Czech Republic
(a) What is the NIS2 implementation status?
The Czech Republic transposed NIS2 through the Cybersecurity Act (Zákon č. 264/2025 Sb.). The law entered into force on 1 November 2025 and introduces several national deviations from NIS2, such as mandatory reporting of all cybersecurity incidents and extensive supply chain security obligations. Certification according to ISO 27001 or full implementation of the European Commission's implementing regulations is not sufficient to comply with Czech national legislation.
(b) What is the envisaged NIS2 implementation timeline?
- Registration is possible only electronically via the official Portál NÚKIB: https://portal.nukib.gov.cz
- Organizations must notify that they meet the criteria for registration of a regulated service no later than 60 days from the date on which the conditions were met (for most entities: 31 December 2025).
(c) What does the NIS2 mean for other national cybersecurity legislation?
From August to early October, accompanying decrees to the Cybersecurity Act, replacing previous legislation, were announced. The key implementing Decree on Regulated Services, which defines the scope of entities, was published on October 2, 2025, as Decree No. 408/2025. Other implementing decrees include:
- Decree on security measures for providers of regulated services under a regime of higher obligations,
- Decree on security measures for providers of regulated services under a regime of lower obligations,
- Decree on the Portal of the National Cyber and Information Security Agency (NUKIB) and requirements for certain activities.
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authority for cybersecurity is the National Cyber and Information Security Agency (NUKIB), which is also the national point of contact for cybersecurity. NUKIB organizes seminars to raise awareness of cybersecurity obligations, records YouTube videos, and prepares supporting materials to help entities gain a basic understanding of the topic. It also provides consultations on request. However, NUKIB does not determine whether entities fall within the scope of the new legislation.
(e) What should you be doing/on the lookout for?
Companies should promptly assess whether they fall within the scope of the new Czech Cybersecurity Act. Key steps include:
- Conducting a self-assessment to determine whether they provide a regulated service;
- Determining whether they meet the enterprise size criteria as defined by the European Commission’s recommendation of 6 May 2003 (notified under document number C (2003) 1422);
- If the criteria are met, notifying the National Cyber and Information Security Agency within 60 days of meeting the criteria and proceeding with the registration;
- Fully implementing all mandated security measures within 12 months of registration.
Contact
Bořivoj Líbal E: borivoj.libal@eversheds-sutherland.cz
Jaroslav Tajbr E: jaroslav.tajbr@eversheds-sutherland.cz
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.