The new Czech Cybersecurity Act

What does Act 264/2025 Coll. and the NIS2 transposition into Czech law bring?

What changed

The Czech Republic has completed the transposition of the European NIS2 Directive by adopting a new Cybersecurity Act - Act No. 264/2025 Coll. The new act took effect on 1 November 2025 and replaces the original Act No. 181/2014 Coll.

This is not a partial amendment but a complete recodification. It expands the range of regulated entities, redefines obligation regimes, strengthens management accountability, and introduces new sanctions.

The supervisory and methodological body remains the National Cyber and Information Security Agency (NÚKIB), which issues implementing decrees and operates the portal for registration and communication with regulated entities.

Two obligation regimes

The act distinguishes companies by the importance of services they provide. You can determine which regime applies to you using the official NÚKIB calculator.

Higher obligations regime

For providers of critical services and large entities in regulated sectors.

  • Mandatory separate roles: cybersecurity manager, architect, auditor
  • Comprehensive ISMS
  • Regular risk analysis and maintenance
  • Fully documented security measures per Decree 409/2025 Coll.
  • Regular audits and tests
  • Significant supplier assessment
  • Incident reporting on tight deadlines

Lower obligations regime

For mid-sized companies in regulated sectors and providers of certain digital services.

  • Person responsible for cybersecurity (need not be a separate role)
  • Basic security measures per Decree 410/2025 Coll.
  • Risk analysis (simplified)
  • Security policy and key directives
  • Incident response plan
  • Incident reporting to NÚKIB

The architect role

Under the higher obligations regime, the cybersecurity architect is a mandatory separate role. They are responsible for the technical design of security measures and the overall security architecture of the organization - from network infrastructure through IAM to application security.

Decree 409/2025 Coll. defines competence requirements: at least 3 years of relevant practical experience or qualifications evidenced through accredited certifications.

The architect role must be separated from the cybersecurity auditor role - independence is both formal and practical. The act does not require the role to be staffed by an internal employee. An external person is a fully valid option.

What an architect typically does

  • Designs and maintains the security architecture of the organization
  • Prepares security standards and reference patterns
  • Approves security solutions for new projects
  • Cooperates with the cybersecurity manager on risk management
  • Prepares technical input for management
  • Communicates with vendors and external experts

Key dates

  1. 1 Nov 2025

    Act takes effect

    Act No. 264/2025 Coll. becomes effective.

  2. within 60 days

    NÚKIB registration

    From the moment the company meets the regulation criteria, it has 60 days to register via the NÚKIB portal. Companies regulated from 1 Nov 2025 must register by 31 Dec 2025.

  3. within 1 year

    Implementation of measures

    After registration, the company has one year to implement all mandatory organizational and technical measures.
