NIS2 and the New Cybersecurity Act: Does It Apply to Your Company?
The new Czech Cybersecurity Act (No. 264/2025 Coll.) introduces obligations that this time go far beyond large corporations and public institutions. The regulation affects thousands of Czech companies — and many still don't know it.
If you've come across the abbreviations NIS2 or ZKB in recent months and filed them away as "something for the big guys," it's time to take a closer look. The new Cybersecurity Act is the direct Czech implementation of the European NIS2 directive, and its scope is significantly broader than anything we've seen in previous legislation.
What Is NIS2 — and Why Did ZKB Come About?
NIS2 is a European directive (Directive (EU) 2022/2555) that replaced the original NIS1 directive (2016/1148). The reasons for the update were straightforward: the original directive had too narrow a scope, was implemented inconsistently across member states, and cyber threats had grown into an entirely different beast in the meantime. NIS2 addresses all of that: it expands the number of regulated sectors, tightens requirements, and significantly raises penalties.
The Czech Republic implemented NIS2 through Act No. 264/2025 Coll., commonly referred to as ZKB (Zákon o kybernetické bezpečnosti — Cybersecurity Act). This law replaces the previous Act No. 181/2014 Coll. and comes with two implementing decrees — 409/2025 and 410/2025 — that spell out exactly what your organisation must do.
The supervisory authority is NÚKIB — the National Cyber and Information Security Agency — and mandatory registration is handled through them as well.
Who Does the Law Regulate? Possibly You.
Here's where many companies get their first surprise. ZKB is no longer just a matter for operators of critical infrastructure. The law covers 14 sectors, ranging from energy and transport to healthcare, digital infrastructure, and manufacturing.
The key criteria for determining whether the law applies to you are three:
Sector and type of service provided — do you operate in one of the 14 regulated sectors?
Organisation size: the law generally captures medium and large enterprises as defined by the EU SME definition (50 or more employees, or annual turnover and balance sheet total above €10 million). Some services are regulated regardless of size, however; under NIS2 these include, for example, DNS service providers, top-level domain name registries and trust service providers.
Importance of the service provided — even a smaller company may fall under the regulation if its disruption would be critical to infrastructure or market operations.
If you're unsure whether the law applies to you, that's entirely understandable — the text of the act isn't exactly light reading. That's why we've built tools that will give you a clear answer in under a minute.
👉 Run the ZKB Calculator → — select your sector, answer a few criteria, and find out immediately whether the law applies to your company and under which regime.
Two Regimes: Higher and Lower Obligations
Not all regulated entities are created equal. ZKB distinguishes between two groups:
Higher obligations (essential entities) — typically larger companies or organisations in critical sectors. The scope of obligations is broadest here: comprehensive cybersecurity management, incident detection, cryptographic measures, supply chain security, strict incident reporting, and mandatory audits. Governed by Decree No. 409/2025 Coll.
Lower obligations (important entities) — companies with a lower risk profile. Requirements are simplified but still include a mandatory baseline: security policies, access management, network protection, reporting of significant incidents, and basic business continuity measures. Governed by Decree No. 410/2025 Coll.
Incident reporting timelines are the same for both regimes, and they're strict. Following the NIS2 model (Article 23), a significant incident must be reported to NÚKIB within 24 hours of becoming aware of it (early warning), followed by an incident notification with an initial assessment within 72 hours and a final report within one month.
What Does the Law Actually Require?
Regardless of which regime you fall under, ZKB obligations revolve around several key areas:
Governance and accountability — you must have a defined person or role responsible for cybersecurity (the so-called MKB — cybersecurity manager), or have this role externally covered.
Risk management — regular assessment of threats and vulnerabilities, not a one-time exercise.
Technical measures — network protection, identity and access management, encryption, system patching.
Supply chain security — you are also responsible for the security level of your key suppliers and partners.
Incident reporting — statutory deadlines with no possibility of extension.
Registration with NÚKIB — mandatory for all regulated entities.
Penalties Worth Knowing About
Unlike the original law, sanctions under ZKB (and NIS2 as a whole) are significantly more serious. They range up to:
€10,000,000 or 2% of global annual turnover, whichever is higher, for entities with higher obligations,
€7,000,000 or 1.4% of global annual turnover, whichever is higher, for entities with lower obligations.
Beyond financial penalties, the law also introduces personal liability for statutory representatives. That's a signal management can't afford to ignore.
What to Do Now?
The law is in force and the obligations are real. If your company hasn't addressed ZKB yet, we recommend starting with these steps:
1. Find out whether the law applies to you. Use our free ZKB Calculator — it takes 30 seconds.
2. Measure how far you are from compliance. Run the ZKB Readiness Check — 12 questions based on the act and its decrees, with a concrete score and your top 3 gaps to address.
3. Read what the law actually says. Our ZKB Law Guide is written in plain language — no legislative text, no unnecessary jargon.
All of these tools are in one place: cypheron.cz/odkazy — free, no registration required.
Final Thought: Compliance Is a Foundation, Not a Finish Line
ZKB isn't just about ticking boxes for an audit. It's an opportunity to put your company's cybersecurity on a solid footing — one that holds up not only under regulatory scrutiny, but during an actual incident.
If you're unsure what the law means for your specific situation, or you need help with implementation — from NÚKIB registration to setting up security processes end-to-end — get in touch. We offer a free introductory consultation with no strings attached, and we respond within 24 hours.