From NIS2 to Law: The new Cybersecurity Act

Our team specializing in cybersecurity, regulatory compliance, and law will guide you through a comprehensive assessment of your readiness in relation to the requirements arising from the new Cybersecurity Act No. 264/2025 Coll., which transposes the NIS2 Directive into national legislation and is in force starting from November 2025, representing a fundamental change in the field of cybersecurity in the Czech Republic and introducing new obligations for a wide range of organizations.

Cybersecurity Act as a national regulation implementing NIS2

NIS2 is a European directive that sets rules and requirements for cybersecurity and ICT systems and networks. Following on the previously applicable NIS Directive, it improves cybersecurity across the European Union by harmonizing security requirements and reporting obligations. It extends the scope of requirements to other areas of interest, such as supply chain management, vulnerability management, and cyber hygiene, and strengthens cooperation and knowledge sharing among EU Member States. Alongside the Digital Operational Resilience Regulation (DORA) and the Critical Entities Resilience Directive (CER), NIS2 is another European Union legislative tool focused on increasing the digital operational resilience and cybersecurity of all relevant entities operating in the EU.

Although NIS2 has been in force at the European level since the beginning of 2023, its requirements affect individual entities in the Czech Republic only through the Cybersecurity Act.

What does the Cybersecurity Act bring?

The final version of the NIS2 Directive was published in the Official Journal of the EU in December 2022 in all official languages, and Member States were responsible for the implementation of the requirements into their national legislation by 17 October 2024. This deadline was not met in the Czech Republic – the final version of the Cybersecurity Act was published only on 4 August 2025 and signed by the President only in June 2025. Below is an overview of the new rules introduced by the Act.

The Cybersecurity Act applies to a wider range of entities than its previous version, in particular to providers of regulated services in key sectors such as energy, healthcare, transport, and digital services. This expansion follows from changes in the NIS2 Directive itself, which distinguishes between two categories of entities: Essential entities operating in sectors such as public administration, digital infrastructure, energy, finance, and transportation; and Important entities providing services in areas such as waste management, research, and manufacturing. In total, NIS2 affects more than 18 sectors and extends rules and obligations for businesses in four key areas: risk management, corporate responsibility, business continuity, and reporting.

In line with the Cybersecurity Act, the entities concerned will encounter two regimes for meeting the legal requirements – a lower and a higher obligation regime. The regime that each entity falls into depends mainly on the size of the entity and its business sector.

Entities subject to the Cybersecurity Act's requirements are obliged to implement measures to address specific forms of cyber threats and minimize their impacts; ensure that their governing bodies oversee cybersecurity matters and are properly trained in the field; establish processes for incident reporting; and prepare a comprehensive business continuity plan for major incidents. You can test your organization's compliance with the basic requirements arising from NIS2, as specified by the Cybersecurity Act, using Deloitte's NIS2 Self-Assessment Tool.

How can we help?

At Deloitte, we offer legal and consulting services related to the new legislation. We can also help you with Cyber Risk management.

How can Deloitte help?

It is crucial for all affected entities to start the process of achieving compliance with legal requirements as soon as possible, bearing in mind that compliance processes, including assessments of the overall state of cybersecurity, auditing, consultations, and implementation of tools, take several months and are relatively demanding. Even determining the regime of applicability itself can be challenging, given the different conditions in each business sector.

Our team of experts in cybersecurity, regulatory compliance and law, risk management, and security controls implementation will help you meet all requirements of the Cybersecurity Act. Our support includes a comprehensive approach to cyber risk management and compliance, including:

  • Comprehensive analysis of your organization's environment and classification into compliance regimes.
  • Assessment of readiness and identification of gaps in compliance with legal requirements.
  • Proposal of corrective measures and their prioritization.
  • Re-adjustment of contracts within supply chains to ensure compliance.
  • Communication with the regulator and performing the necessary actions before the authority.
  • Providing support in the implementation of security measures.
  • Providing support in preparing for an audit, for example in preparing the necessary documentation.
  • Developing business continuity plans, vulnerability management, and implementing security requirements in the supply chain and third-party assessments.

If you want to be sure that your organization is prepared to comply with legal requirements, do not hesitate to contact us. We will conduct a gap analysis for you, prepare an action plan, and provide support in implementing the necessary measures.

An overview of our services by area can be found below.

As a generally binding legal regulation, the Cybersecurity Act has an unprecedented impact on the legal status of regulated entities compared to previous regulations. The status of a regulated entity needs to be reflected both internally, within your organization in relation to your employees and legal processes, and externally when dealing with the regulator and your suppliers or contractual partners.

From a legal services perspective, it is crucial that all efforts to comply with the Cybersecurity Act formally meet the legal requirements. At the same time, due diligence and the obligation of senior management to comply also come into play – failure to meet those requirements may be considered a violation. Organizations may have the best processes in place, but if they are not aligned with the measures required by law, they may be irrelevant to the regulator. Therefore, when preparing clients for the Cybersecurity Act and implementing processes, we always work closely with cybersecurity experts to ensure that all measures are carried out in accordance with the legal requirements. Our services include:

  • Legal impact analysis: We will assess whether and how the Cybersecurity Act affects your business and recommend what steps to take to ensure that your organization adapts quickly and effectively to the requirements.
  • Legal advice: We will provide you with legal advice related to the Cybersecurity Act, including coverage of the basic requirements that apply to your business environment, and propose procedures for meeting them.
  • Legal assistance in resolving cybersecurity incidents: We will provide immediate legal support in the event of a cyberattack or other security incident. We will help you minimize legal risks and ensure compliance with regulatory requirements during a crisis.
  • Grant consulting: We will assess the possibilities of using funds provided to support measures to increase cybersecurity within the EU or at the national level, including legal services in the area of assessing the funds provided from the perspective of public support regulations and preparing and submitting applications for financial support.
  • Contractual documentation: We will create or update your contracts with suppliers, customers, and partners and prepare other necessary documentation required to protect critical information infrastructures and comply with the requirements of the Cybersecurity Act. This process is similar to that used when concluding data processing agreements (DPAs) in relation to GDPR.
  • Training and compliance: We will design and implement comprehensive cybersecurity training programs for your employees, management, and statutory bodies. We will focus on the practical aspects of the Cybersecurity Act and their application in your organization.
  • Legal support in the development of security products and services: We will provide legal support in the area of cybersecurity certification for companies developing security solutions.
  • Representation before NÚKIB and other authorities: In the event of inspections, administrative proceedings, or other interactions with NÚKIB or other regulatory authorities, we will represent you and defend your interests. We will help you navigate complex regulatory processes and minimize potential penalties.

Implementing new legal requirements into business practice often involves aligning regulations with company processes, organizational structures, staffing, and technological infrastructure. In similar implementations, the following approach has proven highly effective. As part of our analyses, we use our own proven tools that enable us to efficiently identify gaps and prioritize steps. Examples include the Deloitte NIS2 Maturity Assessment Tool and the ZoKB Maturity Assessment Tool, designed directly with the Cybersecurity Act's requirements in mind, which we offer to our clients as part of our services.

  • Analysis of existing processes: We will analyze existing processes, applications, and staffing in the context of the requirements of the Cybersecurity Act.
  • Technology: We will conduct IT, business, and financial assessments of your considered options.
  • Changes: We will propose specific changes at the organizational level and within individual domains, and validate these proposals with you.
  • Implementation roadmap: We will prepare a detailed implementation plan that considers your company’s technological, process, and organizational readiness. On the technological side, we often recommend using cloud services in combination with traditional enterprise ICT (e.g., a mix of AWS, MS Azure, M365 with on-premises infrastructure).

Together, we will plan the scope and depth of our involvement according to your needs and expectations. We will map your organization, the reasons for introducing the Cybersecurity Act requirements into the company, as well as the personnel, financial, and technical context, and determine the final scope of our activities and expected deliverables accordingly.

  • Information gathering: We will collect information about cybersecurity in your company, specifically regarding ICT assets, related threats, job roles and procedures, and other variables.
  • Security risks: We will identify cybersecurity risks relevant to your company.
  • Gap analysis: We will conduct a gap analysis comparing your current cybersecurity state with the desired target state – in this case, full compliance with the Cybersecurity Act.
  • Security measures: We will propose and implement security measures to mitigate identified cybersecurity risks.
  • Regular follow-up: We will fine-tune the measures and capture lessons learned. We will ensure the measures are sustainable and subject to regular review.