Managers' liability for cybersecurity
Oct 21, 2025
Cybersecurity
New Cybersecurity Act
On 1 November, the new Act No. 264/2025 Coll., Act on Cybersecurity (“CA”), comes into effect, imposing new obligations on a wide range of entities, including:
(i) reporting to the National Cyber and Information Security Agency (“NUKIB”);
(ii) adoption of security measures; and
(iii) reporting cybersecurity incidents.
In the case of security measures and incident reporting, these are rather “old-new” obligations, as they are already known from the current legislation, but the CA significantly expands the range of entities which are subject to these obligations. NUKIB itself estimates that the CA will now apply to more than 6,000 entities providing so-called “regulated services”, which it defines across sectors – from energy and industry to the financial market and healthcare.
Beyond the general obligations, this article takes a closer look at one of the key impacts of the new CA on management positions in companies. The CA tightens the responsibility of members of statutory bodies of companies for ensuring and maintaining cybersecurity. These persons now face, among other things, the threat of being banned from performing the function in a statutory body.
General information on the obligations of regulated service providers
The CA applies to providers of regulated services. Therefore, if your activity falls within the scope of services listed in the new decree on regulated services (e.g. industrial food production, operation of waste management facilities or manufacture of medical devices) and you are a medium-sized or small enterprise, or you meet the criteria of significance for ensuring important social or economic activities or for the security of the Czech Republic (again specified in the forthcoming decree), you will most likely be subject to the CA and the obligations set out therein.
Reporting obligation
One of the initial obligations of a regulated service provider is to submit a notification to NUKIB within 60 days of the date on which it begins to meet the conditions for registration, on the basis of which NUKIB will issue a decision on the registration of the regulated service. Entities that will meet the conditions for registration on the effective date of the CA must therefore submit their notification by the end of this year at the latest. This obligation should not be underestimated, as the CA allows for a fine of up to CZK 250,000,000 or up to 2% of the net global group turnover to be imposed for its violation.
Higher and lower obligations regime
In addition to other general obligations, such as reporting changes in regulated service data, the CA distinguishes between specific obligations depending on whether the service is classified under the lower or higher obligations regime. The classification will be determined by a forthcoming decree, with the key criteria being the size of the enterprise and quantitative indicators (for example, the volume of payment transactions over a given period in the case of financial institutions, or the number of petrol stations an operator runs in the Czech Republic).
Services falling under the lower obligation regime must only meet basic requirements, such as implementing a system to ensure a minimum level of cybersecurity or detecting and recording security incidents. Conversely, service providers under the higher obligation regime must ensure comprehensive organisational and technical measures, including the evaluation of individual incidents. An overview of specific security measures is provided in Section 14 of the CA, with more detailed specifications set out in decrees on security measures for the lower and higher obligation regimes.
Managerial responsibility
Failure to comply with selected obligations under the CA may have direct consequences for the statutory bodies of companies. The CA contains mechanisms to which managers should pay close attention.
For providers of regulated services under the higher regime, the CA introduces relatively strict sanctions in the event of a breach of the obligations set out in the NUKIB decision. In the event of a serious or repeated breach of obligations by a statutory body that has prevented the proper implementation of the authority's decision to remedy deficiencies in cybersecurity, the NUKIB will now be authorised to prohibit the person concerned from performing the function of a statutory body for a minimum period of six months.
Any failure to fulfil the legal obligations arising from the CA may also lead to a breach of the statutory body's legal obligation to act with due care. For example, if a security incident occurs or a fine is imposed by NUKIB, the company's management may be liable for any damage incurred by the company. This could be a situation where the company fails to adequately assess that it is affected by the new legislation, fails to report regulated services to NUKIB in a timely manner and is subsequently fined, or fails to take adequate security measures in a timely manner.
The obligation to pay damages and a possible ban on performing their duties can therefore have a significant impact on management. Exposing yourself to such a risk is a completely unnecessary gamble, especially when it is sufficient to take a responsible approach to assessing your obligations under the CA and implementing the individual measures.
Conclusion
It is important that company management does not take cybersecurity lightly, has an assessment carried out in good time to determine whether the company's activities fall under a regulated service, ensures registration with NUKIB and takes the necessary measures. This is the only way to avoid potential personal liability. Moreover, cybersecurity is not just about complying with legal requirements; it is primarily about protecting the integrity of your company, including ensuring comprehensive security within the supply chain. Compliance with cybersecurity is becoming a common standard in business and neglecting it can be a competitive disadvantage.
Cybersecurity is an area that we deal with in detail at our office. If you are unsure whether you fall under the definition of a regulated service, need help implementing security measures, or need to perform a comprehensive audit of your compliance, please do not hesitate to contact us.
We will ensure that you are always one step ahead in cyberspace.

Partner | Attorney at law
adam.prerovsky@keymove.cz
+420 725 004 238

Junior associate
ales.holly@keymove.cz