Czech Republic
(a) What is the NIS2 implementation status?
The parliament is in the process of approving the NIS2 implementation legislation.
The new Czech Cybersecurity Act draft is available online (only in Czech).
(b) What is the envisaged NIS2 implementation timeline?
The law is likely to enter into force on 1 July 2025 (the date may still change).
(c) What does the NIS2 mean for other national cybersecurity legislation?
The implementation of NIS2 resulted in new draft Cybersecurity Act and relating draft decrees. All drafts are available online (in Czech).
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authority for the matter of cybersecurity is National Cyber and Information Security Agency (NUKIB).
National Cyber and Information Security Agency is also national point of contact for cybersecurity. Additionally, national CSIRT has been established in the Czech Republic
National Cyber and Information Security Agency organises seminars and training events to raise awareness of the obligations arising from the cybersecurity legislation. National Cyber and Information Security Agency also provides consultations if requested. However, National Cyber and Information Security Agency does not determine whether entities fall within the scope of the new legislation.
(e) What should you be doing/on the lookout for?
First of all, the clients should assess whether they qualify as affected entities under the new legislation, i.e. self-assessment. They should also assess whether they qualify as essential or important services providers and identify their “assets” being in scope of the new regulation.
For entities who will fall under the scope of the new legislation, the following deadlines shall apply as of the date on which the new legislation will come into force (likely 1 July 2025):
- 60 days to submit an application for registration in the register maintained by the National Cyber and Information Security Agency;
- 12 months from the date of registration to implement all requested security measures.
The Cybersecurity Act will likely apply, under certain conditions, to entities that do not have a registered office in Slovakia, specifically to those providing services such as DNS, domain name registration, cloud computing, data centres, or social networks. To a limited extent, it may also apply to suppliers outside the EU operating in the Czech Republic. These entities must have a representative in the Czech Republic or another EU member country.
Contact
Bořivoj Líbal E: borivoj.libal@eversheds-sutherland.cz
Jaroslav Tajbr E: jaroslav.tajbr@eversheds-sutherland.cz
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page