and life sciences (providers of healthcare services, manufacturers of pharmaceuticals and medical devices, MAHs, distributors, clinical-trial sponsors);
  • Chemicals and major-accident hazard facilities;
  • Financial services and market infrastructure (credit institutions and operators of trading systems).

This represents a significant shift from the previous regime, where only a narrow group of the most sensitive digital-infrastructure operators qualified for mandatory FDI notification.

THE NEW CRITICAL INFRASTRUCTURE ACT: REFINING, NOT REDEFINING, THE MANDATORY REGIME

Alongside the new Cybersecurity Act, the amendment also linked the FDI regime with the new Critical Infrastructure Act. Its impact on the mandatory FDI regime is more limited.

Under the previous framework, only specific facilities or assets could be classified as critical infrastructure. Under the new system, entire operators of these infrastructures may be designated as critical-infrastructure entities. The legislation thus shifts the focus from individual critical assets to the operator as a whole. However, the implementing decree setting out the designation rules has not yet been issued.

We expect this adjustment to modestly expand the group of companies treated as critical-infrastructure operators under the FDI Act. The Czech concept of critical infrastructure will, however, remain comparatively narrow. As a result, the practical impact of this reform on deal planning is far less significant than the changes introduced by the Cybersecurity Act.

CONCLUSION – IMPACT OF THE 2025 AMENDMENT FOR FOREIGN INVESTORS

The 2025 FDI amendment is the most significant evolution of the Czech FDI regime since its introduction. By linking the FDI Act to the new Cybersecurity Act and complementing it with refinements in the Critical Infrastructure Act, the Czech mandatory regime has shifted from a narrowly focused screening system to one capturing a much broader segment of the economy.

The Cybersecurity Act is the main driver of this expansion. Through the designation of providers of regulated services under the regime of higher obligations, a wide range of targets are brought into the mandatory notification net for the first time.

For foreign investors, the practical implications include:

  • Mandatory filings will become more common. Transactions involving Czech targets active in digital, data-driven, energy or healthcare sectors are now far more likely to require prior FDI clearance.
  • Early due diligence is essential. Investors should assess whether the target qualifies (or may qualify) as a regulated-service provider and whether it is registered with NÚKIB early enough to plan transaction timelines accordingly. The statutory deadline for the FDI authority’s decision in the mandatory regime remains long – 90 days from filing, with possible extensions.
  • Even minority acquisitions remain captured. Mandatory filings continue to be required for acquisitions starting at 10%, thus including purely financial investments without control.

Voluntary consultation remains available. A valuable risk-management tool for borderline or sensitive cases remains available where the mandatory regime does not apply.

Related articles