Czech NIS2 Penalties Explained: CZK 250M Fines, 6-Month Management Bans, and Why NUKIB’s 27 Measures Expand Your Audit Exposure
Czech NIS2 enforcement is live. Act No. 264/2025 Sb. (ZoKB) came into force on 1 November 2025, transforming cybersecurity compliance for approximately 6,000 Czech organisations across 18 sectors — a tenfold expansion from the roughly 400 entities regulated under the previous Czech cybersecurity law.
The financial exposure is real: higher obligations providers face fines up to CZK 250,000,000 — approximately EUR 10.3 million — or 2% of global annual turnover, whichever is higher. But the number that requires more attention when building a Czech compliance programme is 27: the count of discrete security measures NUKIB requires of essential-tier entities, compared to the 10 minimum measures in EU NIS2 Article 21(2). More checkpoints mean more potential enforcement findings — each measure is an independent NUKIB audit point.
Board members and executives face personal liability through a management ban with a minimum floor of six months and no fixed ceiling: the disqualification runs until deficiencies are remediated. NUKIB’s enforcement toolkit extends beyond financial penalties to include supply chain vendor bans and certification suspensions.
This guide covers who ZoKB applies to, how Czech fine tiers work in practice, what triggers the management ban, what NUKIB’s 27 measures add beyond the EU baseline, and the registration timeline that starts your implementation clock.
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
Does ZoKB Apply to Your Organisation?
ZoKB divides regulated entities into two tiers based on their role in critical infrastructure and their significance to Czech society or the national economy.
| Tier | NIS2 equivalent | Fine ceiling | Security measures |
|---|---|---|---|
| Higher obligations providers | Essential entities | CZK 250M or 2% of global turnover | 27 measures |
| Lower obligations providers | Important entities | CZK 175M or 1.4% of global turnover | 13 measures |
The scope trigger is three-part: the organisation must operate within a regulated sector, provide a specific service type from NUKIB’s catalogue of 60 regulated services, and meet a significance threshold. For most sectors, the threshold is service disruption that would affect more than 125,000 people, or provision of a monopoly-position service.
Sectors covered include energy, transport, healthcare, digital infrastructure, financial services, public administration, manufacturing, the defence industry, and postal services. The inclusion of the defence industry is notable — it goes beyond what many other EU member states have implemented in their national transpositions.
Small and micro-enterprises are generally excluded unless they meet the significance threshold or hold a monopoly position. Universities are within scope; schools below university level are not.
Understanding the essential versus important entity distinction is the starting point for determining which fine tier and security measure count applies to your organisation.
The Czech Fine Tiers: How CZK 250M and CZK 175M Calculate in Practice
Czech ZoKB mirrors the NIS2 Directive’s penalty structure but expresses the amounts in Czech crowns. They correspond to the EU ceiling set in Article 34 of Directive 2022/2555: essential entities face a maximum of EUR 10,000,000 or 2% of global turnover, and important entities face EUR 7,000,000 or 1.4%, in both cases whichever is higher.
The “whichever is higher” mechanic matters more than the headline CZK number. For a higher obligations provider with CZK 15 billion (approximately EUR 620 million) in global annual turnover, 2% equals CZK 300 million — exceeding the headline CZK 250M figure by 20%. For large operators, CZK 250M is therefore the minimum of the two possible maxima, not the ceiling. Multinationals with significant global revenue face materially larger potential maximum fines than the headline CZK amount suggests.
NUKIB may also impose separate fines of up to CZK 100,000 for procedural infractions — failure to register within 60 days, incomplete incident reporting, or missing documentation. These are minor relative to the main penalty regime, but they are independent actions: a registration delay and an incomplete incident notification can each generate a separate enforcement finding on the same case.
The most significant practical point about the fine structure is that exposure is not tied to a single triggering event. Each of NUKIB’s 27 security measures constitutes a discrete compliance obligation. A missing risk register, an unreviewed incident response plan, and a gap in supply chain documentation are three separate deficiencies — each capable of generating an independent enforcement action. The broader NIS2 penalties framework shows how this layered exposure maps across all Article 21 obligations.
Management Accountability: The 6-Month Ban and What Triggers It
ZoKB introduces personal liability for board members and statutory body members, following the NIS2 Directive’s Article 20 framework with a Czech-specific enforcement mechanism: a temporary ban on exercising managerial functions.
NUKIB may impose a temporary ban on any member of the statutory body — board directors, executive directors, managing directors — when three conditions are met:
- Serious or repeated breaches of ZoKB obligations have been identified
- NUKIB has issued a binding corrective instruction with a remediation deadline
- The organisation has failed to remedy the identified deficiencies within the specified period
The ban lasts at least six months. There is no fixed ceiling — the prohibition remains in force until the compliance deficiencies are actually remediated. An organisation that receives a corrective instruction, fails to act, and re-enters NUKIB scrutiny faces management disqualification of indeterminate duration. The six-month minimum is the floor; remediation performance sets the actual end date.
This mechanism has direct governance implications. Under Article 20 of the NIS2 Directive — transposed by ZoKB — management bodies are personally responsible for approving and overseeing the implementation of cybersecurity risk management measures. Delegation to an IT department or CISO does not transfer the personal accountability that NUKIB’s management ban mechanism targets.
What NUKIB inspectors look for when assessing management accountability:
- Board meeting minutes showing formal approval of the cybersecurity risk management framework
- Records of regular cybersecurity briefings to the board — documented, dated, and signed
- A board-level resolution designating the cybersecurity manager role and confirming resource allocation
- Evidence that management reviewed and approved the organisation’s risk assessment and risk treatment plan
The documentation trail matters as much as the technical controls. Organisations that have implemented reasonable security measures but cannot produce evidence of board-level oversight remain exposed to a management ban finding. This is the practical reason why board member NIS2 obligations require more than awareness — they require a documented governance process.
NUKIB’s 27 Security Measures vs the EU’s 10: The Expanded Audit Surface
The NIS2 Directive’s Article 21(2) specifies 10 minimum security measures: risk analysis and security policies, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, cyber hygiene and training, cryptography policies, human resources and access control, and multi-factor authentication and secure communications. These apply to both essential and important entities across all EU member states.
Czech ZoKB through NUKIB’s regulatory decrees expands this baseline substantially. Higher obligations providers must implement 27 security measures — 2.7 times the EU minimum. Lower obligations providers face 13 mandatory measures — still 30% more than the EU floor.
Each measure is a discrete compliance obligation and a discrete NUKIB audit checkpoint. Inspectors assess conformance measure-by-measure, meaning 27 potential enforcement findings exist compared to 10 in jurisdictions that implemented NIS2 without national additions. The Czech framework is materially more granular than the EU baseline, and that granularity translates directly into audit surface.
Two specific additions in the Czech framework create the most operational complexity for organisations migrating from EU-baseline compliance programmes:
The cybersecurity auditor segregation requirement: ZoKB requires essential entities to designate three cybersecurity roles (a cybersecurity manager, a cybersecurity architect, and a cybersecurity auditor). The auditor role must be organisationally segregated from the individuals responsible for implementing the controls. This dual-accountability structure is unusual for most mid-sized organisations and typically requires either an external hire or a restructuring of internal reporting lines before NUKIB registration.
Data storage localisation: ZoKB includes an obligation to primarily store regulated data within Czech territory. This has no direct equivalent in the NIS2 Directive itself and affects cloud-first organisations and multinationals routing data through infrastructure outside the Czech Republic. Organisations need a clear answer on their cloud architecture before the 12-month implementation clock starts — not after.
For organisations that built their compliance programme around the EU’s 10-measure framework, the task before NUKIB registration is identifying which of the 17 additional Czech obligations are currently unmet. The full Article 21 requirements provide the EU baseline; the Czech-specific additions sit on top and require a separate gap-close exercise.
NUKIB’s Supervision Toolkit: What Inspectors Can Actually Do
NUKIB holds asymmetric enforcement powers between the two entity tiers, reflecting the NIS2 Directive’s Articles 32 and 33 framework.
For higher obligations providers, NUKIB operates on a proactive supervision model. Mandatory regular audits are conducted every two years — or continuously within a rolling five-year window for the largest operators. NUKIB is the exclusive cybersecurity audit authority for this tier.
For lower obligations providers, NUKIB applies reactive supervision. Audits are triggered by incidents, complaints, or risk-based selection rather than a fixed schedule, following the NIS2 Directive’s Article 33 framework for important entities.
Beyond audit cycles, NUKIB holds four enforcement tools that extend beyond financial penalties:
| Enforcement tool | Practical effect |
|---|---|
| Binding corrective instructions | NUKIB issues a specific remediation requirement with a deadline. Non-compliance after the deadline escalates to management ban and/or financial penalty |
| Certification and authorisation suspension | NUKIB may temporarily suspend regulated authorisations — a significant operational consequence for entities whose licence depends on regulatory standing |
| Supply chain vendor bans | NUKIB can prohibit or restrict use of specific high-risk suppliers. The organisation’s vendor relationships may be disrupted by a NUKIB determination independent of the vendor’s own compliance status |
| State of cyber danger declaration | In serious situations, NUKIB can declare a national cyber danger state with extended powers, including measures directed at entities outside the normal regulatory perimeter |
The supply chain vendor ban is operationally the most disruptive. An organisation may have no compliance deficiency of its own, yet face mandatory supplier changes if NUKIB determines a supplier presents unacceptable risk to Czech critical infrastructure. Organisations with concentrated supply chain dependencies — single-vendor cloud, single-vendor connectivity, single-vendor operational technology — face the largest potential disruption from this power. Building a documented supply chain security posture that includes vendor risk classification directly reduces this exposure vector.
Registration and the Implementation Clock
ZoKB entered into force on 1 November 2025. The compliance timeline runs from the moment an organisation first meets ZoKB’s scope criteria:
- Day 0: Organisation meets scope criteria (sector + service type + significance threshold)
- Days 0–60: Registration notification must be submitted to NUKIB
- Registration confirmed: NUKIB issues a formal registration decision
- +12 months from confirmation: All 27 (or 13) security measures must be implemented; incident reporting obligations begin
- +24 months from registration: First mandatory audit for higher obligations providers begins
For entities in scope on 1 November 2025, the practical registration deadline was 31 December 2025. Entities meeting scope criteria after that date have 60 days from the triggering event to notify NUKIB.
Missing the 60-day window is itself a breach of ZoKB, subject to procedural fines of up to CZK 100,000 and — more significantly — it delays the start of the 12-month implementation period. An organisation that registers late starts its compliance clock late, compressing available implementation time without reducing NUKIB’s expectations for the end state.
Entities registered in the first wave (October–December 2025) will have their 12-month implementation clocks maturing through 2026–2027, which is when NUKIB’s audit programme is expected to begin targeting entities whose windows have closed.
Key Takeaways for Compliance Officers
Czech NIS2 under ZoKB is not equivalent to meeting the EU Directive minimum. Three points determine the gap between an EU-baseline programme and full ZoKB conformance:
Identify your 17 additional measures. If your compliance programme was built around EU Article 21’s 10 measures, you have an incomplete Czech implementation. Map your current control set against all 27 NUKIB-required measures, prioritise the gaps by audit risk, and document remediation plans before your 12-month clock expires.
Document board governance before NUKIB contacts you. The management ban is triggered by failure to remediate after a NUKIB instruction — not directly by the initial deficiency. Organisations that can demonstrate proactive board oversight, documented approvals, and responsive action to NUKIB communications have a substantively different liability profile than those that wait for enforcement correspondence before engaging.
Review supply chain vendor concentration. NUKIB’s vendor ban power is operational from day one. An audit of your supply chain — identifying which critical vendors are single-source and which have documented security assessments — directly addresses the risk of forced supplier changes without management lead time.
Frequently Asked Questions
What is the difference between ZoKB and the NIS2 Directive?
NIS2 (EU Directive 2022/2555) sets the minimum EU framework; ZoKB (Czech Act No. 264/2025 Sb.) is the national transposition. ZoKB exceeds the EU minimum in three areas: 27 security measures required of essential entities (vs 10 in Article 21), primary data storage in Czech territory, and a three-role cybersecurity structure including a segregated cybersecurity auditor.
How is the fine calculated for a large global company?
Take the entity’s total worldwide net annual turnover, multiply by 2% (higher obligations) or 1.4% (lower obligations). Compare the result to CZK 250M or CZK 175M. NUKIB applies whichever amount is higher — so a company with CZK 15 billion in worldwide turnover faces a potential maximum fine of CZK 300 million, not CZK 250M.
Can a board member face criminal charges under ZoKB?
ZoKB’s management sanction is a temporary ban on exercising managerial functions — a civil and administrative measure. Criminal liability for cybersecurity incidents may arise under separate Czech criminal law, but that falls outside ZoKB’s direct scope.
Does ZoKB apply to foreign companies operating in the Czech Republic?
Yes. ZoKB applies to entities providing regulated services within Czech territory regardless of where they are headquartered. A company registered outside the Czech Republic that provides regulated services meeting Czech scope criteria — including the 125,000-person disruption threshold — is subject to ZoKB’s obligations.
What happens if we miss the 60-day NUKIB registration deadline?
Missing the deadline is itself a ZoKB breach, subject to procedural fines and a delayed start to the 12-month implementation window. NUKIB also has the power to initiate compliance proceedings against unregistered entities it identifies through sector-level review. Self-registration within the window is preferable to waiting for NUKIB to contact you.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- NIS2 Directive Article 34 — Administrative Fines
- NIS2 Directive Article 21 — Cybersecurity Risk-Management Measures
- NIS2 Directive Article 32 — Supervisory Measures for Essential Entities
- NIS2 Directive Article 33 — Supervisory Measures for Important Entities
- EU NIS2 in Czech Republic — OpenKRITIS
- Czech Republic Cybersecurity Laws and Regulations 2026 — ICLG
- NIS2 Czech Republic: Implementation, Deadlines, and Compliance — Copla
- Czechia: New Cyber Security Act — What Does It Mean for Your Business? — Lynx Legal