Act No. 264/2025 Coll.
Cyber Security Act
Valid
Law
Effective from 01.11.2025
Text versions: 01.11.2025, 04.08.2025
264
THE ACT
of 11 June 2025
on cyber security
The Parliament has adopted this Act of the Czech Republic:
PART ONE
CYBER SECURITY
TITLE I
Basic provisions
§ 1
Subject matter
(1) This Act regulates the rights and obligations of persons, organisational units of the State and other public authorities in the field of ensuring cyber security, and the competence and powers of the National Office for Cyber and Information Security ("the Office") and of other public authorities.
(2) This Act applies to persons established in the Czech Republic. It also applies to persons who provide electronic communications networks or services in the territory of the Czech Republic under other legislation (1), regardless of their place of establishment.
(3) This Act transposes the relevant European Union legislation (2) and at the same time builds upon directly applicable European Union regulations (3).
(4) This Act does not apply to information or communication systems that handle classified information.
§ 2
Definition of terms
(1) For the purposes of this Act:
(a) data means records of acts, facts or information, and sets of such records, including traffic data (4) and metadata (5), in particular in the form of text, numbers, graphs, images, sound and video;
(b) information means data that have been processed, interpreted or arranged and that have meaning and context;
(c) asset means a physical or digital device, person or activity related to the processing of information and data in electronic form;
(d) primary asset means an asset in the form of processed information or services;
(e) supporting asset means an asset ensuring the functioning of primary assets, in particular an employee, a supplier, a technical asset, a building or other enclosed area in which an asset of the regulated service is located; and
(f) technical asset means hardware or software means or equipment.
(2) For the purposes of this Act:
(a) cyberspace means the set of electronic communications networks and other technologies in which information and data are processed in electronic form;
(b) information security means ensuring the confidentiality, integrity and availability of information and data;
(c) threat means any potential circumstance, event or conduct which may cause a cyber security event or a cyber security incident and which may damage, distort or otherwise adversely affect assets, their users or other persons;
(d) significant threat means a threat which, on the basis of its technical characteristics, can be assumed to have the potential to significantly affect the assets of the regulated service provider or of users of the regulated service to such an extent as to cause significant damage;
(e) cyber security event means an event which may result in a cyber security incident;
(f) cyber security incident means a breach of information security in cyberspace;
(g) management of a cyber security incident means actions aimed at prevention, detection, analysis, reduction of impact, response to the incident and subsequent recovery; and
(h) vulnerability means a weakness of an asset or of a security measure which may be exploited by a threat.
(3) For the purposes of this Act:
(a) domain name system means a hierarchical distributed name translation system which allows Internet services and resources to be identified and which allows end-user devices to use routing and Internet connectivity services to reach those services and resources;
(b) management and operation of a top-level domain registry means activities consisting in the management of a particular delegated top-level domain, including the registration of domain names within that top-level domain and the technical operation of its name servers, the management of the databases needed for that management and operation, and the distribution of the top-level domain zone files across the name servers, except where the top-level domain registry uses the top-level domain names only for its own use;
(c) cloud computing service means an information society service under the legislation governing information society services which enables self-service management and broad remote access to a scalable and elastic pool of shared computing resources, including where those resources are deployed across multiple locations;
(d) data centre service means a service which comprises premises, including all power distribution and environmental control facilities, intended for the centralised accommodation, interconnection and operation of information technology and network equipment providing data processing services;
(e) content delivery network means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or rapid delivery of digital content and services to Internet users;
(f) social networking platform means a platform that enables end-users to connect, share, discover and communicate with each other across different devices, in particular through chats, posts, videos and recommendations;
(g) managed service means a service related to the installation, management, operation or maintenance of technical assets, by means of assistance or active administration carried out either on customers' premises or remotely;
(h) managed security service means a managed service consisting of or providing assistance for cyber security risk management activities; and
(i) provider of domain name registration services means a person providing domain name registration services or a person providing similar services on behalf of a registrar.
TITLE II
Provider of regulated service
Division 1
Regulated service and provider regime
§ 3
Regulated service
A regulated service is a service whose registration the Office has decided on pursuant to § 6(2).
§ 4
Conditions for registration of a regulated service
(1) The conditions for the registration of a regulated service are fulfilled where:
(a) it is a service which is important for ensuring important social or economic activities, or for the security of the Czech Republic, in one of the following sectors:
1. public administration,
2. energy,
3. manufacturing industry,
4. food industry,
5. chemical industry,
6. water management,
7. waste management,
8.
9. digital infrastructure and services,
10. financial market,
11. health,
12. science, research and education,
13. postal and courier services,
14. defence industry,
15. space industry; and
(b) the service provider is a medium-sized or large enterprise within the meaning of Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises ("Commission Recommendation 2003/361/EC") (6), or is significant for ensuring important social or economic activities or security in the Czech Republic.
(2) The list of services referred to in paragraph 1(a) and the definition of the conditions of significance of the provider referred to in paragraph 1(b) shall be laid down by the Office by decree.
§ 5
The conditions for the registration of a regulated service are also fulfilled where:
(a) it is a service referred to in § 4(1)(a) and
1. its provider is the only provider of that service in the Czech Republic and the service is essential for ensuring critical social or economic activities or security in the Czech Republic,
2. the disruption of the service could have a significant impact on the security of the Czech Republic, on internal order or on life and health,
3. the disruption of the service could give rise to significant systemic risks, in particular in sectors where such disruption could have a cross-border impact, or
4. its provider, owing to its specific importance at regional or national level, is essential for the specific sector in which it operates, for the type of service it provides or for other interconnected sectors in the Czech Republic;
(b) it is a service the disruption of which could cause serious interference with the life of more than 125 000 persons through a threat to the security of the Czech Republic, internal order, life and health, property values or the environment;
(c) it is a service the disruption of which could seriously impair the ability of a provider under the higher obligation regime to provide another regulated service; or
(d) it is a service whose provider is a critical infrastructure entity under the legislation governing crisis management and critical infrastructure; in that case the regulated service is the service corresponding to the critical infrastructure element designated for that entity.
§ 6
Notification and registration of a regulated service
(1) A service provider meeting the conditions for the registration of a regulated service pursuant to § 4(1) is required to notify that service to the Office no later than 60 days after the date on which the conditions for registration were met. The format and method of the notification referred to in this paragraph shall be laid down by the Office by decree.
(2) The Office shall decide on the registration of a regulated service where the conditions for the registration of a regulated service pursuant to § 4(1) or § 5 are met.
(3) Proceedings for the registration of a regulated service meeting the conditions for registration laid down in § 5 may be initiated only ex officio.
(4) The decision on the registration of a regulated service referred to in paragraph 2 may be the first act of the Office in the proceedings. A remonstrance filed against the decision on the registration of a regulated service has no suspensive effect.
§ 7
Specific provisions for determining the size of an enterprise
By way of derogation from the rules of Commission Recommendation 2003/361/EC, for the purposes of this Act:
(a) Article 3(4) of Commission Recommendation 2003/361/EC shall not apply;
(b) organisational units of the State (7), local government units and the Czech National Bank are not considered to be enterprises;
(c) persons whose technical assets are entirely separate from the technical assets used by the person under assessment in providing the regulated service shall not be regarded as partner or linked enterprises; and
(d) for determining the size of a provider of a regulated service in the science, research and education sector which is not an enterprise, the rules for determining the size of an enterprise laid down in Commission Recommendation 2003/361/EC, including the special rules laid down by this Act, shall apply mutatis mutandis.
§ 8
Regulated service provider regime
(1) A regulated service provider falls under the higher obligation regime where, owing to its size, number of users, geographical reach of the service, impact on the functioning of the sector or on other regulated service providers, or operational risk, it is of considerable economic, social or security significance for the Czech Republic. A regulated service provider that does not fall under the higher obligation regime under the first sentence falls under the lower obligation regime.
(2) The assignment of providers, by regulated service provided, to the regimes referred to in paragraph 1 shall be laid down by decree.
(3) Where a regulated service is registered by a decision of the Office on the basis of compliance with the conditions for registration laid down in § 5, its provider falls under the higher obligation regime.
§ 9
(1) The regulated service provider is required to report to the Office changes to the regulated service which may lead to a change of the regulated service provider's regime, no later than 60 days after the change has occurred.
(2) Where a regulated service provider's regime changes from the lower obligation regime to the higher obligation regime, new time limits for the commencement of the obligations under § 11(1), § 13(4) and § 15(4) begin to run.
§ 10
Cancellation of the registration of a regulated service
(1) If the service no longer fulfils the conditions for the registration of a regulated service pursuant to § 4(1) or § 5, the Office shall decide to cancel the registration of the regulated service.
(2) Proceedings for the cancellation of the registration of a regulated service shall be initiated at the request of its provider. Proceedings may also be initiated ex officio. A decision to cancel the registration of a regulated service may be the first act in the proceedings. A remonstrance against a decision cancelling the registration of a regulated service by which the Office has granted the request in full is not admissible.
(3) A written decision cancelling the registration of a regulated service shall not be drawn up where the Office has granted the request in full or has decided to cancel the registration in proceedings initiated ex officio. In such a case, the decision becomes final upon being recorded in the file. The Office shall inform the party in writing of the cancellation of the registration of the regulated service.
Division 2
Obligations of the regulated service provider and countermeasures
§ 11
Data reporting
(1) The regulated service provider shall report to the Office, no later than 30 days after the date of receipt of the decision on the registration of the regulated service:
(a) contact details, which means the identification data of the natural persons authorised to act on behalf of the regulated service provider in matters governed by this Act; and
(b) additional information, which means information on the ownership structure of the regulated service provider, technical data concerning the regulated service, and information on its geographical distribution and cross-border provision.
(2) The regulated service provider shall report changes to the data referred to in paragraph 1, other than reference data held in the basic registers, no later than 14 days after the date on which the change occurred.
§ 12
Determination of the scope of cyber security management
(1) The scope of cyber security management (hereinafter "the specified scope") comprises the assets related to the provision of the regulated service.
(2) In order to define the specified scope, the regulated service provider shall:
(a) identify all of its primary assets;
(b) assess whether each primary asset is related to the provision of the regulated service; and
(c) for the primary assets referred to in point (b), identify the supporting assets.
(3) The regulated service provider shall record the assets that form part of the specified scope and the primary assets that have been excluded from the specified scope, including the reasons for their exclusion.
(4) Primary assets that have not yet been assessed under paragraph 2(b) and supporting assets that have not yet been identified under paragraph 2(c) are deemed to form part of the specified scope.
(5) The regulated service provider shall regularly review and update the specified scope.
§ 13
Security measures
(1) Security measures are organisational and technical measures intended to ensure the proper provision of the regulated service and the cyber security of assets.
(2) The regulated service provider shall, within the specified scope, introduce and implement the security measures referred to in § 14 to the extent necessary to ensure the cyber security of the regulated service.
(3) The content of the security measures and the manner of their introduction and implementation shall be laid down by decree.
(4) The regulated service provider shall fulfil the obligation to introduce and implement the security measures referred to in paragraph 2 for each regulated service no later than 1 year after the date of receipt of the decision on the registration of the regulated service.
(5) Where a regulated service provider introduces or implements security measures through a supplier, it shall select the supplier in accordance with the requirements of the security measure and include the requirements of the security measure in its contracts with the supplier.
§ 14
List of security measures
(1) For regulated service providers under the higher obligation regime,
(a) the organisational measures are:
1. information security management system,
2. requirements for senior management,
3. determination of security roles,
4. management of security policy and security documentation,
5. asset management,
6. risk management,
7. supplier management,
8. human resources security,
9. change management,
10. acquisition, development and maintenance,
11. access management,
12. management of cyber security events and incidents,
13. business continuity management, and
14. performance of cyber security audits;
(b) the technical measures are:
1. physical security,
2. security of communication networks,
3. identity management and authentication,
4. management of access rights and authorisations,
5. detection of cyber security events,
6. recording of events,
7. evaluation of cyber security events,
8. application security,
9. cryptographic algorithms,
10. ensuring the availability of the regulated service, and
11. security of industrial, control and similar specific technical assets.
(2) For regulated service providers under the lower obligation regime, the organisational and technical measures are:
(a) a minimum cyber security assurance system;
(b) requirements for senior management;
(c) asset management;
(d) risk management;
(e) human resources security;
(f) business continuity management;
(g) access management;
(h) identity management and authorisation;
(i) detection and recording of cyber security events;
(j) handling of cyber security incidents;
(k) security of communication networks;
(l) application security; and
(m) cryptographic algorithms.
§ 15
Cyber security incident reporting
(1) A regulated service provider under the higher obligation regime is obliged to report to the Office, in accordance with the procedure laid down in § 16, cyber security incidents which have occurred within the specified scope, which originate in cyberspace and for which intentional causation cannot be ruled out within the time limit referred to in § 16(1).
(2) A regulated service provider under the lower obligation regime is obliged to report to the national team for the coordination and management of cyber security incidents, events and threats (hereinafter "National CERT"), in accordance with the procedure laid down in § 16, cyber security incidents which have occurred within the specified scope, which originate in cyberspace, which have a significant impact on the provision of the regulated service and for which intentional causation cannot be ruled out within the time limit referred to in § 16(1).
(3) A cyber security incident has a significant impact on the provision of a regulated service where it has caused, or may cause, serious operational disruption or financial loss to the regulated service provider, or has caused or may cause significant harm to other persons. The procedure by which a regulated service provider under the lower obligation regime assesses the significance of the impact of a cyber security incident on the provision of the regulated service shall be laid down by the Office by decree.
(4) The regulated service provider shall fulfil the obligation to report cyber security incidents referred to in paragraphs 1 and 2 for each regulated service no later than 1 year after the date of receipt of the decision on the registration of the regulated service.
(5) The Office also receives voluntary reports of cyber security incidents, cyber security events or threats. Vulnerabilities may also be reported to the Office.
§ 16
Cyber security incident reporting procedure
(1) The regulated service provider shall, without undue delay and no later than 24 hours after detecting the cyber security incident, submit an initial report stating its identification data, the essential data on the cyber security incident, and whether it considers that the cyber security incident was caused by unlawful interference or could have a cross-border impact.
(2) The Office shall inform a regulated service provider under the higher obligation regime, without undue delay and no later than 24 hours after the report of the cyber security incident under paragraph 1, whether the cyber security incident has a significant impact on the cyberspace of the State. The significance of the impact on the cyberspace of the State is determined by the severity of the impact on the provision of regulated services, the sectors affected and the current situation in cyberspace with a potential impact on the security of the Czech Republic.
(3) Where a cyber security incident with a significant impact on the provision of the regulated service under § 15(2) or on the cyberspace of the State under paragraph 2 is reported, the regulated service provider shall further submit:
(a) without undue delay and no later than 72 hours after detecting the cyber security incident, a notification in which it updates the information referred to in paragraph 1, submits an initial assessment of the cyber security incident and states its impact and, where available, indicators of compromise; a provider of regulated trust services under the directly applicable European Union regulation (8) shall submit this notification within 24 hours of detecting the cyber security incident;
(b) at the request of the Office or National CERT, an interim report on substantial changes in the state of management of the cyber security incident; and
(c) no later than 30 days after the date of submission of the notification referred to in point (a), a final report on the resolution of the cyber security incident; where the cyber security incident is still ongoing after that period, the regulated service provider shall, without undue delay after the expiry of the period, submit an interim report on the current state of management of the cyber security incident and, no later than 30 days after the date on which the cyber security incident was resolved, a final report on its resolution.
(4) The regulated service provider shall report cyber security incidents, including voluntary reports under this Act, through the Office Portal. Where the Office Portal cannot be used, a regulated service provider under the higher obligation regime shall send the report to the Office's e-mail address for receiving cyber security incident reports or to the Office's data box, and a regulated service provider under the lower obligation regime shall send the report to the National CERT e-mail address for receiving cyber security incident reports or to the National CERT data box.
(5) The content elements, format and method of reporting cyber security incidents, of interim reports on substantial changes in the state of management of a cyber security incident, of interim reports on the current state of management of a cyber security incident, and of final reports on the resolution of a cyber security incident shall be laid down by the Office by decree.
§ 17
Management of cyber security incidents
(1) The Office or National CERT shall provide the regulated service provider with its observations on the cyber security incident without undue delay and no later than 24 hours after receipt of the initial report under § 16.
(2) At the request of the regulated service provider concerned, the Office or National CERT shall provide methodological support for the implementation of mitigation measures and, where appropriate, further technical support for managing the reported cyber security incident.
Regulation Information
| Citation | Act No. 264/2025 Coll., on Cyber Security |
|---|---|
| Regulation Type | Law |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 04.08.2025 |
| Effective from | 01.11.2025 |
| Effective until | - |
| Status | Valid |
Parliamentary Paper: No. 759
Source: Hlídač státu (CC BY 3.0 CZ)
The regulation text is for informational purposes only.