NIS2 Country Guide

NIS2 Czechia: Cybersecurity Act No. 264/2025 Coll.

Learn how Czechia has implemented the EU NIS2 Directive through the new Cybersecurity Act No. 264/2025 Coll., which significantly expands the scope of regulated entities, introduces new cybersecurity obligations, and establishes a modernised supervisory and incident-reporting framework led by NÚKIB.

Get Ready Checklist Get Consultation
Czechia NIS2 law in force: 2025 Competent authority: NÚKIB

Introduction: NIS2 Directive & the Czech context

Czechia had an established cybersecurity regulatory environment prior to NIS2, but the new Cybersecurity Act No. 264/2025 Coll. modernises and significantly expands the framework, replacing the older 2017 Cybersecurity Act and aligning national rules with NIS2.

The 2025 Act introduces broader scope, clearer classification of entities, stronger governance requirements, and new incident-reporting obligations, reflecting the heightened cyber-risk landscape across the EU.

Quick link: New to NIS2? Start with our guides “What is NIS2?” and “NIS vs NIS2”.

NIS2 implementation in Czechia

NIS2 is implemented in Czechia through the Cybersecurity Act No. 264/2025 Coll. and its accompanying secondary legislation (implementing decrees). The law entered into force on 1 November 2025, replacing the previous Cybersecurity Act.

The Act introduces the concept of regulated services, expands the number of in-scope entities, and sets more detailed obligations on risk management, incident reporting, supply-chain security and governance.

Status

NIS2 is fully implemented through the Cybersecurity Act No. 264/2025 Coll., effective 1 November 2025.

Legal structure

The Act defines regulated services, duties of essential and important entities, supervisory powers of NÚKIB, and the national incident-reporting framework.

Supervisory approach

NÚKIB remains the central authority, supported by sector regulators and national CSIRTs. It oversees registration, audits, inspections, and enforcement actions.

NIS2 Czechia: what you need to know about compliance

Czechia adopts the NIS2 model of essential and important entities. Classification depends on sector, size thresholds, and whether an organisation provides a regulated service as defined by the law.

Who is in scope?

  • Entities operating in NIS2 Annex I & II sectors (energy, transport, health, water, ICT, digital infrastructure, manufacturing, research etc.).
  • Medium-sized and large organisations meeting NIS2 thresholds.
  • Entities covered regardless of size: DNS, TLD registries, trust-service providers, major cloud and data-centre operators.
  • Public-sector bodies defined under the Czech Act as essential for national functions.

Core obligations

  • Implement risk-management measures aligned with NIS2 Annex I.
  • Maintain complete asset inventories and network documentation.
  • Ensure monitoring, detection, and reporting of significant incidents.
  • Notify NÚKIB and the national CSIRT in prescribed timeframes.
  • Manage supply-chain and third-party cybersecurity risks.
  • Ensure management oversight and mandatory cyber-awareness training.

Standards & frameworks

While not mandatory, alignment with ISO/IEC 27001, NIST CSF or similar frameworks helps structure and demonstrate compliance under the Czech Act.

Registration: Entities must self-identify and register with NÚKIB if they provide regulated services, within the deadlines set by the Act.

Competent authorities & CSIRTs

Czechia maintains a centralised model with NÚKIB at the heart of NIS2 supervision, supported by sector regulators and multiple national CSIRTs.

Role Authority Notes
National competent authority & Single Point of Contact NÚKIB (National Cyber and Information Security Agency) Leads NIS2 implementation, inspections, coordination and strategic communication.
National CSIRTs GovCERT.CZ and other sectoral CSIRTs Receive incident notifications, share threat intelligence and support response efforts.
Sectoral regulators Various authorities Support enforcement and sector-specific supervision where applicable.

NIS2 timeline & key dates (Czechia)

2023–2024 — Drafting of the new Czech Cybersecurity Act.
26 June 2025 — Act No. 264/2025 Coll. approved by Parliament.
4 August 2025 — Published in the Collection of Laws.
1 November 2025 — Law enters into force; registration obligations begin.
2025–2026 — Designation of entities, initial audits, compliance checks.

Sector-specific notes for Czechia

  • Energy: extensive coverage of electricity, gas and district heating infrastructure.
  • Transport: includes air, rail and road operators essential to Czech logistics.
  • Finance: supervised by financial regulators in coordination with NÚKIB.
  • Healthcare: hospitals and essential medical service providers carry heavy obligations.
  • Public administration: core governmental bodies classified as essential.
  • Digital infrastructure: data centres, cloud providers, major ICT service operators in scope regardless of size.

Penalties for non-compliance

The Czech Act follows the NIS2 penalty model and introduces substantial administrative fines, corrective measures, strengthened oversight and potential management liability for serious breaches.

  • High administrative fines aligned with EU-level NIS2 ceilings.
  • Binding remediation orders from NÚKIB.
  • Enhanced supervision for entities with repeated deficiencies.
  • Management accountability for governance failures.

How to prepare for NIS2 in Czechia

  1. Determine if you provide a regulated service.
  2. Map your organisation against NIS2 sectors & thresholds.
  3. Register with NÚKIB if requirements apply.
  4. Perform a full NIS2 gap assessment.
  5. Strengthen incident detection & reporting procedures.
  6. Implement supply-chain cybersecurity controls.
  7. Adopt or align with an ISMS framework (e.g., ISO 27001).
  8. Provide management-level cybersecurity training.
Run Eligibility Check Start Readiness Test

Official links & resources

🇨🇿 NÚKIB — National Cyber and Information Security Agency
📘 Czech Cybersecurity Act No. 264/2025 Coll.
📊 European Commission — NIS2 Directive
📄 Guide: What is NIS2? · NIS vs NIS2

FAQ: NIS2 in Czechia

Has Czechia fully transposed NIS2?
Yes. NIS2 is implemented through the Cybersecurity Act No. 264/2025 Coll., in force since 1 November 2025.
Do entities need to register?
Yes — organisations providing regulated services must self-identify and register with NÚKIB.
Which sectors are in scope?
All sectors listed in NIS2 Annex I and II, plus nationally designated bodies in public administration.
Is ISO 27001 required?
Not mandatory, but strongly recommended as a structured way to meet NIS2 requirements.
Information provided for general guidance; always consult the official Czech legislation, NÚKIB publications and legal counsel for definitive NIS2 compliance requirements.