
New cybersecurity law will affect thousands of organisations

The new Cybersecurity Act was published in the Collection of Laws on 4 August 2025. With effect from 1 November 2025, it transposes the European NIS2 Directive into the Czech environment. The aim of the act is to increase the level of cybersecurity in key sectors. Compared to current legislation, it will impact thousands more private and public entities.

Who is affected by the new law?

The new legislation significantly expands the range of obliged entities. The decisive criteria for determining whether an organisation is an obliged entity are its size and whether the organisation provides any of the services in the sectors defined in the implementing decrees to the Cybersecurity Act, which are now being prepared.

New sectors will be added to the previously regulated services from sectors such as healthcare, energy, transport, digital infrastructure or banking. These include the food industry, manufacturing, public administration, research, utilities and electronic communications networks, managed IT services, waste management, postal services and the chemical industry.


Dual regime of obligations and sanctions

Apart from extending the range of obliged entities, the new law foresees a dual regime of lower and higher obligations depending on the criticality level of the regulated entity.

  1. The lower obligation regime will mostly apply to smaller organisations that are required by law to provide at least a basic level of security.
  2. In contrast, the higher obligation regime will have stricter rules, in particular for the implementation of security measures, incident reporting procedures, implementation of countermeasures issued by the regulator (the National Cyber and Information Security Agency), and the security of supply chains.

The importance of cybersecurity is also underlined by the sanctions for breaches of individual obligations. Fines can reach up to CZK 250 million or two percent of a company's net worldwide turnover. At the same time, top management can be held personally liable, which can result in a temporary ban on the exercise of an office of a statutory body.

An entity's responsibility for cybersecurity thus lies not only with its IT departments but directly with its top management, who will now have to ensure that cybersecurity measures are actually implemented and maintained and that they do not remain just on paper.


How and when to prepare?
 

If you are not sure what your organisation needs to do and when in relation to the new Cybersecurity Act, or whether it is affected at all, here is an overview of the most important deadlines and related obligations:

  • 1 November 2025: effective date of the new Cybersecurity Act.
  • 60 days after meeting the conditions for registration: Based on the self-identification principle, obliged entities will be required to report the provision of their identified regulated service to the National Cyber and Information Security Agency. For a basic indication of whether your service will be regulated, you can use the calculator located on the Agency's portal.
  • 30 days from the receipt of the registration of the regulated service: After receiving the decision on the classification as a provider of a regulated service, obliged entities shall provide the contact details of their persons responsible for this area via the Agency's portal, within 30 days.
  • One year after registration of the regulated service: a one-year transition period during which the obliged entity must set up and put into practice appropriate technical and organisational measures including risk management and continuity plans, supply chain security, and regular training of employees and senior management.

For many organisations, the new obligations including self-identification can be technically and legally challenging. That's why we provide our clients with comprehensive services that combine the expertise of legal and cybersecurity specialists. If you need to navigate the new Cybersecurity Act’s landscape, are unsure whether the new rules apply to you, or need assistance implementing the legal requirements, don't hesitate to contact us.