The New Cybersecurity Act Will Change the Rules of the Game for 6,000 Czech Companies

On November 1, 2025, a new Cybersecurity Act will come into force, bringing significant changes to the Czech business environment. RESPECT is alerting companies to the new obligations and related risks that may substantially affect their operations and financial stability.

The new legislation, which incorporates the European NIS2 Directive into Czech law, will expand the number of regulated entities from the current approximately 300 to more than 6,000 organizations. The law will cover 105 services across 18 key sectors of the economy, including energy, healthcare, transport, digital services, manufacturing, finance, and public administration.

“While the previous legislation primarily concerned a narrow group of critical infrastructure operators, the new regulation significantly broadens its impact on ordinary businesses. Many entrepreneurs do not yet realize that from November they will fall under a strict cybersecurity regime,” says cyber risk insurance expert Josef Majer.

A Response to Growing Cyber Threats

The European Union adopted the NIS2 Directive in December 2022 in response to a dramatic increase in cyberattacks that have targeted critical infrastructure across member states in recent years. The original NIS Directive from 2016 proved insufficient in the era of rapid digital transformation and increasingly sophisticated cyber threats.

The new law introduces a number of specific obligations for regulated organizations:

  • Security Measures: Companies must implement technical and organizational measures to protect their information systems from cyberattacks, including regular risk analyses and security testing.

  • Incident Reporting: Certain organizations must report serious cybersecurity incidents to the National Cyber and Information Security Agency (NÚKIB) within 24 hours of detection.

  • Management Responsibility: The law places direct responsibility for cybersecurity on top management. Company leadership must approve security policies, ensure sufficient resources, and actively participate in managing cyber risks.

  • Supply Chain Security: Companies will also be required to assess cybersecurity risks among their suppliers and partners.

Significant Penalties for Non-Compliance

Companies that fail to meet the requirements of the law may face substantial financial penalties. Fines can reach up to CZK 250 million or 2% of the company’s global annual turnover—whichever amount is higher. In extreme cases, NÚKIB may even restrict the organization’s operations.

Implementation timeline:

  • November 1, 2025 – The law comes into effect

  • By December 31, 2025 – Obligation to register with NÚKIB (within 60 days of the law taking effect)

  • Following 12 months – Transitional period for implementing required security measures

“Many companies underestimate how long preparation can take. Determining whether they fall under the regulation, analyzing their current security posture, and implementing the necessary measures may take several months. We recommend not wasting time and starting the process immediately,” adds Josef Majer.

RESPECT Offers Support

RESPECT provides companies with comprehensive assistance, including:

  • Cyber risk analysis

  • Designing appropriate insurance protection against cyber threats

  • Advisory services for setting up effective risk management processes

“Cybersecurity is not just a technological challenge—it is a complex issue of enterprise risk management. Properly structured insurance can help companies minimize the financial impact of both cyberattacks and potential penalties for non-compliance with legislation,” concludes Josef Majer.