NIS 2 status in the Czech Republic
What the directive requires, how the Czech Republic transposes it, and where NÚKIB fits into the picture.
Overview
The NIS 2 directive is the EU layer. It binds every member state, including the Czech Republic, to one cybersecurity floor for essential and important entities. The Czech Republic must put that floor into Czech law and run a supervision regime under it.
The Czech Republic transposes NIS 2 through Act No. 264/2025 Sb., the new Act on Cybersecurity (Zákon o kybernetické bezpečnosti), adopted on 11 June 2025, published in the Collection of Laws (Sbírka zákonů) on 4 August 2025, and effective from 1 November 2025. It replaces the earlier Act No. 181/2014 Sb. and substantially widens the scope of regulated entities and services.
NÚKIB (Národní úřad pro kybernetickou a informační bezpečnost) is the lead supervisor and runs the national registration portal. Regulated entities self-identify and register via the NÚKIB portal, with the initial registration window closing on 31 December 2025. GovCERT.CZ sits inside NÚKIB; CSIRT.CZ is operated by the CZ.NIC association.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.
EU implementation
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in the Czech Republic without national transposition.
Czech transposition
Act No. 264/2025 Sb., on Cybersecurity (Zákon o kybernetické bezpečnosti)
The new Czech NIS 2 Act. Adopted 11 June 2025, published 4 August 2025, effective 1 November 2025. Replaces Act No. 181/2014 Sb. Implementing decrees (vyhlášky) from NÚKIB fill in the operational detail.
Act No. 264/2025 Sb.
Carries the NIS 2 obligations into Czech law. Sets out the two-tier regime of regulated services of higher and lower significance (poskytovatel regulované služby), supervision powers of NÚKIB, incident reporting duties and sanctions of up to CZK 250 million. Replaces Act No. 181/2014 Sb. on 1 November 2025.
NÚKIB as central supervisor
NÚKIB (Národní úřad pro kybernetickou a informační bezpečnost), seated in Brno, runs supervision, audits and sanctions, operates GovCERT.CZ as the government CSIRT, and administers the registration portal. CSIRT.CZ is operated separately by the CZ.NIC association.
Registration and reporting
Entities providing a regulated service had to self-identify and register through the NÚKIB portal by 31 December 2025. Around 6,000 to 8,000 organisations are expected in scope. Significant incidents follow the directive's 24h early warning, 72h notification and one-month final report cadence.
Local law applies inside the Czech Republic
Operations on Czech territory follow Act No. 264/2025 Sb. A German Geschäftsführer running a Czech subsidiary reads the Czech Act for that subsidiary, not the German BSIG. The directive obligations are the same; the procedure, the portal and the sanctions live in Czech law.
The Czech Republic cannot go below the EU floor
The directive is a minimum harmonisation instrument. The Czech Republic can go stricter, and historically has, via the 2014 cybersecurity regime, which already exceeded NIS 1 in places. It cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.
NÚKIB
Lead competent authority and supervisor. Operates GovCERT.CZ as the government CSIRT, administers the registration portal, issues implementing decrees (vyhlášky) and guidance, conducts audits and imposes sanctions. Holds the institutional memory from the 2014 cybersecurity regime that now feeds NIS 2 supervision.
Sector authorities
NÚKIB consolidates supervision, but sector regulators stay relevant where lex specialis applies. ČNB (Czech National Bank) supervises financial entities under DORA. ERÚ (Energy Regulatory Office) and ČTÚ (Czech Telecommunications Office) keep their sectoral competence. CSIRT.CZ, run by CZ.NIC, remains the .cz-domain CSIRT and supports the digital sector.
ENISA
The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Czech entities; NÚKIB is.
Our German parent is registered under BSIG, so the Czech entity is covered.
The directive is one floor, but the procedure is national. A Czech subsidiary providing a regulated service inside the Czech Republic registers under Act No. 264/2025 Sb. through the NÚKIB portal. German registration under the BSIG does not substitute. Group structure does not move competence; the place of establishment for the service does.
We were not on the old Act 181/2014 register, so we are not affected.
Act No. 264/2025 Sb. uses self-identification. The earlier KII / VIS lists from the 2014 regime do not carry over one-to-one. Every entity has to test itself against the new sector and size criteria, and against the list of roughly 60 regulated services across 18 sectors. Many entities outside the old register are inside the new one.
NIS 2 is only for energy, telecoms and banks. Manufacturing or waste is out.
The Czech Act mirrors the directive's two annexes. Important entities include manufacturing of certain products, food production and distribution, waste management, postal services, chemical production and digital providers. Medium-sized companies in these sectors are caught by default. Sector lists must be read against Annexes I and II of the directive, not against intuition.
Most Czech mid-market operators we see treat NIS 2 as an extension of the old Act 181/2014 Sb. regime. That is half right. NÚKIB still runs supervision and the incident channel, but the scope is much wider, the two-tier model of higher and lower significance changes obligations per service, and the statutory body (jednatel or představenstvo) carries explicit accountability for risk-management approval and training.
The practical move is the same as everywhere in the EU: confirm scope under the directive, self-identify against the list of regulated services, register through the NÚKIB portal, set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight), and document the minimum. The 2014 documentation helps, but it does not substitute for the NIS 2 obligation register.
We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Czech subsidiary using Act No. 264/2025 Sb., a German parent using BSIG, and a French sister using Ordonnance n° 2024-1093. Article references switch per locale; the substantive obligations do not.
For Czech scope you start with the applicability check, then move to incident reporting cadence, supply chain clauses and management body sign-off. Where NÚKIB publishes vyhlášky and sector guidance, we reference them; we do not duplicate them.
- Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690
- Act No. 264/2025 Sb., on Cybersecurity — Sbírka zákonů (4 August 2025)
- Act No. 181/2014 Sb. on Cybersecurity — predecessor framework
- NÚKIB — Národní úřad pro kybernetickou a informační bezpečnost (Brno), official site nukib.gov.cz
- GovCERT.CZ — government CSIRT, operated by NÚKIB
- CSIRT.CZ — national CSIRT for the .cz internet community, operated by CZ.NIC
- Czech National Bank (ČNB) — DORA-competent authority for the financial sector
- European Commission, NIS 2 transposition tracker — Czech Republic