I still remember the buzz in Prague back in early 2023 when whispers of the new NIS2 directive started stirring in cybersecurity circles. For most professionals I spoke with, especially those in regulated sectors like finance and utilities, there was one prevailing feeling: this is going to be a game changer. Fast forward to 2025, and the Czech Republic is deep in the legislative trenches, transposing the Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS2) into national law. If you’re a compliance officer, ICT manager, or a senior decision-maker, understanding where things stand—and what’s coming—is critical.
Without further ado, let’s unpack the Czech Republic’s approach to NIS2, highlighting key deadlines, implementation mechanics, and what businesses should prepare for.
The legislative path: where the Czech Republic stands today
The Czech Republic’s transposition of the NIS2 directive is anchored in the development of a brand-new Cyber-Security Act (nový zákon o kybernetické bezpečnosti). This new law will replace the existing Act 181/2014 Sb. and dramatically broaden the scope of regulated entities.
The National Cyber and Information Security Agency (NÚKIB) has been leading the charge. After submitting a draft in December 2023, the government gave its green light to a revised version on 12 February 2025. This draft (Chamber print #550) entered parliamentary readings in July 2025, with passage expected by the end of the year.
Here’s how the timeline unfolds:
Legislative milestones and deadlines
| Date | Milestone | Status |
|---|---|---|
| Dec 2023 | NÚKIB submits draft to Government Legislation Council | ✔︎ |
| 12 Feb 2025 | Cabinet approves revised bill | ✔︎ |
| 25 Jul 2025 | Bill introduced in Chamber of Deputies | ✔︎ |
| Sep 2025 (est.) | 2nd & 3rd readings in Chamber | ⏳ |
| Oct 2025 (est.) | Senate approval and President’s signature | ⏳ |
| 8 Nov 2025 (est.) | Publication in Sbírka zákonů (Collection of Laws) | ⏳ |
| 1 Aug 2026 | Law enters into force; 60-day registration window begins | ⏳ |
The 60-day registration period and a six-month compliance window mean that entities should start preparing now, even before the law formally passes.
What the new Cyber-Security Act entails
This isn’t a simple update—it’s a structural overhaul. The law significantly increases the number of regulated entities, shifting from roughly 500 “operators of essential services” under NIS1 to between 6,000 and 8,000 under NIS2, according to estimates by NÚKIB and KPMG.
Two types of regulated entities will emerge:
- Higher-obligation providers (essential entities)
- Lower-obligation providers (important entities)
A size-based test determines classification. If your organization has over 250 full-time employees or €50 million in turnover, you fall into the higher category. However, certain sectors, such as telecoms, cloud services, and DNS service providers, are in scope regardless of size.
Key components of the act
| Part | Focus | Highlights |
|---|---|---|
| §§1–9 | Scope & definitions | Covers Annex I/II sectors; includes research institutes. |
| §§10–27 | Risk management | ISMS mandatory for higher entities, per Article 21 of NIS2. |
| §§28–34 | Incident reporting | 24-hour alert, 72-hour update, 30-day final report. |
| §§35–49 | Supervision | Audits, penalties, cost recovery, test warrants. |
| §§50–60 | Sanctions | Tiered fines, public naming, disqualification of directors. |
The ISMS (Information Security Management System) requirement, unusually explicit in Czech legislation, will be detailed in a forthcoming decree—something to watch closely.
Sanctions and accountability: the stakes are high
One of the most attention-grabbing elements of the Czech Republic’s NIS2 implementation is its tough sanctioning regime. Beyond EU-standard fines, the Czech law introduces an upper-tier penalty of up to CZK 100 million (~€23 million) if public safety or national security is threatened.
Sanctions and liability measures
| Entity type | Max fine | Additional notes |
|---|---|---|
| Higher-obligation | €10 million or 2% of global turnover | Possible court-ordered suspension of operations |
| Lower-obligation | €7 million or 1.4% of global turnover | Graduated enforcement: warning → plan → fine |
| Special Czech tier | CZK 100 million (~€23 million) | Applies when life or state security is at risk |
| Public bodies | No fines | Subject to corrective orders and oversight only |
In cases of repeated negligence, company directors may face personal consequences, including being barred from executive roles for five years.
Sectoral impact: who’s most affected?
The Czech transposition of NIS2 reshapes the risk landscape across key industries. Many sectors are seeing sweeping changes, especially manufacturing and healthcare, where compliance burdens are growing rapidly.
Sectoral impacts and new obligations
| Sector | Changes vs 2014 Act | Typical new duties |
|---|---|---|
| Manufacturing | New coverage, size-based tiering | Supply-chain audits, ISMS, annual penetration tests |
| Energy & utilities | Broader scope, new tech (e.g., hydrogen) | Continuous monitoring, SBOM, board reporting |
| Healthcare | Expansion from 60 to ~300 facilities | ISO 27001, incident drills, 24-hour rule |
| Digital infrastructure | Always higher-obligation | 24/7 SOC, zero-trust, supplier registry |
| Finance | DORA overlaps, ICT risk | Dual reporting, TLPT, vendor-risk oversight |
| Public administration | All large municipalities included | Appoint CISO, reporting compliance, no fines |
What Czech companies need to prepare for
With the law’s entry into force approaching, proactive companies are already conducting self-assessments and preparing registry information. Once the law is passed, NÚKIB will offer a digital self-assessment tool to help organizations determine their classification.
Key steps to prepare:
- Collect registry data: IČO (the company identification number), NACE code, and cyber contact point
- Perform a gap analysis against Article 21 and the upcoming ISMS decree
- Create a standard operating procedure (SOP) for incident notification across the three national CSIRTs
- Schedule executive-level briefings and ensure the board approves the cyber-risk program
- Plan for an external audit within two years of onboarding to reduce liability
Are you prepared for the next cybersecurity shift?
The Czech Republic’s NIS2 implementation is not just regulatory housekeeping—it’s a fundamental shift in how digital risk is managed across both public and private sectors. With thousands of new entities falling under its purview and a rigorous reporting regime looming, companies that wait risk non-compliance, reputational damage, and even operational shutdowns.
The good news? The roadmap is clear, the deadlines are known, and resources are on the way. What matters now is how quickly and effectively you mobilize your teams to adapt. Whether you’re leading a bank’s security division or running IT for a regional municipality, now is the time to act.