🇨🇿 Czech Republic

NIS2 in the Czech Republic: What your organisation must do.

Act No. 264/2025 Coll. (Zákon o kybernetické bezpečnosti) — full replacement of Act No. 181/2014 Coll. · In force November 1, 2025

The Czech Republic has transposed the EU NIS2 Directive. If your organisation operates in a covered sector, you are likely in scope and must comply with the requirements of NÚKIB (Národní úřad pro kybernetickou a informační bezpečnost, the National Cyber and Information Security Agency).

Entity classification

Are you an Essential or Important Entity?

Essential Entity

250+ employees or €50M+ annual turnover (higher-obligations regime)

Penalties: up to €10M or 2% of global turnover

Proactive supervision, authorities can audit at any time

Important Entity

50+ employees or €10M+ annual turnover (lower-obligations regime)

Penalties: up to €7M or 1.4% of global turnover

Reactive supervision, investigated when non-compliance is indicated

Not sure which classification applies to your organisation? The free self-check takes 3 minutes and tells you exactly where you stand, including Czech Republic-specific rules. Start your free self-check →

What the Czech Republic requires

Your obligations under Act No. 264/2025 Coll. (Zákon o kybernetické bezpečnosti), the full replacement of Act No. 181/2014 Coll.

1. Register with NÚKIB within 60 days of meeting in-scope conditions (entities already in scope on 1 November 2025: by 30 December 2025)

2. Implement Article 21 risk management measures with a documented risk treatment plan

3. Higher-obligations entities: external audits required

4. Achieve full compliance within 1 year of NÚKIB registration confirmation

5. Report significant incidents to the NÚKIB national CERT (24h early warning, 72h full report)

6. Management body accountability — directors face personal liability for non-compliance

ISO 27001 in the Czech Republic

ISO 27001 is a useful framework for NIS2 compliance in the Czech Republic, but no formal presumption of conformity exists under the new Cybersecurity Act.

Sectors in scope in the Czech Republic

Energy · Healthcare · Finance · Digital infrastructure · Transport · Manufacturing

What makes the Czech Republic different

The Czech Republic enacted a brand-new Cybersecurity Act (not an amendment) effective 1 November 2025, fully replacing the 2014 law.

The two-tier regime uses Czech-specific terminology: "higher obligations" (essential) and "lower obligations" (important).

Thousands of organisations are in scope across key sectors including energy, healthcare, finance, digital infrastructure, transport, and manufacturing.

Fines for higher-obligations entities: up to CZK 250M (~€10.3M) or 2% of global annual turnover (whichever is higher).

Fines for lower-obligations entities: up to CZK 175M (~€7.2M) or 1.4% of global annual turnover.

National CSIRT: NÚKIB operates the national CERT.

Know exactly where you stand on NIS2 in the Czech Republic.

The free self-check takes 3 minutes. It applies Czech Republic-specific rules, tells you your entity type, and recommends the right assessment plan.

Start your free self-check →