After a lengthy and demanding legislative process, on 26 June 2025, the President of the Czech Republic signed a draft of a new Act on Cybersecurity (“CSA”), which was subsequently published in the Collection of Laws on 4 August 2025, setting its effective date as 1 November 2025. This law will replace the older Act No. 184/2014 Coll., on Cybersecurity and on Amendments to Related Acts, thereby implementing the obligations arising from the European Union’s NIS2 Directive into national law. Unfortunately, however, this does not end the period of uncertainty regarding the scope of obligations, as we are still waiting for the adoption of implementing regulations for the new act, which are under the responsibility of the National Cyber and Information Security Agency (“NCISA”). These are key sub-statutory regulations, including, among others, a decree on regulated services, which sets out the criteria for determining regulated persons and for establishing higher or lower regulatory regimes; and decrees on security measures for these regimes, which specify in detail the security measures for obligated persons. According to the NCISA’s website, the decrees should be adopted in October or November 2025, meaning that until then, the final scope of obligations for the persons concerned will not be entirely clear. Below, therefore, we offer at least a general overview of the obligations arising directly from the wording of the CSA.
The basic obligation under the CSA is the reporting obligation. It is necessary to emphasize that potentially obligated persons must assess for themselves whether they fall under the CSA or not. The decisive criteria include not only the sector in which the person provides their services, but also their total number of employees and annual turnover. If a person finds that they fall within the scope of the CSA, they are obliged to report this to the NCISA. The NCISA will then assess whether the person meets the specific criteria and, if so, decide on their registration as a regulated service provider. The regulated service provider is then obliged to provide the NCISA with the contact details of the persons responsible for fulfilling the obligations under the CSA, as well as additional information about their ownership structure and the regulated service itself.
The specific sector, number of employees and annual turnover of each regulated service provider are important not only for determining whether a person falls under the CSA, but also for determining whether the “lower” or “higher” obligations regime applies to them. The NCISA sets the criteria for dividing providers of regulated services into individual regimes through a decree on regulated services. A provider of regulated services that is significantly important for the Czech Republic in economic, social or security terms will be subject to the higher obligations regime. The lower obligations regime will then be the residual category, which will include other regulated entities. The NCISA will then set out the individual obligations in two separate decrees: the decree on security measures for the higher regime and the decree on security measures for the lower regime.
Depending on the specific regime of obligations, the provider of a regulated service will be required to gradually implement the relevant security and organizational measures, as specified in detail by individual decrees. These measures include, among others: (i) establishing a system for managing security risks and reporting security incidents; (ii) ensuring cybersecurity audits; (iii) adding cybersecurity requirements to contracts with suppliers; (iv) issuing internal regulations governing employee obligations in relation to cybersecurity; and (v) ensuring proper training of employees.
The provider of a regulated service is also required to immediately report security incidents, i.e. breaches of information security in cyberspace, to the NCISA and consult with it. Here, too, the obligation to report security incidents is more extensive for providers in the higher obligations regime. Based on the report, the NCISA will then evaluate the incident, comment on it, and, if necessary, determine countermeasures to ensure remediation and security. The NCISA also keeps records that include, among other things, individual security incidents.
Finally, it should be noted that the CSA gives the NCISA the power to impose fines for committed offences to ensure that providers of regulated services fulfil their obligations. The maximum amount of each fine varies depending on whether the person falls under a higher or lower regime or which obligation the person has violated. Under the CSA, the NCISA may impose a fine of up to CZK 250,000,000 or up to 2% of net worldwide turnover.
In addition to imposing fines, the NCISA may, for example, declare a state of cyber danger or temporarily suspend a member of a legal entity’s statutory body from performing their duties if they have repeatedly or seriously violated their obligations and thereby obstructed the proper implementation of the NCISA’s decision. Such suspension lasts until the deficiencies are remedied, but for at least six months.
Although we are still waiting for the final version of the individual decrees, it is already possible to start taking steps to comply with them. We will be happy to help you with this as well. If you would like more detailed information on the obligations under this Act or assistance with assessing and potentially reporting a regulated service, please do not hesitate to reach out to your contact person in our office.
—
If you have any questions about this topic, please contact the authors of this article – Vojtěch Vojíř and Libor Vacek.
This document is a general communication and should not be regarded as legal advice on any specific matter.