Blog


The New Cybersecurity Act: Why Cybersecurity Is No Longer Just an IT Department Issue

04. 05. 2026

As of 1 November 2025, the new Act No. 264/2025 Coll., on Cybersecurity, is in force, implementing the requirements of the European NIS2 Directive into Czech law. This legal regulation significantly expands the range of entities that may be subject to cybersecurity obligations. For many entrepreneurs, this means that cybersecurity can no longer be viewed merely as a technical problem for a network administrator or external IT provider.

The new legal framework is based on the idea that cybersecurity is part of organisational management. It concerns not only system settings, backups, or access protection, but also risk management, management responsibility, supplier relationships, internal rules, employee training, and the ability to respond to security incidents. It is precisely this change in perspective that is most important for entrepreneurs.

The Act applies to entities that meet the criteria set out by the legal regulation and provide a so-called regulated service. The National Cyber and Information Security Agency has long stated that the new regulation may affect thousands of organisations, with thousands of entities already reporting regulated services in the first months after the Act took effect. This confirms that this is not a marginal regulation intended only for a few of the largest technology companies.

For entrepreneurs, it is essential first to assess whether they fall within the scope of the Act at all. This question may not always be obvious at first glance. The decisive factors may include the size of the organisation, the sector, the type of service provided, the importance of the service to society, or its connection to other regulated activities. Underestimating this initial analysis may result in an entrepreneur failing to begin fulfilling obligations in time.

If an entrepreneur falls within the regulation, they must address not only formal notification, but also the subsequent implementation of appropriate security measures, risk management settings, incident reporting rules, and documentation of the measures adopted. In practice, the contractual setting of relationships with IT suppliers, cloud service providers, external system administrators, and other persons who have access to important company data or systems will also be important.

The impact on statutory bodies is also significant. If cybersecurity fails as a result of long-term neglect of risk management, the absence of basic measures, or the ignoring of obvious threats, the issue of liability may also shift into the area of the duty of due managerial care. A managing director or member of a statutory body cannot automatically defend themselves by saying that “IT was handled by a supplier.” In the case of significant risks, the company must be able to demonstrate that management actually addressed them and adopted appropriate measures.

In conclusion, the new Cybersecurity Act represents, above all, a call for entrepreneurs to conduct an internal audit. Companies should assess whether the new regulation applies to them, which data and systems are critical to their operation, how they are protected, who is responsible for them, and how the company would proceed in the event of an incident. Cybersecurity is thus becoming not only a technical issue, but also a legal and managerial one.

All articles

Novinky - výpis všech


Choose a free date

Friday Free terms 10. 7.

1. Choose a free date

Friday 10. 7.

2. Tell us more

Information on the processing of personal data can be found here.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.