Czech Republic


(a) What is the NIS2 implementation status?

On 26 June 2025, the President signed the new Czech Cybersecurity Act, previously approved by the Chamber of Deputies and the Senate, thereby completing the legislative process. The Act entered into effect on 1 November 2025.

(b) What is the envisaged NIS2 implementation timeline?

The Cybersecurity Act has already been approved and is now in effect.

(c) What does the NIS2 mean for other national cybersecurity legislation?

From August to early October, the accompanying decrees to the Cybersecurity Act, which replace previous legislation, were announced. The key implementing Decree on Regulated Services, which defines the scope of entities, was published on October 2, 2025, as Decree No. 408/2025. Other implementing decrees include:

  • Decree on security measures for providers of regulated services under a regime of higher obligations,
  • Decree on security measures for providers of regulated services under a regime of lower obligations,
  • Decree on the Portal of the National Cyber and Information Security Agency (NUKIB) and requirements for certain activities.

(d) Who will be the supervisory authority and how are they preparing the market?

The supervisory authority for cybersecurity is the National Cyber and Information Security Agency (NUKIB), which is also the national point of contact for cybersecurity. NUKIB organizes seminars to raise awareness of cybersecurity obligations, records YouTube videos and prepares supporting materials to help entities gain a basic understanding of the topic. NUKIB also provides consultations on request. However, NUKIB does not determine whether entities fall within the scope of the new legislation.

(e) What should you be doing/on the lookout for?

Companies should promptly assess whether they fall within the scope of the new Czech Cybersecurity Act. Key steps include:

  • Conducting a self-assessment to determine whether they provide a regulated service;
  • Determining whether they meet the enterprise size criteria as defined by the European Commission’s recommendation of 6 May 2003 (notified under document number C (2003) 1422);
  • If the criteria are met, notifying the National Cyber and Information Security Agency within 60 days of meeting the criteria and proceeding with the registration;
  • Fully implementing all mandated security measures within 12 months of registration.

Contact

Bořivoj Líbal E: borivoj.libal@eversheds-sutherland.cz

Jaroslav Tajbr E: jaroslav.tajbr@eversheds-sutherland.cz

