New Czech Cybersecurity Act & NIS2 Directive

What awaits you and how we can help

The New Czech Cybersecurity Act has been approved, and the NIS2 Directive is coming. We've prepared an overview of everything important for you, along with a range of free, high-quality services to help you with implementation.

In November 2025, the new Czech Cybersecurity Act will come into effect. It affects not only state institutions but also many private organizations – often including those that weren't previously regulated. We've prepared an overview of everything important for you.

What is the NIS2 Directive?

The NIS2 Directive is a new EU directive aimed at strengthening cybersecurity across European Union member states. The directive will be transposed into Czech legislation through the Czech Cybersecurity Act, which brings new obligations for thousands of Czech organizations. Compared to the NIS1 Directive from 2016, which applied to organizations in sectors such as healthcare, energy, and banking, as well as to managed ICT service providers, the new directive extends to additional sectors, including public administration and the food industry. It also raises security standards and strengthens coordination and cooperation between member states.

Who does the NIS2 Directive affect?

Small and micro-enterprises are usually not regulated. For medium and large enterprises, obligations are tiered depending on whether they are classified as essential or important entities. In the Czech Cybersecurity Act, this division corresponds to the obligation regimes: higher and lower. Essential entities fall under the higher regime.


Not sure whether you'll need to comply with the new law's obligations? Use this simple calculator (in Czech):

NÚKIB Calculator

Obligations regardless of regime

The new Czech Cybersecurity Act will come into effect in November 2025. The deadline for meeting the new requirements runs from the effective date: there is 1 year to implement the new obligations and requirements.

Regardless of whether your organization falls under the lower or higher regime, you have the following obligations:

  • November 2025

    Expected effective date of the new Czech Cybersecurity Act

  • + 60 days

    Notification of regulated service

    through electronic form in the NÚKIB Portal

  • Automatic registration of service provider

  • After registration

    Delivery of registration decision

  • Within 30 days of receiving the decision

    Notification of contact details

    Within 30 days of receiving the registration decision from NÚKIB. Reported through the Portal.

  • + 1 year

    End of transitional period from the law's effective date

  • Obligation to report security incidents and implement security measures

    according to relevant regulation 

  • Compliance with any countermeasures issued by NÚKIB


 

Specific measures 

Below we present a list of measures that entities will need to implement as part of fulfilling obligations under the directive. We cover all measures with our services – clearly and free of charge. Don't know which regime your organization falls under? Try the calculator first.

Higher Regime
Path to Full Readiness

Entities in the higher obligation regime must implement a broad spectrum of organizational and technical measures. Our service offering helps with preparation and practical fulfillment of key areas.

Organizational measures

Choose services based on which measures you need help with.

Cybersecurity basics for managers and executives

  • information security management system
  • requirements for senior management
  • security policy and security documentation management
  • asset management
  • risk management
  • supplier management
  • change management
  • access management
  • business continuity management

Workshop tailor-made or on client's request

  • establishment of security roles

Cybersecurity Exercise in CyberRangecz Environment

  • managing cyber security events and incidents

In-depth cybersecurity consultation on the topic at the client's request

  • conducting cybersecurity audits

Introduction to Cybersecurity

  • human resources security

Consultation on the state of cybersecurity

  • acquisition, development and maintenance

Technical measures

Choose services based on which measures you need help with.

Cybersecurity basics for managers and executives

  • identity management and authentication

Basic Cybersecurity Course for ICT Administrators

  • cyber security event detection
  • event logging
  • cyber security event evaluation

Advanced Cyber Training for ICT Administrators

  • physical security
  • communication network security
  • access rights and permissions management
  • application security

In-depth Cybersecurity Consultation on Client-Requested Topic

  • ensuring availability of regulated service
  • securing industrial, control and similar specific technical assets
  • cryptographic algorithms

Lower Regime
Requirements Made Simple

For entities in the lower obligation regime, basic measures for ensuring cybersecurity are established. Here too, we offer practical support and suitable services that will help you meet legal requirements in an understandable and accessible format.

Measures in Lower Obligation Regime

Cybersecurity basics for managers and executives

  • system for ensuring minimum cybersecurity
  • requirements for senior management
  • asset management
  • risk management
  • business continuity management
  • access management
  • identity and authorization management

Introduction to Cybersecurity

  • human resources security

Basic Cybersecurity Course for ICT Administrators

  • detection and logging of cyber security events
  • cyber security incident response

Advanced Cyber Training for ICT Administrators

  • communication network security
  • application security

In-depth Cybersecurity Consultation on Client-Requested Topic

  • cryptographic algorithms

FAQ

Does the NIS2 Directive affect us?

The simplest and fastest way to find out whether the cybersecurity law obligations apply to your organization is to use NÚKIB's calculator.

If I order your services, won't I need to handle anything else?

Not quite – responsibility for meeting requirements always remains with the organization itself. We don't offer comprehensive solutions. However, our services help you understand what needs to be done, where to start, and how to plan it all out. We offer training, consultations, and specific support in implementing measures – but we always implement them together with you.

What if I don't want to implement or change anything?

The new Czech Cybersecurity Act isn't a recommendation – it's binding legislation for obligated entities. Neglecting key security measures can endanger the organization's operations and damage its credibility and reputation. And if even that doesn't deter you, keep in mind that penalties can reach up to 250 million CZK.

What if the regulation doesn't apply to us yet?

Even in that case, it pays to prepare – NIS2 Directive measures are in many respects a healthy foundation for any digitally functioning organization. Whether regulation affects you now or in the future, you'll gain an advantage and peace of mind. We can help you even then; don't hesitate to contact us through the form.

Are your services really free?

Absolutely yes. You won't pay anything at all for our services. They are funded from public sources – from the European Union's Digital Europe program and from the Czech National Recovery Plan. You don't need to worry about paperwork either. Administrative requirements are minimal.

Don't know where to start?
Contact us.

We'd be happy to review your situation with you and recommend the most suitable approach. Fill out the form and we'll get back to you soon with more information. However, the number of places for services is limited and available dates are decreasing, so we recommend not delaying filling out the form.
