
14 June 2024
newsletter
czech republic

The state of cybersecurity regulation in the Czech Republic: NIS 2 transposition underway, deadline 17 October 2024

The NIS2 directive[1] is a landmark piece of European cybersecurity legislation that significantly changes the cybersecurity practices and responsibilities of European businesses and organisations.

Although the Czech Republic has been a pioneer in cybersecurity regulation with its own dedicated law, national legislators decided to align with the NIS2 requirements by enacting a completely new Act on Cybersecurity (the "Act"). The Act is currently in an advanced stage of the legislative process and should enter into force in the second half of this year.

To assist you, we have prepared this summary of the Act's main features, as well as the current timeline for its adoption.


DORA
Another important piece of European cybersecurity legislation is the Digital Operational Resilience Act (DORA), which introduces a harmonised framework for the oversight and supervision of ICT risk management by financial institutions and ICT third-party service providers. We will provide more details on the scope and implications of DORA in a separate overview.


What are the main changes introduced by the Act?

Expanded scope

In contrast to the current regulatory framework, the new Act will substantially broaden the scope of the law to cover new sectors and expand the existing ones. As a result, it is estimated that the number of regulated entities, referred to as regulated providers under the Act, will increase significantly, from currently around 300 Czech entities to up to 10,000 new ones, mainly from large and medium-sized enterprises.

The regulated providers will have to follow a new (self-)identification procedure with the supervisory authority (National Cyber and Information Security Agency - NCISA). Depending on their size and turnover, they will be classified as either essential or important providers, which will determine the applicable regulatory regime and the extent of their obligations.

Obligations

The Act will further build on the existing Czech rules and NIS2, and impose on regulated providers the following core obligations around which the specific rules are structured:

  1. registration with and data reporting to NCISA;
  2. implementation and enforcement of security measures;
  3. reporting of cybersecurity incidents;
  4. implementation of countermeasures; and
  5. determining the scope of cybersecurity management.

In addition, the Act will increase management accountability and impose a revamped requirement for the training of responsible persons and employees in the field of cybersecurity, or for the establishment of compulsory new roles within the organisation, such as a cybersecurity architect or manager. Lastly, the Act will introduce new requirements for supply chain security, requiring regulated entities to implement and adopt adequate and proportionate technical, organisational and legal measures.

As is common with high-impact EU regulation transposition, the Act will introduce higher and new forms of sanctions, including GDPR-like fines based on a percentage of global turnover. Furthermore, given the EU-wide high priority of cybersecurity regulation, the NCISA is expected to conduct rigorous inspections. Its significantly increased powers will include the authorisation to conduct dawn raids.


Regulated sectors include, among others:

  • energy: electricity, oil, gas, hydrogen;
  • transport: air, rail, water, road;
  • banking;
  • financial market infrastructure;
  • ICT service management;
  • space;
  • manufacture, production and distribution of chemicals;
  • production, processing and distribution of food;
  • manufacturing: medical devices, in vitro diagnostic devices, computers, electronic and optical products, electrical equipment, machinery, vehicles;
  • digital providers;
  • research.


What should every company do now?

The specific obligations under the Act are expected to roll out in 2025, but we recommend that every Czech company stay abreast of the legal developments. Even before the Act comes into force, a preliminary assessment can be done to determine whether the company will be affected by the new rules and to what degree.

The Act will entail substantial obligations, and compliance will demand considerable time and resources. Therefore, we advise allocating sufficient resources and obtaining technical and legal advisory support in a timely manner.


[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union.

authors: Sebastian Špeta, Martin Svoboda
