The new Czech cybersecurity legislation implements the requirements set out at EU level by the NIS 2 Directive, which was adopted on December 14, 2022. The Cybersecurity Act itself has been in force since November 1 last year. While the Act was still being prepared, the National Cyber and Information Security Agency (NÚKIB) gradually informed the public about the impact of the new legislation on its website. If you have not yet paid sufficient attention to this topic, we recommend that you visit the NÚKIB portal for basic guidance. There you will also find a practical calculator that you can use to check, without obligation, whether the services you provide are regulated services under the Cybersecurity Act and, if so, which regime applies: the higher or the lower obligations regime. The criteria for determining regulated persons and the criteria for determining the applicable regime are set out in the Decree on Regulated Services.

The law sets a deadline of 60 days for reporting regulated services. Most organizations were required to submit their reports by December 31, 2025, at the latest (60 days from the effective date of the Cybersecurity Act). If you are one of these organizations and have not yet done so, you are committing an offense for which you may be fined up to CZK 250,000,000 or up to 2% of your net global annual turnover (whichever is higher). Do not wait for a fine to be imposed; report the regulated service as soon as possible.

Reporting a regulated service is the initial obligation, and other obligations follow. Based on the report of a regulated service, NÚKIB issues a registration decision. From the delivery of this decision, the regulated service provider has 30 days to report the contact details of the persons authorized to act on behalf of the organization and other information regarding its ownership structure, technical data relating to the regulated service provided, its geographical coverage, and any cross-border provision (this information may be included directly in the report of the regulated service). Upon delivery of the registration decision, the provider of the regulated service must also begin to fulfill the obligation to implement and execute security measures and report cybersecurity incidents within one year at the latest. Details regarding the content and implementation of security measures are regulated, according to the relevant category, by the decree on security measures for providers of regulated services under the higher obligations regime and the decree on security measures for providers of regulated services under the lower obligations regime.

If you are unsure whether the obligations arising from the above regulation apply to you or how to comply with these obligations, we will be happy to help you.