NIS2 Czech Republic Compliance Guide: Act No. 264/2025, NÚKIB Authority and Strategically Important Services for 2026

Complete guide to NIS2 compliance in the Czech Republic. Covers Act No. 264/2025 Coll., NÚKIB authority, uniquely expanded scope with "strategically important services," entity classification, higher vs. lower obligations regimes, penalties up to CZK 250M (~€10M), and registration deadlines.

The Czech Republic went further than almost any EU member state in transposing NIS2. Act No. 264/2025 Coll. doesn’t merely implement the directive — it creates an entirely new cybersecurity legal framework, introduces the concept of “strategically important services” that goes beyond EU requirements, and expands regulation from hundreds to thousands of organizations.

For Czech organizations — and the cyber insurance professionals who underwrite them — this guide covers the new Act, the NÚKIB (National Cyber and Information Security Agency) authority, the unique higher/lower obligations regime, the strategically important services concept, penalty structures, and the compliance timeline already in motion.

Act No. 264/2025 Coll. — The New Cybersecurity Act

The Czech Republic replaced its entire previous cybersecurity legal framework with Act No. 264/2025 Coll. on Cybersecurity. This is not an amendment — it’s a complete rewrite that:

  • Repeals the earlier Cybersecurity Act in full
  • Creates a comprehensive new regulatory architecture
  • Goes beyond EU minimums with uniquely Czech provisions
  • Introduces the “strategically important services” concept
  • Expands the scope of regulated entities dramatically

The Act was signed by the President on 27 June 2025, published in the Collection of Laws on 4 August 2025, and entered into force on 1 November 2025. The Czech Republic missed the EU’s 17 October 2024 transposition deadline and received a reasoned opinion from the European Commission on 7 May 2025.

Companion Legislation

  • Act on Critical Infrastructure Resilience — implements the CER Directive (entered into force August 2025)
  • NÚKIB implementing decrees — still being finalized as of April 2026, specifying detailed technical requirements by sector

Key Differences from Previous Framework

Aspect               | Previous Act         | Act No. 264/2025 Coll.
---------------------|----------------------|-------------------------------------------------------
Scope                | ~200-300 OES + DSPs  | Thousands of entities
Entity types         | OES and DSPs         | Essential + Important + Strategically Important
Maximum fines        | Limited              | CZK 250M (~€10M) or 2% global turnover
Management liability | None                 | Personal liability + management function bans
Supply chain         | Minimal              | Comprehensive + security-relevant supplier registry
National additions   | Limited              | Strategically important services concept

National Competent Authority — NÚKIB

NÚKIB (Národní úřad pro kybernetickou a informační bezpečnost)

NÚKIB (National Cyber and Information Security Agency) is the principal cybersecurity regulator in the Czech Republic. Under the new Act, NÚKIB:

  • Issues implementing decrees defining detailed security requirements
  • Maintains the Agency Portal for all incident reporting and entity registration
  • Conducts compliance inspections and audits
  • Issues warnings, advisories, and reactive countermeasures
  • Supervises all entities not assigned to sector-specific authorities

Countermeasures Framework

NÚKIB operates a three-tier countermeasures system:

  1. Warnings — public alerts about cybersecurity threats
  2. Advisories — targeted guidance for specific entities or sectors
  3. Reactive countermeasures — administrative decisions or measures of general nature to address active threats

Entity Classification

Three-Tier System (Beyond EU Minimum)

The Czech Republic adds a third tier beyond the EU’s essential/important classification:

1. Essential Entities (Higher Obligations Regime)

Organizations in Annex I sectors meeting size thresholds:

  • ≥250 employees AND (≥€50M turnover OR ≥€43M balance sheet)
  • Automatic inclusion regardless of size: DNS, TLD registries, cloud services, trust services, public electronic communications

2. Important Entities (Lower Obligations Regime)

Organizations in Annex II sectors meeting size thresholds:

  • ≥50 employees AND (≥€10M turnover OR ≥€10M balance sheet)

3. Strategically Important Services (Czech Addition)

This is the Czech Republic’s unique contribution — entities providing services whose disruption could significantly affect national security or public order. These entities face additional obligations beyond standard NIS2 requirements:

  • Must ensure service availability directly from the Czech Republic to the necessary extent
  • Must identify and register all suppliers of “security-relevant supplies”
  • Must notify NÚKIB of supplier changes within 10 days
  • Subject to enhanced NÚKIB oversight

Security Requirements

Higher Obligations Regime (Essential Entities)

Comprehensive security measures including:

  • Asset identification and recording — all information, services, technologies, employees, and suppliers related to regulated service provision
  • Organizational measures — governance structures, policies, procedures, training programs
  • Technical measures — access control, encryption, monitoring, vulnerability management
  • Supply chain security — vendor assessments, contractual clauses, continuous monitoring
  • Incident response — detection, classification, containment, recovery procedures
  • Business continuity — backup strategies, disaster recovery, regular testing

Lower Obligations Regime (Important Entities)

Selected security measures (subset of the higher regime):

  • Core security measures proportionate to risk
  • Incident reporting obligations
  • Basic supply chain risk management
  • Management awareness and training

Strategically Important Service Providers — Additional Obligations

Beyond the standard measures, these entities must:

  • Maintain domestic service availability to a defined extent
  • Maintain a registry of security-relevant suppliers
  • Report supplier changes to NÚKIB within 10 days
  • Undergo enhanced NÚKIB supervision

Incident Reporting

All significant incidents must be reported through the Agency Portal:

  1. 24 hours: Initial notification — early warning of significant impact
  2. 72 hours: Initial assessment — for incidents with significant impact, provide severity assessment and indicators of compromise
  3. 30 days: Status/final report — root cause analysis, remediation measures, lessons learned

Broader Reporting Obligation (Czech Addition)

Higher-obligations entities must report ALL incidents related to regulated services originating in cyberspace where intentional misconduct cannot be ruled out. This is broader than the EU requirement, which limits reporting to incidents with “significant impact.”

Penalties

Administrative Fines

Entity Type                        | Maximum Fine      | Turnover Cap
-----------------------------------|-------------------|---------------------
Essential entities (higher regime) | CZK 250M (~€10M)  | 2% global turnover
Important entities (lower regime)  | CZK 175M (~€7M)   | 1.4% global turnover

Management Liability

NÚKIB may temporarily prohibit members of statutory bodies from performing their functions for:

  • Repeated breaches of cybersecurity obligations
  • Serious breaches that result in significant incidents
  • Failure to implement required security measures after being ordered to do so

Enforcement Approach

NÚKIB is building its enforcement capacity. Early indications suggest:

  • Compliance-first approach in the initial implementation period
  • Inspections and audits ramping up throughout 2026
  • Fines for egregious non-compliance expected by late 2026
  • Management function bans reserved for the most serious cases

Registration and Compliance Deadlines

Date                               | Milestone                                                            | Status
-----------------------------------|----------------------------------------------------------------------|-------------
1 November 2025                    | Act enters into force                                                | ✅ Completed
Within 60 days of meeting criteria | Entity notification to NÚKIB                                         | ⏳ Active
Within 1 year of registration      | Implement required security measures                                 | ⏳ Active
Within 1 year of designation       | Strategically important service providers meet additional obligations | ⏳ Active
Ongoing                            | NÚKIB implementing decrees being adopted                             | ⏳ Active

Important: Implementing decrees specifying detailed technical requirements are still being finalized. Entities should begin implementing NIS2 Article 21 measures now while awaiting sector-specific guidance.

Implications for Cyber Insurance

Underwriting Considerations for Czech Entities

  1. Expanded scope = new demand — Thousands of newly regulated entities will need cyber insurance for the first time. Manufacturing, food production, and chemicals sectors are particularly underserved.

  2. Strategically important services risk — The domestic availability requirement and supplier registry create unique operational risks that standard cyber policies may not adequately cover.

  3. Broader incident reporting — The Czech “all incidents where intentional misconduct cannot be ruled out” standard means more reported incidents, potentially affecting loss ratios and claims frequency.

  4. Management liability — The possibility of management function bans creates demand for D&O coverage with NIS2-specific extensions.

  5. Implementing decree uncertainty — Until NÚKIB finalizes its decrees, underwriters face uncertainty about exact technical requirements. Factor this into pricing.

Coverage Checklist

  • Regulatory investigation and defense costs
  • Incident notification and response costs
  • D&O liability for management function prohibition risk
  • Business interruption from mandatory incident reporting
  • Supply chain security compliance costs
  • Strategically important service provider obligations
  • Legal defense for broader reporting standard

Last updated: April 2026. Czech Republic’s NIS2 framework is actively evolving as NÚKIB finalizes implementing decrees. Check the NÚKIB website for the latest guidance and sector-specific requirements.
