The first novelty is the obligation to “self-identify”: every hospital, energy company, food manufacturer and medium-sized IT company must check whether it provides any of the “regulated services” and, if so, report this on the NÚKIB portal by the end of the year. Based on its size and importance, the company is placed in a regime of higher or lower obligations. The basis for all of them, however, is the same – implement a risk management system, put security measures in place and start reporting incidents within a year of registration. Those who fail to register risk the highest fines, because the authorities will treat this as an attempt to evade their obligations.
What does this mean for the public? Safer digital services and fewer outages, because companies must protect not only their own systems but also their supply chain – and the state can ban technology that poses a risk. Managers will be personally responsible for ensuring that banking apps don’t crash on a Friday night and that personal data doesn’t disappear into the depths of the darknet. On the other hand, businesses must budget for training, new technology and audits to avoid astronomical penalties – up to CZK 250 million or 2% of turnover. Are you sure that your company has not fallen through the net of the new regulation?