Act No. 265 / 2025 Coll.
Law amending certain laws in connection with the adoption of the Cybersecurity Act
Valid
Law
Effective from 01.11.2025
Text versions:
01.11.2025
04.08.2025
265
THE LAW
of 11 June 2025
amending certain laws in connection with the adoption of the Cybersecurity Act
Parliament has decided on this law of the Czech Republic:
Amendment to the Banking Act
Act No. 21 / 2011, Act No. 13 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 13 / 2005 Coll.
1. In Paragraph 38 (3), the word "or 'shall be deleted at the end of point (q).
2. In Paragraph 38 (3), the dot at the end of point (r) is replaced by "or 'and the following point (s) is added:
"(s) the National Office for Cyber and Information Security in examining the risks associated with the supplier of a service of strategic importance under the Cybersecurity Act.";
Amendment of the Postal Services Act
Act No. 29 / 2000 Coll., on Postal Services and on the amendment of certain laws (Act on Postal Services), as amended by Act No. 517 / 2002 Coll., Act No. 225 / 2003 Coll., Act No. 501 / 2004 Coll., Act No. 95 / 2005 Coll., Act No. 413 / 2005 Coll., Act No. 444 / 2005 Coll., Act No. 264 / 2006 Coll., Act No. 110 / 2007 Coll., Act No. 250 / 2016 Coll., Act No. 41 / 2009 Coll., Act No. 221 / 2009 Coll., Act No. 212 / 2013 Coll., Act No. 258 / 2014 Coll., Act No. 329 / 2011 Coll., Act No. 89 / 2012 Coll.
1. In Paragraph 33, the following paragraph 3 is inserted after paragraph 2:
"(3) The holder of a postal licence shall inform the Office without undue delay of any danger or breach of the security of the postal network, of the provision of essential services or of access to elements of the postal infrastructure and of specific services related to the operation of the postal infrastructure pursuant to Section 34. This obligation shall not apply where the breach of the security and integrity of such networks and services originates in cyberspace, to the extent that the holders of the postal licence are subject to similar information obligations under the Cybersecurity Act. ';
Paragraphs 3 to 9 shall be renumbered paragraphs 4 to 10.
2. In Article 33 (6), "paragraph 6 'is replaced by" paragraph 7';
3. In Article 33 (7), "paragraph 5 'is replaced by" paragraph 6';
4. In Paragraph 33 (10), "paragraph 8 'is replaced by" paragraph 9'.
5. The following Section 36b is inserted after Section 36a, including the title:
Cooperation with the National Office for Cyber and Information Security
The Office and the National Office for Cyber and Information Security shall provide each other with the initiatives, information and other forms of synergies needed to carry out the tasks provided for by the legislation. When transmitting the information, the beneficiary shall ensure the same level of confidentiality as the donor. ';
6. in Article 37a (3), the following point (c) is inserted after point (b):
"(c) fails to comply with the information obligation laid down in Article 33 (3);"
Points (c) to (g) shall be renumbered as points (d) to (h).
7. in Article 37a (3) (d), "paragraph 4" is replaced by "paragraph 5."
8. in Paragraph 37a (3) (e), "paragraphs 5, 7, 8 or 9" shall be replaced by "paragraphs 6, 8, 9 or 10."
9. in Article 37a (6) (a), "(e)" is replaced by "(f)."
10. in Article 37a (6) (b), "(f) or (g)" is replaced by "(e), (g) or (h)";
11. in Paragraph 41 (1), the text "paragraph 4" is replaced by "paragraph 5."
Amendment of the Act on Information Systems of Public Administration
Act No. 365 / 2000 Coll., on Information Systems of Public Administration and on the amendment of certain other laws, as amended by Act No. 517 / 2002 Coll., Act No. 413 / 2005 Coll., Act No. 444 / 2005 Coll., Act No. 70 / 2006 Coll., Act No. 81 / 2006 Coll., Act No. 251 / 2007 Coll., Act No. 110 / 2007 Coll., Act No. 269 / 2007 Coll., Act No. 130 / 2008 Coll., Act No. 104 / 2017 Coll., Act No. 183 / 2009 Coll., Act No. 223 / 2009 Coll., Act No. 227 / 2009 Coll., Act No. 298 / 2016 Coll., Act No. 263 / 2011 Coll., Act No. 65 / 2012 Coll.
1. in Paragraph 2 (2) (a):
"(a) a security level of the security level of the public administration information system, expressing the possible effects of a cyber security incident on the public administration information system to ensure the operation of which cloud computing is to be used,";
2. In Article 2, at the end of paragraph 2, the dot is replaced by a comma and the following point (g) is added:
"(g) rules on security for public administrations using cloud computing service providers laying down minimum requirements for the use of cloud computing service by a public authority in order to ensure the security of information.";
3. In Article 4 (2), the words "except for the obligations laid down in Articles 6n (b) to (f) and 6l (3) 'shall be added at the end of the text of point (a).
4. In Article 5a (2), the last sentence is replaced by the sentence "The structure and details of the information concept of the public administration as well as the procedures of public authorities in its establishment, issue and evaluation of compliance with it, the requirements for the management of public administration information systems, including the decoupling of public administration information systems, the technical requirements for public administration information systems and the rules for the structure of data in public administration information systems shall be laid down in implementing legislation '.
5.
Managers of public service information systems that are not regulated service providers under the Cybersecurity Act shall be required to introduce security measures for regulated service providers under the regime of lower obligations under Sections 8, 13 and 14 of the Cybersecurity Act, taking into account the potential impact of a breach of confidentiality, integrity and availability of a particular public administration information system on the activities of its administrator and its ability to provide its services to citizens, as well as the appropriateness and feasibility of such measures. ';
6. in Article 6i (2) (e), the words "(a)" shall be inserted after the words "Article 6n."
7. Paragraph 6i (3) reads as follows:
"(3) National Cyber and Information Security Authority
(a) check that the cloud computing provided to public authorities complies with the requirements of § 6n (b) to (f);
(b) controls the inclusion of the public administration information system in the security level referred to in Article 6l (3);
(c) checks compliance with the security rules by the public authority in the use of cloud computing services pursuant to § 6l (3). ';
8. In Paragraph 6l, the following sentence is added at the end of paragraph 3: "Before concluding a contract with a cloud computing provider, the public administration information system or part thereof to ensure the operation of which cloud computing is to be used shall be added to the security level, taking into account the nature of the public administration information system concerned under the implementing legislation. The public authority shall also ensure that security rules are respected throughout the use of cloud computing services. ';
9. In Article 6n (c), the words "follow the security rules for public authorities using cloud computing services under the legislation governing cyber security 'are replaced by the words" ensure compliance with the security rules laid down in the implementing legislation'.
10. in § 6q (5) (c), § 6t (6) (b) and (d) to (g) and § 6t (7) (c) and (e) to (h), the words "governing cyber security" are replaced by the words "issued pursuant to § 12 (2)";
11. At the end of Section 7, the words "and public authorities' shall be added.
12. In Article 7, the following paragraphs 4 and 5 are inserted after paragraph 3:
"(4) A cloud computing provider shall commit an offence by providing a public authority or a public cloud computing provider that does not meet the cloud computing requirements of the public administration pursuant to § 6n.
(5) A public authority commits an infringement by:
(a) uses cloud computing in breach of § 6l (1);
(b) fails to comply with the obligation to terminate the use of cloud computing in accordance with § 6l (2) within the prescribed period;
(c) fails to comply with the obligation to include the information system or part thereof in the security level referred to in Article 6l (3); or
(d) does not ensure compliance with the security rules provided for in Article 6l (3). ';
Paragraph 4 shall become paragraph 6.
13. in Article 7 (6), the following point (a) is inserted:
"(a) 10 000 000 CZK if the offence referred to in paragraph 4 or 5 is committed,"
Points (a) to (c) shall be renumbered (b) to (d).
14. in Paragraph 9e (3), the words "administrator and operator of an important information system" shall be deleted;
15. in Article 12 (1) (b), the words "safety levels and" shall be deleted;
16. In Article 12, at the end of paragraph 2, the dot is replaced by a comma and the following points (g) and (h) are added:
"(g) security levels of public administration information systems;
(h) the content and scope of the security rules for public administrations using cloud computing services pursuant to § 6l (3). ';
Amendment to the Electronic Communications Act
Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 20 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 15 / 2011, Act No. 20 / 2011, Act.
1. In Article 6, the following paragraph 6 is added:
"(6) The Authority shall decide, on the basis of a request for amendment or withdrawal of a regulatory measure imposed by a decision under this Law, where compliance with the conditions or obligations laid down in that decision makes it impossible to fulfil, in whole or in part, the obligations set out in a countermeasure or measure of a general nature issued under the Cybersecurity Act. ';
2. in Paragraph 22a (3), "paragraph 5" is replaced by "paragraph 6";
3. In Paragraph 22a, the following paragraph 5 is inserted after paragraph 4:
"(5) The President of the Council may decide, after consultation in accordance with Paragraph 130, to amend the allocation of radio frequencies if this is necessary for the performance of countermeasures or the purpose of measures of a general nature issued under the Cybersecurity Act. The procedure laid down in Article 6 (6) shall be without prejudice to this. ';
Paragraph 5 shall become paragraph 6.
4. In Paragraph 98, the following paragraph 9 is added:
"(9) The obligations laid down or imposed pursuant to paragraphs 1, 3, 4 and 6 to 8 shall not apply in the case of an entrepreneur providing a public communications network or providing a publicly available electronic communications service where the breach of the security and integrity of such networks and services originates in the cyberspace, to the extent that similar information obligations under the Cybersecurity Act apply to it. ';
Amendment to the Act on the implementation of international sanctions
Act No. 69 / 2006 Coll., on the implementation of international sanctions, as amended by Act No. 227 / 2009 Coll., Act No. 281 / 2009 Coll., Act No. 139 / 2011 Coll., Act No. 167 / 2012 Coll., Act No. 399 / 2012 Coll., Act No. 377 / 2015 Coll., Act No. 298 / 2016 Coll., Act No. 368 / 2016 Coll., Act No. 183 / 2017 Coll., Act No. 261 / 2021 Coll., Act No. 240 / 2022 Coll. and Act No. 280 / 2024 Coll., is amended as follows:
1. In Article 16 (4), at the end of point (m), the word "or 'is replaced by a comma.
2. In Article 16, at the end of paragraph 4, the dot is replaced by "or 'and the following point (o) is added:
"(o) The National Office for Cyber and Information Security in examining the risks associated with the supplier under the Cybersecurity Act."
3. In Article 16, the following paragraph 7 is added:
"(7) The exemptions referred to in paragraph 4 (b) to (o) shall apply only to the extent strictly necessary according to the purpose of the information provided. It may not be applied if the disclosure of information could thwart or jeopardise an investigation under this law or pending criminal proceedings, or if the disclosure would be manifestly disproportionate to the legitimate interests of the person to whom the information relates or the purpose for which the request was made. ';
Amendment of the Act on certain measures against the legalisation of proceeds from crime and terrorist financing
Act No. 25 / 2016 Coll.
1. In Article 39, at the end of paragraph 1, the dot is replaced by a comma and the following point (r) is added:
"(r) the National Office for Cyber and Information Security in examining the risks associated with the supplier under the Cybersecurity Act.";
2. In Section 39 (4) of the introductory part of the provision, the text "q) 'is replaced by" r)'.
Amendment to the Customs Act of the Czech Republic
In Article 27 (3) of Act No. 17 / 2012 Coll., on the Customs Administration of the Czech Republic, as amended by Act No. 283 / 2020 Coll., the words "the National Office for Cyber and Information Security," shall be inserted after the word "the Republic."
Amendment to the Foreign Investment Review Act
Act No. 34 / 2021 Coll., on the examination of foreign investments and on the amendment of related laws (Act on the examination of foreign investments), as amended by Act No. 69 / 2025 Coll., is amended as follows:
1. In Article 7 (c), the words "the controller of the information system of the critical information infrastructure, the controller of the communication system of the critical information infrastructure, the controller of the information system of the basic service or the operator of the basic services5) 'are replaced by the words" the provider of the regulated service in the higher obligation5)'.
footnote 5:
"5) Act No. 264 / 2025 Coll., on Cyber Security. '.
2. Article 20a, including the title, reads:
Exceptions to the obligation of confidentiality
(1) The obligation of the employees of the Ministry responsible for management or consultation under this Act to maintain confidentiality pursuant to Paragraph 20 shall not apply in the context of the cooperation of the Ministry with:
(a) by the Office pursuant to legislation governing certain public aid relations (9); and
(b) the National Office for Cyber and Information Security in verifying supply chain security under the legislation governing cyber security.
(2) The staff of the National Bureau of Cyber and Information Security shall be entitled to use the information obtained in the framework of the cooperation referred to in paragraph 1 (b) only in the verification of supply chain security and shall be subject to confidentiality. "
EFFECTIVE
This Law shall take effect on the first day of the third calendar month following its publication.
Pekarová Adamová v. r.
Pavel v. r.
Fiala v. r.
Sign in for notes, favorites and notifications
Regulation Information
| Citation | Act No. 265 / 2025 Coll., amending certain laws in connection with the adoption of the Cybersecurity Act |
|---|---|
| Regulation Type | Law |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 04.08.2025 |
|---|---|
| Effective from | 01.11.2025 |
| Effective until | - |
| Status | Valid |
Parliamentary Paper:
Paper No. 760
Public Contracts 5
Poskytnutí komplexních penetračních testů, včetně souvisejících služeb, v prostředí Ministerstva zem...
Ministerstvo zemědělství
Fitio Platform s.r.o.
287 496 CZK
22.01.2026
Smlouva o poskytování služeb správy a podpory databázového systému ORACLE
Masarykova univerzita
Digitec Solutions s.r.o.
665 198 CZK
22.01.2026
Mobilní aplikace ZP 211
Zdravotní pojišťovna ministerstva vnitra České rep...
MVKV Solutions s.r.o.
3 630 000 CZK
16.12.2025
Zajištění technické podpory a rozvoje SW aplikace Service Desk
Zdravotní pojišťovna ministerstva vnitra České rep...
truconneXion, a.s.
02.10.2025
Notifications
Prodloužení platnosti licencí DLP Safetica včetně technické podpory
Zdravotní pojišťovna ministerstva vnitra České rep...
CompuNet s.r.o.
1 658 100 CZK
30.09.2025
Source:
Hlídač státu
(CC BY 3.0 CZ)
The regulation text is for informational purposes only.
Comments 0