At the end of last year, EU lawmakers adopted the NIS2 Directive to improve cybersecurity. Now, the Czech Cybersecurity Act is being drafted to impose new obligations on domestic companies. Are you among them?

The aim of the directive and the new legislation is to increase protection against cyber attacks. The new obligations will affect a large number of companies.

What will be your new obligations?

In principle, the obligations can be divided into organisational and technical measures.

Organisational measures include, for example, adopting a corporate cybersecurity policy, designating responsible persons, audits, maintaining security documentation, establishing crisis management procedures, ensuring business continuity, etc.

Technical measures include, for example, network security, identity and access authorisation management, and authentication, but also physical infrastructure security.

Read in more detail what all entities will have to arrange and comply with.


An important provision in the proposal is that companies and organisations will have to decide for themselves whether or not they are covered by the Cybersecurity Act. Based on this, they have to actively register themselves with the national agency.

You have 30 days to comply with this obligation from the moment you become aware that you are subject to the obligations set out in the Act, but at most 90 days from the time you meet the criteria of the Act, regardless of whether you have become aware of it. You therefore cannot use the excuse that you were not aware.

Find out if you will have new responsibilities

1. Look in the Czech proposal or the NIS2 Annex to see whether you are active in one of the listed sectors.

2. If so, determine whether you are a medium-sized or large business.

A medium-sized enterprise must meet two criteria: it has 51-250 employees and at the same time an annual turnover of up to EUR 50 million or an annual balance sheet total of no more than EUR 43 million. Anything above that is a large enterprise; anything below it is a small enterprise.
Beware: if you are part of a group, you must also take into account the links between organisations connected by ownership! Detailed guidance on how to assess size is provided by NUKIB on its pages dedicated to NIS2.

3. If you are a small business or in an industry that is not covered by the Act, you still need to make sure that you are not an exception, that is, that you are not carrying on an activity to which NIS2 and the Act will apply regardless of industry or size. This is a situation where your activity is important to the state in some way (e.g., you provide a strategic service to the state, you are the only one in the country providing an important service, or your outage would affect a large number of people, etc.). In that case, you will fall under the law individually.

According to the proposal, the Act should also apply to various public administrative organisations and public institutions, such as universities, professional chambers or municipalities with extended competence, regardless of their size.

If the law applies to you, you will need to adopt, review or strengthen security measures. And if you're one of the lucky ones who will avoid the obligations, at least think about a minimum level of security. It is in your own interest. After all, hackers don't ask about legal directives.

Need advice on whether you fall under the obligations of the law and where you stand on security? Contact us and we will assess your business professionally. We will recommend how you can meet the letter of the law and implement the measures for you, from developing procedures and policies to deploying the appropriate security features to suit your circumstances and organisational and financial capabilities.