Czech NIS2 Is Stricter Than the EU Baseline — What NUKIB’s Expanded Scope Means for Your Organisation
November 1, 2025 marked the entry into force of Act No. 264/2025 Coll. — the Czech Cybersecurity Act (Zákon o kybernetické bezpečnosti, ZoKB) — making the Czech Republic one of the EU’s most actively enforcing NIS2 jurisdictions. Approximately 6,000 organisations are now regulated, up from roughly 400 under the previous NIS framework.
What makes Czech transposition notable is where it goes beyond the EU NIS2 Directive minimum. Three provisions in Act 264/2025 exceed the baseline: mandatory reporting of all cybersecurity incidents rather than just significant ones, explicit regulation of the military and defence industry sector, and a dedicated tier of approximately 150 “strategically important services” with heightened supply chain controls. Organisations with Czech operations that assume domestic NIS2 compliance mirrors the EU baseline need to revisit that assumption.
This guide covers NUKIB’s mandate, how Czech law departs from EU NIS2, how scope is determined, the registration process, and the compliance landscape as secondary legislation continues to develop in 2026.
NUKIB: Czech Republic’s NIS2 Competent Authority
NUKIB — Národní úřad pro kybernetickou a informační bezpečnost, the National Cyber and Information Security Agency — holds three mandates under Czech cybersecurity law: national competent authority for NIS2, single point of contact for EU-level coordination, and operator of GovCERT, the governmental computer emergency response team. NUKIB is headquartered in Brno at Mučednická 1125/31.
NUKIB does not determine whether your organisation falls within NIS2 scope — that responsibility sits with you. The agency publishes guidance, runs awareness seminars and an educational platform at osveta.nukib.gov.cz, and accepts consultations from entities uncertain about their obligations. Under Act 264/2025, NUKIB gained substantially expanded enforcement powers: imposing fines, issuing binding remediation directives, and temporarily banning statutory body members who fail to address serious security deficiencies.
Act No. 264/2025 Coll.: Czech Republic’s NIS2 Transposition
The Czech Parliament adopted Act No. 264/2025 Coll. on June 11, 2025. The President signed it on June 26, 2025, it was published in the Czech Collection of Laws on August 4, 2025, and it entered into force on November 1, 2025. It replaces Act No. 181/2014 Coll., the Czech cybersecurity law in effect since the original NIS Directive.
Act 264/2025 follows NIS2’s two-tier entity architecture, mandatory incident reporting structure, and personal accountability obligation for statutory body members. Six implementing decrees set the technical specifics — covering regulated service definitions, security measures by obligation tier, and NUKIB portal submission requirements. Some of these decrees were still in final stages as of early 2026.
Context worth noting: the EU Commission issued a reasoned opinion on May 7, 2025 regarding the Czech Republic’s failure to notify complete NIS2 transposition on time — a process now resolved by Act 264/2025. Czech organisations had more runway than counterparts in early-transposing states, but enforcement is now fully operational.
Three Ways Czech NIS2 Exceeds the EU Baseline
1. All Cybersecurity Incidents Must Be Reported
NIS2 requires essential and important entities to report “significant” incidents — those with material service disruption, significant financial impact, or cross-border effects. Czech Act 264/2025 requires higher-obligation entities to report all incidents affecting a regulated service that originate in cyberspace and where intentional misconduct cannot be ruled out, with no significance filter. The baseline NIS2 Article 23 incident notification standard sets the EU floor; Czech law raises it for essential entities.
2. Military and Defence Industry as a Regulated Sector
The EU NIS2 Directive’s annexes list eighteen sectors across the highly critical and other critical categories — national defence is explicitly excluded from civilian cybersecurity scope. Act 264/2025 adds a 15th national sector: military and defence industry, covering producers of dual-use goods, manufacturers of military hardware, and companies subject to Czech and EU arms export controls. The transpositions of France, Germany, and Poland contain no comparable expansion that explicitly brings the defence industry into scope.
3. Strategically Important Services: A Third, Elevated Tier
Approximately 150 entities will be formally designated as providers of “strategically important services” under secondary legislation still being finalised. This designation sits above essential entity status. NUKIB gains the authority to issue binding sector-level measures restricting or prohibiting the use of specific technology vendors within critical parts of a designated service — including on geopolitical grounds. This makes Czech supply chain security obligations among the most extensive in the EU for designated entities.
Who Falls in Scope: 15 Sectors, Two Tiers, 6,000 Entities
Act 264/2025 applies to entities that (a) provide a “regulated service” in one of 15 defined sectors and (b) meet enterprise size or operational impact thresholds. NIS2 scope is already broad at EU level; Czech implementation broadens it further with the defence sector and impact-based designation powers under Section 5.
The 15 regulated sectors: energy, transport, banking, financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure, digital service providers, public administration, postal and courier services, food, chemicals, manufacturing, science/research/education, and military/defence industry.
Two compliance tiers apply:
| Entity tier | Criteria | Security obligations |
|---|---|---|
| Higher obligations (essential entities) | Large enterprises in critical sectors; medium enterprises whose disruption affects 125,000+ people or national security; Section 5 designated entities | 27 mandatory measures, ISMS, report incidents to NUKIB, 2-year audit cycle |
| Lower obligations (important entities) | Medium enterprises in regulated sectors not meeting essential thresholds | 13 mandatory measures, report incidents to CSIRT.CZ |
Size thresholds follow EU Commission Recommendation C(2003)1422: a medium enterprise has fewer than 250 employees and either annual turnover not exceeding €50 million or an annual balance sheet total not exceeding €43 million. Linked and partner enterprises are aggregated — a common oversight in initial self-assessments. The distinction between essential and important entities has material implications for the number of security measures, the reporting destination, and audit exposure.
CSIRT.CZ and GovCERT: Czech Republic’s Two-CSIRT Structure
The Czech Republic operates two national CSIRTs, and incident reporting flows differently by entity tier.
GovCERT is operated directly by NUKIB and serves essential entities. Higher-obligation entities report qualifying incidents to NUKIB within 24 hours of becoming aware, followed by a detailed report within 72 hours.
CSIRT.CZ is operated by CZ.NIC, the nonprofit association managing the .cz country code domain registry, under a public contract with NUKIB. CSIRT.CZ has held Trusted Introducer accreditation since 2011 and has been a FIRST member since 2015. Important entities — lower-obligation tier — report incidents to CSIRT.CZ within 24 hours, with the same 72-hour detailed report following.
The practical consequence: if your organisation grows from important to essential entity — which occurs when headcount or turnover crosses the applicable size thresholds — your incident reporting destination changes from CSIRT.CZ to NUKIB. A tier change in either direction requires an updated registration notification via the NUKIB Portal.
How to Register: Self-Identification and the NUKIB Portal
Czech law places the self-assessment burden on the regulated entity. NUKIB does not issue notifications — organisations meeting the conditions must identify themselves and register proactively. The process runs in four steps.
Step 1 — Sector check. Does your organisation provide a service within one of the 15 regulated sectors? The Regulated Services Decree defines services by CZ-NACE code. If no sector match exists, Act 264/2025 does not apply regardless of company size.
Step 2 — Service match. Within your sector, the Regulated Services Decree specifies which service types trigger obligations. Broad sector presence is not enough — the specific service must match a defined type in the decree.
Step 3 — Size and impact assessment. Apply the EU Commission Recommendation thresholds, aggregating linked and partner enterprises. Separately check whether NUKIB may designate your entity under Section 5 — applicable even below standard size thresholds for entities appearing in critical infrastructure registries.
Step 4 — Notify NUKIB electronically. All notifications are submitted through the NUKIB Portal at portal.nukib.gov.cz. Required information: entity identification, regulated service identification, sector classification, and responsible persons’ contact details. The portal handles case management and official document delivery.
For entities in scope on November 1, 2025, the notification deadline was December 31, 2025. New entrants have 60 days from the date they first meet the conditions. Within 30 days of NUKIB’s registration decision, entities must file supplementary information covering ownership structure, technical service parameters, geographic footprint, and cross-border service interdependencies.
NUKIB then issues a formal registration decision. The 12-month compliance ramp-up clock starts from that decision date — not from the notification submission date.
Compliance Timeline After Registration
Registration confirmation triggers the structured ramp-up. Most obligations do not apply immediately:
| Milestone | Deadline |
|---|---|
| Notify regulated service to NUKIB | Within 60 days of meeting conditions |
| File supplementary data (ownership, contacts, technical details) | Within 30 days of registration decision |
| Implement all security measures | Within 12 months of registration decision |
| Begin mandatory incident reporting | Within 12 months of registration decision |
| NUKIB compliance audit (higher obligations) | Ongoing — minimum every 2 years |
Contact registration maintenance applies from the notification date, before the formal decision — NUKIB expects up-to-date contact details from the moment you notify.
ISO 27001 certification alone does not satisfy Czech compliance. Act 264/2025 requires the specific statutory measure catalogue — 27 measures for higher obligations, 13 for lower. ISO 27001 partially maps to these requirements but is not a substitute. Higher-obligation entities must also appoint a cybersecurity manager, auditor, and architect as defined roles under the implementing decrees.
Penalties and NUKIB’s Enforcement Powers
NUKIB’s enforcement toolkit under Act 264/2025:
| Breach category | Maximum penalty |
|---|---|
| Higher-obligation entity violations | CZK 250 million (~€10.3M) or 2% of global annual turnover — whichever is higher |
| Lower-obligation entity violations | CZK 175 million (~€7.2M) or 1.4% of global annual turnover — whichever is higher |
| Initial minor infractions | CZK 100,000 |
| Repeated lower-level violations | CZK 10 million or 1% of turnover |
Beyond fines, NUKIB may issue binding operational directives, suspend licences or authorisations, and impose temporary management bans — for a minimum of six months — where a statutory body member has failed to address serious security deficiencies. This mirrors the personal accountability obligation under NIS2 Article 20. The broader EU-level NIS2 penalties framework applies as the baseline; the Czech figures meet it.
NUKIB conducts compliance audits of higher-obligation entities at minimum every two years.
What’s Still Pending: 2026 Secondary Legislation
Act 264/2025 is fully in force, but two government regulations were still being finalised as of early 2026:
- Regulation on essential functions — will formally identify which national services qualify as essential, affecting the higher/lower obligation boundary in edge cases
- Regulation on strategically important services — will formally designate the ~150 entities and activate NUKIB’s authority to issue binding vendor restriction measures
Until these regulations are published, potential strategically important entities should register under the standard higher-obligation framework and monitor the NUKIB portal for designation notices. Most entities whose December 2025 notifications are under review were still awaiting formal NUKIB registration decisions as of early 2026 — meaning compliance ramp-up clocks have not yet started for the full first cohort.
The six implementing decrees covering security measure specifications and incident reporting procedures are operative from November 1, 2025 and require no further legislative action.
Key Takeaways
- Act No. 264/2025 Coll., effective November 1, 2025, is the governing Czech cybersecurity law — administered by NUKIB in Brno
- Czech NIS2 is stricter than the EU baseline in three areas: all-incident reporting scope, military/defence sector inclusion, and supply chain controls for ~150 strategically important services
- Registration runs through portal.nukib.gov.cz; the 12-month compliance clock starts from NUKIB’s formal registration decision, not the notification submission
- Incident reporting flows by tier: essential entities report to NUKIB/GovCERT; important entities report to CSIRT.CZ (operated by CZ.NIC)
- ISO 27001 alone is not sufficient for Czech compliance — the 27- or 13-measure statutory catalogue applies
- Secondary legislation on strategically important services and essential functions is still pending as of early 2026
Frequently Asked Questions
What does NUKIB stand for?
NUKIB stands for Národní úřad pro kybernetickou a informační bezpečnost — the National Cyber and Information Security Agency. It is the Czech Republic’s designated NIS2 competent authority, single point of contact, and operator of GovCERT for essential entities.
Is Czech NIS2 scope broader than the EU NIS2 Directive?
Yes, in three areas. Czech Act 264/2025 requires higher-obligation entities to report all cybersecurity incidents (not just significant ones), adds military and defence industry as a 15th regulated sector not in the EU NIS2 annexes, and introduces approximately 150 strategically important services with enhanced supply chain controls.
How do I register under Czech NIS2?
Self-identification is your responsibility. Confirm your sector is one of 15 regulated sectors, match your specific service to the Regulated Services Decree, assess enterprise size aggregating linked enterprises, then notify electronically through the NUKIB Portal at portal.nukib.gov.cz within 60 days of meeting the conditions.
Does ISO 27001 certification satisfy Czech NIS2 compliance?
No. Czech Act 264/2025 requires compliance with a specific statutory measure catalogue — 27 measures for higher-obligation entities, 13 for lower. ISO 27001 demonstrates maturity and partially overlaps with these requirements, but Czech law requires the specific defined measures, not a certificate.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- NIS2 Directive Czech Republic — European Commission
- About CSIRT.CZ — csirt.cz/en/about-us/
- Czech Republic NIS2 — Eversheds Sutherland
- Self-Identification under the Czech Cybersecurity Act — PEYTON Legal
- EU NIS2 in Czech Republic — OpenKRITIS
- Czech Cybersecurity Laws and Regulations 2026 — ICLG
- NIS2 in Czech Practice — Clifford Chance Prague
- NIS2 Czech Republic: Implementation, Deadlines, and Compliance — Copla
