- The Cybersecurity Act will come into effect on November 1, 2025.
- It is based on the European NIS2 Directive.
- It expands the range of regulated entities from several hundred to thousands.
- It affects a wide range of sectors, including energy, healthcare, transportation, industry, digital services, and more.
- Organizations must determine whether they fall under the new regulation and prepare for the new requirements.
On November 1, 2025, the long-awaited Cybersecurity Act comes into effect, transposing the European NIS2 Directive into Czech law. This is a fundamental change: it expands the circle of regulated entities in the Czech Republic from several hundred to several thousand, ranging from energy and healthcare to manufacturing companies and digital service providers. So where should an organization start when preparing for the new requirements?
Assessing whether an organization falls under the new regulation
The first step is a process called self-identification: assessing whether the new law applies to the organization at all. To become a so-called regulated service provider, an entity must meet all three of the following criteria:
- It operates in a regulated sector – for example, energy, healthcare, transport, water management, industry, or digital infrastructure.
- It provides a specific regulated service listed in the decree on regulated services. Operating in a regulated sector is therefore not enough on its own; what matters is which service the organization actually provides.
- It is of a certain size or significance – typically a medium-sized or large enterprise (50 or more employees, or an annual turnover above EUR 10 million), or an organization whose activities may affect the provision of key services by the state.
As a rule, the law therefore does not apply to small and micro-enterprises, nor to entities outside the regulated sectors. Each organization must nevertheless assess these criteria itself. In practice, this means reviewing the activities and services it provides and determining whether any of them fall within the scope of regulated services.
An online calculator available on the NÚKIB portal can be used as an aid in the preliminary assessment.
Registration obligation
If an organization meets the above criteria, it is classified into one of two regimes according to the importance of the services it provides:
- lower regime – basic security measures, specified in the decree on security measures for the lower regime.
- higher regime – applies to key services (e.g., energy, healthcare, telecommunications) and imposes stricter requirements, which are specified in the decree on security measures for the higher regime.
If an organization provides several regulated services that fall into different regimes, the higher regime always prevails and applies to the organization as a whole.
The regulated services provided must then be formally reported through the NÚKIB Portal. Organizations have 60 days from the effective date of the law to register, i.e., until December 31, 2025.
Registration starts a one-year transition period for implementing all the required organizational and technical measures. Companies must therefore have fulfilled their obligations by the end of 2026 at the latest.
Why it pays to start now
The new cybersecurity law is not just about fulfilling obligations to the regulator. Its aim is to ensure that entities operating in economically, socially, or security-sensitive sectors have at least a basic standard of cyber protection in place. Early preparation will not only help to meet the legal requirements, but also reduce the risk of outages, data loss, or reputational damage.
Organizations should therefore at least:
- assess their current level of security and compare it with the requirements of the new law,
- conduct an asset inventory and a risk analysis,
- and start the processes needed to implement the required security measures.