NIS2 and the New Cybersecurity Act: What Awaits Czech Organizations?

Czechia has taken an important step in the area of digital security. On 25 April 2025, the Chamber of Deputies approved a new Cybersecurity Act along with an accompanying law, both of which implement the EU NIS2 Directive.  This regulation introduces substantial changes, expanding the scope of regulated entities and imposing higher demands on risk management, management’s liability, and cooperation within supply chains.

Variable effective date instead of a fixed one

A major change from the original plan is the removal of the fixed effective date (1 July 2025). The Act will now come into effect “on the first day of the third calendar month following its publication.” For instance, if the Act is published in the Collection of Laws by the end of July, it will come into effect on 1 October 2025. The final effective date will depend on the speed of the remaining legislative process (Senate, potential re-vote in the Chamber of Deputies, President, publication in the Collection of Laws).  Current estimates range between 1 September 2025 and 1 January 2026.

Implementing decrees – essential for success

Many details will only become clear after the issuance of implementing decrees. Based on current information from the National Cyber and Information Security Agency (NÚKIB), changes can be expected compared to previously published draft decrees.  Due to the absence of these decrees, organizations currently lack certainty about whether the Act applies to them, complicating their preparation for it.

The actual effectiveness of the regulation depends not only on the Act itself but also on the issuance of the implementing Decree on Regulated Services. Without the Decree, it will be impossible to determine who falls under the regulation; the entire regulation can therefore only take effect once the Decree is announced. The legislative process for the Decree includes interdepartmental consultations, discussions in the Legislative Council of the Government, and publication in the Collection of Laws. Consequently, it cannot be excluded that the Decree could theoretically appear in the Collection of Laws only after the Act becomes effective.

Who is affected by the regulation?

The new Act extends its scope to thousands of organizations across 18 sectors, including energy, healthcare, food and digital services. Obligations may also apply to organizations outside the main sectors, especially if they are suppliers to regulated entities.

Additionally, NÚKIB can designate certain entities based on its assessment if their activities could impact cybersecurity. This approach aligns with the concept of "identified entities" under NIS2. 

New management obligations and liability

The Act emphasizes the personal liability of company management for managing cyber risks. Management must approve security policies, ensure employee training and regularly evaluate security measures. Non-compliance can result in fines of up to EUR 10 million or 2% of worldwide turnover.

Practical implications and recommendations

  • Impact analysis: Organizations should promptly assess whether and to what extent the new regulation affects them, particularly their primary assets (e.g., key systems, data, infrastructure).
  • Contract and process review: It is necessary to update supplier contracts, internal procedures, and security documentation.
  • Training and awareness: It is crucial to train employees and management on new obligations and cyber risks.
  • Cooperation with experts: It is worthwhile to utilize consultations and professional audits, especially in the areas of risk and incident management.

Slovakia leads, Europe in motion

In Slovakia, similar legislation has been in force since 1 January 2025. Implementation is also already in place in Belgium, Croatia, Greece, Hungary, Italy, Latvia, Lithuania, Malta and Romania. Experience shows that early preparation is key – organizations that began implementation in advance manage the transition to new rules more smoothly and effectively. Demonstrable progress in implementing new obligations within organizations will undoubtedly play a role in any potential inspections and their conclusions. 

Conclusion: Cybersecurity as a necessity and an opportunity

The new Act brings higher administrative demands but also an opportunity to strengthen the credibility and resilience of companies. Those who start preparations early will gain an advantage not only in meeting statutory obligations but also in building trust with customers and partners.
