
NIS2 in the Czech Republic: Who Must Register and Why It Is Mandatory

The new Cybersecurity Act (ZKB) implementing the NIS2 Directive marks a major change in national cybersecurity regulation. The scope is now much wider. As a result, more than 6,000 organizations are expected to fall under the new requirements.

The first mandatory step is the registration of regulated entities by 31 December 2025. This step is essential. Without registration, companies cannot begin the compliance process required from 2026 onward.

Who Must Register?

NIS2 divides regulated companies into two groups.

1. Essential Entities

This group includes organizations whose disruption would significantly affect society or the economy. These include:

  • energy providers (electricity, gas, oil, distribution)
  • water suppliers and wastewater services
  • transportation (rail, air, road, maritime, critical logistics)
  • public and private healthcare providers
  • digital infrastructure (DNS, data centers, cloud providers)
  • banking, insurance, and regulated financial services
  • government and public administration

These entities must meet stricter cybersecurity requirements. For instance, they must perform regular audits, maintain business continuity planning, and follow advanced reporting procedures.

2. Important Entities

This category also requires registration, although the initial requirements are less strict. It includes:

  • ICT companies, hosting providers, SaaS and cloud platforms
  • medium and large manufacturing companies
  • waste management and environmental services
  • logistics, postal services, and delivery companies
  • food production and agriculture
  • universities and research institutions
  • IT suppliers to essential entities

Smaller companies may also be included if they operate in critical supply chains.

Size Thresholds

To be covered by NIS2, a company must meet at least one of the following:

  • 50 or more employees, or
  • €10 million annual turnover or more

However, authorities may include smaller organizations if they are considered strategically important.

Why Registration Matters

The goal of NIS2 is to increase cybersecurity maturity and resilience across Europe. Additionally, it creates a unified registry of strategic organizations to standardize security practices.

Once registered, companies become regulated entities and must:

  • implement cybersecurity measures aligned with ISO 27000
  • appoint a cybersecurity officer
  • establish governance processes and internal policies
  • report significant incidents within 24 hours
  • prove compliance through audits and documentation

Penalties for Non-Compliance

The consequences are severe. Fines may reach:

  • CZK 250 million, or
  • 2% of global annual revenue, whichever is higher.

Management may also be held directly accountable.

Key Deadlines

Date | Requirement
1 November 2025 | New Cybersecurity Act becomes effective
31 December 2025 | Mandatory registration deadline
2026 | Compliance implementation and audits

Because of this, many companies have already started assessments and preparation.
