
New Cybersecurity Act and NIS2: Top management bears direct responsibility

In recent days, the President of the Czech Republic, Petr Pavel, signed a new law on cybersecurity, which implements the European directive NIS2 (Network and Information Security Directive 2). This law significantly changes the approach to cybersecurity management in the Czech Republic and affects both state institutions and the private sector.

Main changes and impacts of the new legislation

  1. Binding personal liability of top management
    • The law shifts responsibility for cybersecurity directly to the top management of organizations, especially to members of statutory bodies, such as members of the board of directors, executives, members of the supervisory board, or the general director (CEO).
    • Responsibility is non-transferable; it cannot be delegated to lower management or to external suppliers.
    • The penalties for non-compliance are both financial (fines of up to 2% of turnover or hundreds of millions of CZK) and personal (e.g. a ban on holding office for up to 5 years).
  2. Expansion of the scope of the law
    • The law will affect around 6,000 entities throughout the Czech Republic, across all sectors: not only state organizations, but also hospitals, entities in energy, transport, food, pharmaceuticals and digital infrastructure, research organizations, and medium-sized and large enterprises.
    • Entities are divided into significant and important ones according to the nature of the services they provide and the extent of the impact their potential failure would have.
  3. New requirements for security management (ISMS)
    • Organizations will need to have comprehensive information security management systems (ISMS) in place, which will include:
      • Assessing risks and implementing appropriate measures to manage them (e.g. data encryption, multi-factor authentication, network segmentation).
      • Supply chain security management (e.g. partner verification, contractual security commitments).
      • An incident response plan, i.e. specific procedures to follow in the event of an attack on or threat to the system.
      • Regular audits, security testing, and record keeping of management activities in the area of security.
  4. Cybersecurity as part of strategic management
    • The ISMS now falls under the responsibility of the organization's strategic management, in the same way as financial management or legal compliance.
    • Cybersecurity governance must be regularly discussed at board level and documented. These records can be key evidence in assessing responsibility in the event of an incident.
  5. Deadlines and effectiveness
    • The law was approved by the Chamber of Deputies and, after being signed by the President of the Czech Republic on June 26, 2025, is to be published in the Collection of Laws in August 2025.
    • It is to take effect from 1 November 2025, with a transition period of 12 months for the implementation of the necessary measures.

Practical recommendations for organizations

  1. Identification of responsibilities
    • Assess whether your organization falls within the scope of the law, as a significant or an important entity.
  2. Gap analysis
    • Analyse the current state of security management and prepare an ISMS implementation plan.
  3. Education and leadership responsibility
    • Familiarize top management with the legal and practical impacts of the new legislation.
  4. Processes and documentation
    • Ensure that security management is part of management discussions and that an audit trail and an incident response plan exist.
  5. Technical measures
    • Implement encryption, multi-factor authentication (MFA), logging, regular testing, and security monitoring.

Conclusion

Cybersecurity is no longer an issue for the IT department alone; under the new law it becomes part of top management's risk management. Beyond protection against real threats such as ransomware attacks, data loss or threats to operational infrastructure, it is also a matter of reputation, legal liability and competitiveness.

Recommended and verified sources

For more information or to prepare your own organization for new responsibilities, you can contact us at sales.
