The Chamber of Deputies approved a new law on cyber security

05/29/2025

Cyber security is a topic that we have been focusing on in our office for a long time. That is why, in recent months, we have organized professional training for our clients on, among other things, the impact of the NIS2 Directive and its expected transposition into Czech law.

Another important milestone has now been reached: on April 25, 2025, the Chamber of Deputies of the Parliament of the Czech Republic approved a new cyber security law that transposes the European NIS2 Directive into Czech law. The law now awaits debate in the Senate and subsequent signing by the president.


What does the new law bring?

✅ Expansion of the scope of regulated entities - While the existing legislation covered approximately 400 organizations, the new law will apply to more than 6,000 entities - not only in the field of digital services, but also in sectors such as energy, healthcare, transport, banking, and public administration.

✅ Risk management obligations - Organizations will be required to implement technical and organizational measures, including in the areas of risk management, security incident management, business continuity, vulnerability testing, and supply chain security.

✅ Reporting security incidents - The law now requires incidents to be reported in several stages - from early warning within 24 hours, through a follow-up report within 72 hours, to a final assessment of the incident.

✅ Increased penalties – Violations of obligations will be subject to significantly stricter penalties than before, up to EUR 10 million or 2% of global turnover in the case of serious violations.


When will the law come into force?

The law is to take effect on the first day of the third calendar month after its publication in the Collection of Laws. In practical terms, it can be expected to take effect in the fall of 2025 at the earliest. Once the law takes effect, regulated entities will have only 60 days to notify NÚKIB of their activities, so it is advisable to start addressing this issue in your organizations now.

How to prepare for the new regulation?

  • Identify whether your organization falls under the regulation (we recommend using the calculator on the NÚKIB website).
  • Conduct an internal audit of security measures.
  • Prepare documentation and processes for incident management and risk management.
  • Secure expert guidance for the implementation of new obligations.

Not sure how to prepare?

Contact us – we will be happy to guide you through the changes.

 

Mgr. Jaroslav Hroza, partner

Mgr. Lucie Šalanská, lawyer