Czech Republic
(a) What is the NIS2 implementation status?
On 25 April 2025, the Chamber of Deputies approved a new Cybersecurity Act along with an accompanying law. These legislative acts aim to implement NIS2 at the national level. The legislative process is ongoing, pending further steps including approval by the Senate, possible re-vote in the Chamber, presidential assent, and publication in the Collection of Laws.
(b) What is the envisaged NIS2 implementation timeline?
Originally planned for 1 July 2025, the fixed effective date has been replaced with a variable one. The Act will come into effect on the first day of the third calendar month following its publication in the Collection of Laws. If published by the end of July 2025, it would take effect on 1 October 2025. Current estimates place the effective date between 1 September 2025 and 1 January 2026, depending on the speed of the remaining legislative steps.
(c) What does the NIS2 mean for other national cybersecurity legislation?
NIS2 implementation has led to the introduction of a new Cybersecurity Act and accompanying decrees, replacing the previous legislation. Key implementing decrees, particularly the Decree on Regulated Services, are still pending and essential for determining the scope of entities affected. The absence of these final decrees currently limits clarity on applicability for many organizations.
(d) Who will be the supervisory authority and how are they preparing the market?
The supervisory authority for cybersecurity is the National Cyber and Information Security Agency (NÚKIB).
The National Cyber and Information Security Agency is also the national point of contact for cybersecurity. Additionally, a national CSIRT has been established in the Czech Republic.
The National Cyber and Information Security Agency organises seminars and training events to raise awareness of the obligations arising from the cybersecurity legislation. It also provides consultations on request. However, it does not determine whether entities fall within the scope of the new legislation.
(e) What should you be doing/on the lookout for?
Organizations should immediately begin assessing whether they fall within the scope of the new regulation. Key steps include:
- Conducting a self-assessment to determine if they qualify as essential or important entities;
- Identifying relevant assets (e.g., systems, services, infrastructure) covered by the regulation;
- Monitoring the issuance of implementing decrees, especially the Decree on Regulated Services;
- Preparing for obligations likely to be triggered once the law is effective, such as:
  - Within 60 days of the Act’s effective date: Submit application for registration with NÚKIB;
  - Within 12 months of registration: Fully implement all mandated security measures.
Even entities outside the Czech Republic or EU (e.g., cloud providers, social networks) may fall under the Act if they serve Czech customers and meet certain criteria, in which case they will be required to appoint a representative in the Czech Republic or another EU member state.
Contact
Bořivoj Líbal E: borivoj.libal@eversheds-sutherland.cz
Jaroslav Tajbr E: jaroslav.tajbr@eversheds-sutherland.cz
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.