EU NIS2 in Czech Republic
The national implementation in the Czech Republic is carried out by the Cybersecurity Act Zákon o kybernetické bezpečnosti. The law comes with several decrees describing concrete security measures for higher and lower obligations providers in detail.
The Czech administration expects the number of companies affected to rise from 400 to 6,000. In addition, about 150 entities are classified as strategically important services.
They are subject to increased security requirements in specific cases, primarily in the area of supply chain security and service availability.
Implementation in Czech Republic
Current status
The implementation is being driven at the national level by the NÚKIB. On July 25, 2025, the NÚKIB presented the final draft law of the Czech Cybersecurity Act to the lower house. In the upcoming weeks, the draft law will undergo several readings in the Chamber of Deputies.
Prior to this, in May 2024, NÚKIB published a draft law which was subject to several government meetings in July 2024.
The Czech Cybersecurity Act is expected to come into force on October 18, 2024.
The National Cyber and Information Security Agency (NÚKIB) remains the Czech regulator.
National NIS2 differences
The Czech Cybersecurity Act sets out general obligations that affect both higher and lower obligations providers (that is, essential and important entities), as well as government authorities.
In addition to that, NÚKIB published several decrees specifying a comprehensive list of concrete risk management measures for each group of providers, namely:
- operators of regulated services,
- higher obligations providers and
- lower obligations providers.
So far, the Czech Republic is ahead of other EU member states in the level of detail of their concrete security measures.
The Czech draft law is characterized by the following national differences:
- Deadlines: Registration must take place within 60 days of the entity becoming affected.
- ISMS: The decree on the security measures for higher obligations providers explicitly requires the use of an ISMS with appropriate documentation and definition of the scope of application for cyber security management.
- Extensive supply chain security: The draft law devotes an entire section to supply chain security (Part 1, Section 5), which extends over six paragraphs.
- Transitional periods: Affected entities do not have to report incidents until one year after receipt of the registration confirmation and must begin with the implementation of security measures one year after receipt of the registration confirmation.
- Strategically important services: If an entity provides a strategically important service, it must meet certain availability requirements. These are defined by decree.
- Reporting obligations: Both higher and lower obligations providers will have to report security incidents, to varying degrees.
- Sectors: The Czech Republic goes beyond the EU NIS2 sector definitions by some changes and an additional sector for military industry (Vojenský Průmysl).
Scope
Entities
The Czech draft law affects large and medium-sized enterprises as defined in 2003/361/EC. Companies can also be affected regardless of their size due to criteria specified in §5. This includes, for instance, monopoly position, impacts on national security in the event of a disruption, or impacts on the lives of more than 125,000 people in the event of a disruption.
The draft law also introduces slightly different terminology: essential entities are called providers of a regulated service in the regime of higher obligations, and important entities are called providers of a regulated service in the regime of lower obligations. For simplicity, this article refers to them as higher obligations providers and lower obligations providers.
The Czech NIS2 implementation defines higher and lower obligations providers differently compared to other EU member states:
- Higher obligations providers are providers of significant economic, social or security importance for the Czech Republic due to
- its size
- the number of users
- the geographical spread of the service
- the impact on the functioning of the sector
- the impact on the functioning of another provider of a regulated service
- the riskiness of its operation
- Lower obligations providers are companies that are not affected by the criteria for essential entities.
The classification of providers into the regimes will be determined by decree. The decree on regulated services already lists a draft version of the thresholds, using the types of metrics specified above. For most services, companies are categorized into one of the entity groups by the definitions of large and medium-sized companies. However, additional metrics are possible. For instance, services in the Electricity sub-sector can be affected by their total output in megawatts, services in the Air sub-sector can be affected by the number of passengers, and research institutions can be affected if they conduct sensitive research activities. The classification into regimes will probably not differ significantly from EU NIS2.
Following from the decree on regulated services in its current draft form, the public administration, qualified trust service providers (qTSPs), TLD registries, DNS service providers, internet exchange nodes and telco providers will be affected regardless of their size.
Sectors
The EU NIS2 sectors of Annex I and II are not clearly separated in the decree on regulated services, but are listed in a single enumeration. Therefore, some Czech sectors contain services of both Annex I and Annex II of EU NIS2. The decree on regulated services also combines several NIS2 sectors into single national sectors, namely banking and financial market infrastructures, drinking water and waste water, as well as digital infrastructure and ICT service management.
| Sector | Sub-sector | Services |
|---|---|---|
| Energetika (Energy) | Elektřina (Electricity) | Generation; Operation of transmission system; Operation of distribution system; Trade; Market operators; Selling; Generating; Aggregating; Demand side response; Storing; Operation of charging stations |
| | Teplárenství (District heating and cooling) | Heat production; Operation of district heating system |
| | Ropa a ropné produkty (Oil) | Oil extraction; Oil processing; Operation of storage facility; Operation of oil pipeline; Operation of product pipeline; Central stock manager; Operation of fuel station |
| | Vodík (Hydrogen) | Production; Storage; Transportation |
| Doprava (Transport) | Letecká doprava (Air) | Transport; Airport operations; Ancillary facilities within the aerodrome; Air traffic control services; Security control of cargo and mail; Cargo/mail dispatch services; In-flight supplies services; Check-in services; Flight navigation services |
| | Drážní doprava (Rail) | Construction of train paths; National railway; Regional railways; Public sidings; Rail transport; Service facilities |
| | Vodní doprava (Water) | Maritime water transport activities; Port management body; Work/facility within a port; Vessel traffic service (VTS) facility |
| | Silniční doprava (Road) | Traffic management control; Intelligent transport system |
| Finanční trh (Banking; Financial market infrastructures) | - | Credit institution; Trading system; Central counterparty; Payment institution; Electronic money institution |
| Zdravotnictví (Health) | - | Health care; Emergency medical services; EU reference laboratories included in the network of reference laboratories for public health; R&D of medicinal products; Manufacture of medicinal substances; Medical devices |
| Vodní hospodářství (Drinking water; Waste water) | - | Water supply systems; Sewerage systems |
| Digitální infrastruktura a služby (Digital infrastructure; ICT service management (B2B)) | - | Electronic communications services; Communications networks; Internet exchange node service; Domain name translation system service; Top level domain registry; Cloud computing services; Data centre services; Content delivery network services; Qualified electronic identification systems; Trust services; Managed services; Managed security services; National CERT |
| Veřejná správa (Public administration) | - | Exercise of powers conferred |
| Vesmírný průmysl (Space) | - | Ensuring support for provision of space-based services |
| Vojenský průmysl (Military industry; new) | - | Production of equipment; Trade; Production of dual-use goods and technologies; Export; Brokering; Technical assistance; Transit and transport |

| Sector | Sub-sector | Services |
|---|---|---|
| Poštovní a kurýrní služby (Postal and courier services) | - | Postal and courier services |
| Odpadové hospodářství (Waste management) | - | Operation of equipment; Trade; Mediation and brokerage; Transport |
| Chemický průmysl (Manufacture, production and distribution of chemicals) | - | Production; Processing; Storage or distribution |
| Potravinářský průmysl (Production, processing and distribution of food) | - | Production; Processing; Distribution |
| Výrobní průmysl (Manufacturing; partly sector Zdravotnictví) | Medical devices and in vitro diagnostic medical devices | Výroba zdravotnických prostředků (see sector Zdravotnictví) |
| | Computer, electronic and optical products | Výroba počítačů, elektronických a optických přístrojů a zařízení |
| | Electrical equipment | Výroba elektrických zařízení |
| | Machinery and equipment n.e.c. | Výroba strojů a zařízení nezařazená pod jiné oddíly klasifikace CZ-NACE |
| | Motor vehicles, trailers and semi-trailers | Výroba motorových vozidel (kromě motocyklů), přívěsů a návěsů |
| | Other transport equipment | Výroba ostatních dopravních prostředků a zařízení |
| Digital providers (partly sector Digitální infrastruktura a služby) | - | Provision of online marketplace service, internet search engine service and social networking platform |
Strategically important services
In the sectors public administration, energy, transport and digital infrastructure, authorities can define, by decree, so-called strategically important services, whose disruption could have a serious impact on the security of the Czech Republic or its internal order. §25
The decree on regulated services lists strategically important services in §5, including:
- Public administration (1.1) Exercise of delegated powers
- Energy - Electricity, (2.1) Electricity production
- Energy - Electricity, (2.2) Operation of the electricity transmission system
- Energy - Oil (3.4) Oil pipeline operation
- Energy - Oil (3.5) Operation of the product pipeline
- Energy - Gas (4.2) Operation of the gas transport system
- Energy - Gas (4.3) Operation of the gas distribution system
- Air transport (12.4) Air traffic control over the airspace of the Czech Republic
- Air transport (12.9) Flight navigation services
- Rail transport (13.1) Construction of train routes on a national level
- Digital infrastructure (16.1) Provision of a publicly available electronic communications service
- Digital infrastructure (16.2) Public communication network of electronic communications
- Digital infrastructure (16.5) Administration and operation of TLD registry
- Digital infrastructure (16.6) Provision of cloud computing service
Requirements
Security
Regulated entities need to scope out their cybersecurity management and assets §12 and implement organizational and technical security measures. The implementation of risk management measures must begin one year after the confirmation of registration. §13
The Czech implementation law lists necessary risk management measures in §14:
For higher obligations providers:
- Organizational measures: ISMS, management, roles, processes and audit
- Technical measures: Physical, networks, incidents, applications, crypto
For lower obligations providers there are fewer mandated measures:
- Measures: Minimum security, management, risk and some technical measures
There are additional draft decrees that provide details of these high-level risk management measures in §. While the EU NIS2 directive lists 10 high-level requirements, the Czech Republic defines 27 for higher obligations providers and 13 for lower obligations providers.
Supply chain security
The draft law emphasizes supply chain security in Part 1, Section 5, spanning seven paragraphs. §27
If an entity provides one of the strategically important services listed above in the Czech Republic, it must also meet specific availability requirements.
Security measures
There are many specific measures listed in the separate draft decree for higher obligations providers, beginning with organizational measures listed in §4 that require an ISMS:
- ISMS: Set up an information security management system
- Risk management
- Roles and persons
- Improvement and assessments
- Learning process
Senior management needs to be deeply involved in security and risk management, covering leadership, awareness, personnel, testing, goals and improvement. §5
Many other topics are defined for higher obligations providers:
- §6 Specific roles required, such as cyber security manager, auditor, etc.
- §9 Requirements for risk management
- §10 Supplier management
- §11 Human resources security
- §12 Change management
- §13 Acquisition, development and maintenance
- §14 Access control
- §15 Security incidents
- and many more
Information and authorities
Registration
Czech companies must inform the NÚKIB about the regulated service within 60 days of being affected. Following this notification, NÚKIB will decide on the registration of the regulated service, if the requirements according to §4 (1) or §5 are met. §6
Within 30 days of receiving the confirmation of registration, the entity needs to provide additional contact information and data, including details identifying authorized natural persons, ownership structure, technical data on the regulated service, and information on its geographical spread and cross-border provision. §11
Reporting
Higher and lower obligations providers must report cybersecurity incidents that have manifested themselves in a specified scope, originate in cyberspace, and where a deliberate cause cannot be excluded.
Lower obligations providers must report incidents that also have a significant impact on the provision of the regulated service, resulting in financial loss to the provider or in significant harm to others. NÚKIB will publish a decree detailing how to assess the significance of a cybersecurity incident's impact.
Lower obligations providers report to the National CERT, while higher obligations providers report to the NÚKIB.
There is a transitional period for reporting obligations: Affected entities are not required to report incidents until one year after receiving the registration confirmation. §15
§16 outlines the procedure for reporting cybersecurity incidents, including the deadlines of 24 hours, 72 hours and 30 days, as specified there.
Evidence
For higher obligations providers, audits will be exclusively conducted by the NÚKIB staff. According to the decree on regulated services (currently in draft form), higher obligations providers must conduct these audits every two years. If it is not possible to complete the audit within this interval, the audit can also be carried out continuously, but must be completed within five years. §17
For lower obligations providers, specific requirements are still under consideration. An initial proposal to delegate inspections to external inspectors was abandoned after public consultation and impact assessments. One potential approach under discussion is periodic self-assessments by the organizations, with the possibility of follow-up inspections by NÚKIB.
Concrete options and timelines will be detailed in a future draft version of the decree on regulated services.
Sanctions
There are 15 offenses listed for higher obligations providers and eight for lower obligations providers. Maximum fines align closely with EU NIS2 requirements, capped at 250 million CZK (approximately 10 million EUR) or 2% of the entity's annual worldwide net turnover, whichever is higher. §59, §60
NÚKIB is also empowered to impose fines up to 100,000 CZK for certain infractions. For repeated violations, the total amount of fines must not exceed 10 million CZK or 1% of annual worldwide net turnover. §63
Further Information
Sources
- Status of the parliamentary process with submitted draft laws, Website of the Czech house press, July 2024
- NIS2 implementation status with current draft laws, Website of the ODok information portal of the Czech government, n.d.
- Draft law for Cybersecurity Act of the Czech Republic's NIS2 implementation, Website of the Czech house press, July 2024
- Proposal decrees on regulated services and security measures of lower and higher obligations providers, Website of the Czech house press, July 2024
- Press release of the NÚKIB on the publication of the draft law in December 2023, Website of the NÚKIB, December 22, 2023
- Overview of the Czech NIS2 sectors, Website of the NÚKIB, January 19, 2024
- Methods of ensuring compliance detailing audit and inspection procedures and proposal considerations, Website of the NÚKIB, n.d.