Current status of implementation


The Czech act implementing the NIS Directive has been effective since 1 August 2017.

Implementation Act


Act No. 205/2017 Coll. (Collection of Acts, part 74) amends Act No. 181/2014 Coll. on Cyber Security (the "CSA"), as previously amended by Act No. 104/2017 Coll.; it also amends Act No. 412/2005 Coll. on Protection of Classified Information and, to a lesser extent, other related Acts.

Determination of operators of essential services (Art. 5 NIS)


Pursuant to Art. 5 of the NIS Directive, the Czech legislator has specified the criteria for identifying operators of essential services in the following sectors: a) energy, b) transportation, c) banking, d) financial market infrastructure, e) healthcare, f) water management, g) digital infrastructure and h) chemical industry.

Operators of essential services can be legal persons, entrepreneurs or public bodies which (i) operate one of the essential services in the sectors listed above and (ii) are designated as such by the National Cyber and Information Security Agency. Pursuant to Art. 5(7) of the NIS Directive, the following bodies are also classed as operators of essential services: (i) administrators and operators of information systems of critical information infrastructure and (ii) administrators and operators of communication systems of critical information infrastructure.

Reporting obligations


Certain authorities and persons (listed in Section 3(b)-(f) of the CSA) are required to report cyber security incidents affecting their significant network, critical information infrastructure information system, critical information infrastructure communication system, basic service information system or significant information system without delay after detection (Section 8(1) of the CSA). In the CSA, "basic service" is the Czech term corresponding to an essential service under the NIS Directive.

Depending on their category, they report cyber security incidents either to the national CERT or to the National Cyber and Information Security Agency (Section 8(2) and (3) of the CSA). Authorities and persons not listed in Section 3 of the CSA may report voluntarily to either the national CERT or the National Cyber and Information Security Agency (Section 8(6)).

If a cyber security incident has a significant impact on the continuity of the provision of a basic service, the operator of the basic service must notify the National Cyber and Information Security Agency (Section 8(1)).

Providers of digital services must report without delay any cyber security incident that has a significant impact on the provision of their digital service, provided that they have access to the information necessary for assessing the significance of the impact (Section 8(2) of the CSA).

If a cyber security incident affecting a provider of a digital service has a significant impact on the continuity of provision of the digital service, the provider has to report it to the National Cyber and Information Security Agency (Section 8(8) of the CSA).

The type, category and assessment of the significance of the cyber security incident's impact, as well as the requisites and means of reporting the cyber security incident shall be set out in implementing legislation (Section 8(7)).

Sanctions regime


Section 25 of the CSA provides for administrative fines to legal persons of up to approx. EUR 200,000, in particular in the following cases:

  • Administrators or operators of the information or communication systems of critical information infrastructure, administrators or operators of significant information systems, or administrators or operators of basic service information systems do not introduce or implement security measures, or do not maintain security documentation.
  • Providers of digital services do not introduce or implement security measures.

Section 25 of the CSA provides for administrative fines to legal persons of up to approx. EUR 40,000, in particular in the following cases:

  • Providers of electronic communication services, entities operating an electronic communication network or authorities or persons operating a significant network:
    • do not fulfil their obligation imposed by the National Cyber and Information Security Agency contained in its decision or a measure of a general nature during a time of a cyber threat; or
    • do not fulfil any of the obligations imposed through a corrective measure.
  • Administrators and operators of the information or communication systems of critical information infrastructure or administrators or operators of significant information systems:
    • do not report a cyber security incident;
    • do not fulfil their obligation imposed by the National Cyber and Information Security Agency contained in its decision or a measure of a general nature; or
    • do not hand over data, operating data and information.
  • Administrators of the information or communication systems of critical information infrastructure or administrators of a significant information system do not notify the operator of the system.
  • Administrators or operators of the information or communication systems of critical information infrastructure do not notify the entities operating an electronic communication network.
  • Operators of the information or communication systems of critical information infrastructure:
    • do not fulfil their obligation imposed by the National Cyber and Information Security Agency contained in its decision;
    • do not hand over data, operating data and information; or
    • do not destroy copies of data, operating data and information.
  • Authorities or persons operating a significant network do not report a cyber security incident.
  • Administrators and operators of the basic service information systems:
    • do not report a cyber security incident;
    • do not fulfil their obligation to inform the public imposed by the National Cyber and Information Security Agency;
    • do not fulfil an obligation imposed by the National Cyber and Information Security Agency; or
    • do not fulfil an obligation imposed through a corrective measure.
  • Administrators or operators of the information or communication systems of critical information infrastructure, administrators or operators of significant information systems, administrators or operators of basic service information systems, and operators of basic services that are public authorities enter into a contract with a provider of cloud computing services.
  • Administrators or operators of the information or communication systems of critical information infrastructure do not fulfil their obligation to notify the public imposed by the National Cyber and Information Security Agency.
  • Operators of basic services:
    • do not notify the administrators or providers of basic service information systems;
    • do not report a significant impact on the continuity of provision of the basic service whether or not caused by a cyber security incident; or
    • do not fulfil their obligation to inform the public imposed by the National Cyber and Information Security Agency.
  • Providers of digital services:
    • do not appoint their representative;
    • do not report a cyber security incident; or
    • do not fulfil their obligation to inform the public imposed by the National Cyber and Information Security Agency.

Section 25 of the CSA provides for administrative fines to legal persons of up to approx. EUR 8,000, in particular in the following cases:

  • Operators of the information or communication systems of critical information infrastructure:
    • do not hand over data, operating data and information; or
    • do not allow administrators to supervise the destruction of data, operating data and information.

Section 25 of the CSA provides for administrative fines to legal persons of up to approx. EUR 400, in particular in the following cases:

  • Administrators or operators of the information or communication systems of critical information infrastructure or administrators or operators of significant information systems do not fulfil their obligation imposed by the National Cyber and Information Security Agency contained in its decision.

Competent authorities


The National Cyber and Information Security Agency is the central authority for cyber security at national level (Section 21a of the CSA).

The national CERT and the government CERT are responsible for sharing information on cyber security at national and international level. Among their other duties, they collect and evaluate cyber security incident reports from the authorities and persons listed in the CSA (Sections 17 and 20 of the CSA).

Jurisdictional applications

Providers of digital services are subject to the CSA if:
  • their seat is located in the Czech Republic (Section 33 of the CSA); or
  • their seat is located outside the EU, but their representative is located in the Czech Republic (Section 3a of the CSA).

Remarks (if any)

The key requirements set out in the NIS Directive were already part of the Czech Cyber Security Act, which has been in force since 1 January 2015. The changes to Czech law required by the NIS Directive were therefore relatively small.


Last reviewed 28.02.2018