New Cybersecurity Act
source: CEE Legal Matters
authors: Mgr. et Mgr. Ing. Jan Tomíšek, Ph.D.
On June 26, 2025, the Czech Republic adopted a new Cybersecurity Act, transposing the EU NIS2 Directive into national law. The legislation significantly broadens the scope of regulated entities, now covering companies across key sectors such as energy, healthcare, finance, and digital infrastructure.
The Act introduces stricter cybersecurity obligations, including mandatory supply chain risk management, enhanced executive accountability, and robust incident reporting. It is expected to take effect in November 2025. Regulated entities will then have 60 days to identify the “regulated services” they provide and notify the National Cyber and Information Security Agency (NÚKIB).
To comply, businesses must revise their cybersecurity frameworks – from assessing third-party risks to updating internal policies and delivering targeted training for staff and executives – to avoid penalties.
The Act also reflects the NIS2 Directive’s exclusive jurisdiction regime for certain digital service providers (e.g. cloud services, online marketplaces, social platforms). However, this “one-stop-shop” model does not apply automatically. Determining whether a provider falls under exclusive supervision by a single Member State requires careful assessment of how services are provided across jurisdictions, including operational and governance structures. A misjudgment could result in overlapping or missed obligations.
The accompanying explanatory memorandum to the new Cybersecurity Act supports this risk-based approach, aiming to reduce duplicative oversight while ensuring appropriate accountability.
The Rowan Legal TMT team is actively assisting clients as they navigate these new cross-border compliance challenges – from identifying the “main establishment” to evaluating notification obligations and designing governance structures aligned with supervisory expectations across multiple jurisdictions.