NIS2 Law – What it brings and who it concerns

09. 10. 2025 | 10 min. reading | Radim Ševčík | Blog

On November 1, 2025, the new Cybersecurity Act No. 264/2025 Coll. will come into effect, fundamentally changing our approach to protecting digital infrastructure in the Czech Republic. Along with it, a set of seven implementing decrees and two government regulations were also issued, which detail the requirements for organizations, state institutions, and companies.

The Act governs the digital environment on which our daily activities depend, both at work and in private life. At the same time, it responds to the significant growth of cyber threats, whose number and level of danger reflect our dependence on online technologies.

In the following text, we will look at what the new law brings, what its structure is, and, above all, how it is often perceived by the various groups that encounter it in practice – from business owners and management, to IT experts and security specialists, to ordinary employees.

NIS2 Law structure at a glance

Act No. 264/2025 Coll. itself sets out the basic obligations and categorization of regulated entities. It specifies who must implement a cybersecurity management system, what measures need to be taken, and how incidents should be handled.

It is followed by seven decrees that elaborate on the technical and procedural requirements in detail.

This includes, for example:

  • incident reporting obligations,
  • rules for security measures and audits,
  • requirements for detection and monitoring mechanisms,
  • standards for working with suppliers,
  • obligations for the certification of selected services.

Two government regulations also play an important role, which:

  • define specific sectors and categories of regulated entities (e.g., energy, healthcare, banking, public administration),
  • determine the amount of penalties for non-compliance.

Together, this legal framework forms a comprehensive ecosystem designed to ensure that key parts of the Czech economy and public administration are more resilient to cyber attacks.

Who does the law apply to and what are the implications?

1. Owners and management

For company management, the new law is primarily a matter of responsibility and investment. The law emphasizes the personal responsibility of management – if an organization fails to fulfill its obligations, not only the company but also its statutory bodies may be sanctioned.

From the perspective of owners and managers, this represents a fundamental shift in thinking: cybersecurity is no longer a “technical problem for the IT department,” but a strategic area of risk management. Investments in security must be planned in the same way as investments in production, marketing, or human resources. The law should thus shift the topic of security from IT department offices to higher levels of management, boards of directors, and supervisory boards.

2. IT department and technicians

For IT teams, the new law means a significant increase in responsibilities. It is no longer enough to deploy traditional protection measures such as firewalls or antivirus software. The law also requires an active approach to the implementation of technical measures, including:

  • network traffic monitoring,
  • real-time threat detection,
  • setting up processes for rapid incident response,
  • mandatory logging and record retention,
  • forensic analysis after attacks.

For IT professionals, this means expanding their skills to include working with tools such as SIEM, EDR, and NDR, and working closely with security teams. The need for training and specialization is also growing significantly.

3. Security specialists (CISO, risk managers)

For cybersecurity specialists, the new law mainly represents compliance obligations. They must ensure:

  • keeping records of security measures,
  • regular testing and audits,
  • reporting to regulatory authorities (e.g., NÚKIB, the National Cyber and Information Security Agency – NCISA),
  • risk management and links to the supply chain,
  • implementation of contingency plans and drills.

The position of CISOs and security managers is also evolving here: their role is shifting from a technical to a strategic and business-oriented focus. Security managers are thus becoming a key link between the IT department and company management. They are responsible for ensuring that technical measures are translated into understandable reports for management and that the organization is able to demonstrate compliance during inspections or audits.

4. Non-IT employees

Perhaps the least expected but very important group is regular employees. The law affects them indirectly—through mandatory training, guidelines, and processes.
Employees are expected to:

  • be able to recognize phishing and other scams,
  • follow the rules for password management and use of company devices,
  • know how and to whom to report an incident.

Statistics have long shown that the human factor is the weakest link in security. That is why the law supports systematic and ongoing training for all employees – from administrative staff to department heads.

5. Key suppliers (so-called indirect impact)

Special attention should be paid to a group of companies that are not directly regulated by the new law but are its indirect addressees – significant suppliers to regulated entities.

In practice, this means that if a company provides services or technologies to, for example, a bank, hospital, energy company, or government institution, it must be able to demonstrate its cybersecurity status. Regulated customers must prove that their supply chain is secure. Suppliers are therefore expected to:

  • provide customers with information about their security measures,
  • agree to contractual clauses allowing for audits,
  • comply with the security requirements specified in the SLA,
  • in some cases, demonstrate security certification standards (e.g., ISO/IEC 27001, SOC 2, etc.).

This “indirect impact” affects thousands of companies in the Czech Republic – from large technology players to smaller IT service providers. For many of them, the new legislation will mean the need for fundamental changes in processes and investments in security.

Key responsibilities of organizations

The law and regulations require the implementation of a number of measures. The main ones include:

  • Identification and classification of assets – knowing what we protect.
  • Implementation of ISMS, i.e., information security management system.
  • Technical measures – access control, backup, monitoring, incident detection.
  • Organizational measures – training, contingency plans, supplier management.
  • Incident reporting – mandatory communication with NÚKIB and other authorities.
  • Proof of compliance – obligation to have documentation and verifiable records of measures.

The new law also introduces a stricter system of sanctions. The amount of fines depends on the size of the organization and the severity of the violation, but can reach tens of millions of crowns.

Crucially, the law strengthens management responsibility. If it cannot be proven that management has taken appropriate measures, not only the company but also its statutory bodies may face consequences. This pressure is intended to motivate company management to treat cybersecurity as part of strategic management.

Practical recommendations

How should organizations proceed?

1. Determine whether we fall under the regulation – directly as a regulated entity or indirectly as a significant supplier.

2. Set up governance – designate responsible persons, roles, and reporting.

3. Develop guidelines and policies in accordance with regulations.

4. Strengthen monitoring and detection capabilities – without this, it is impossible to respond to incidents.

5. Address relationships with suppliers – contractual clauses, SLAs, audit rights.

6. Train employees and raise awareness.

The new Cybersecurity Act is one of the most significant legislative steps taken in the last decade, and not only in the area of digital resilience in the Czech Republic. It places higher demands on companies and institutions, but at the same time paves the way for greater trust among customers and business partners.

Each group—management, IT, security specialists, regular employees, and suppliers—perceives the impact of the law differently. However, the common denominator is the need to strengthen cooperation and build security as an integral part of the organization’s functioning.

© 2025 Faster.cz