Act No. 266 / 2025 Coll.
Law on the resilience of critical infrastructure bodies and on the amendment of related laws (Law on critical infrastructure)
Valid
Law
Effective from 19.08.2025
Text versions:
19.08.2025
04.08.2025
Contents
ČÁST PRVNÍ
HLAVA I
§ 1
§ 2
HLAVA II
§ 3
HLAVA III
§ 4
§ 5
§ 6
§ 7
§ 8
HLAVA IV
§ 9
§ 10
§ 11
§ 12
§ 13
§ 14
§ 15
§ 16
§ 17
HLAVA V
§ 18
§ 19
HLAVA VI
§ 20
§ 21
HLAVA VII
§ 22
§ 23
§ 24
§ 25
HLAVA VIII
§ 26
§ 27
HLAVA IX
§ 28
§ 29
§ 30
ČÁST DRUHÁ
§ 31
㤠4j
ČÁST TŘETÍ
§ 32
ČÁST ČTVRTÁ
§ 33
ČÁST PÁTÁ
§ 34
ČÁST ŠESTÁ
§ 35
㤠26
§ 26a
㤠26b
㤠40
§ 36
ČÁST SEDMÁ
§ 37
ČÁST OSMÁ
§ 38
ČÁST DEVÁTÁ
§ 39
ČÁST DESÁTÁ
§ 40
ČÁST JEDENÁCTÁ
§ 41
ČÁST DVANÁCTÁ
§ 42
Zobrazeno prvních 200 z celkem 559 ustanovení tohoto předpisu.
Zobrazit celý předpis →
Pro stažení celého znění použijte tlačítko Stáhnout výše.
266
THE LAW
of 3 July 2025
on the resilience of critical infrastructure bodies and the amendment of related laws (Critical Infrastructure Act)
Parliament has decided on this law of the Czech Republic:
Basic provisions
Subject matter
(1) This law implements the relevant provisions of the European Union1) and provides:
(a) the competence of the State authorities in increasing the resilience of critical infrastructure bodies;
(b) the rights and obligations of legal and natural persons to ensure the provision of basic services;
(c) measures to increase and ensure the resilience of critical infrastructure bodies.
(2) Increasing the resilience of critical infrastructure entities is part of crisis management under the Crisis Act.
Definition of terms
(1) For the purposes of this Act:
(a) the essential service of the service which is necessary to maintain the essential functions of the State, economic activities, safety, public health or the environment, provided in sectors or sub-sectors as specified in the Annex to this Law;
b) Provider of the basic service anyone who provides at least 1 basic service in the Czech Republic and fulfils the criterion of significance;
(c) the critical infrastructure of the asset, equipment, network or system or part thereof necessary for the provision of the basic service;
(d) a critical infrastructure entity, a provider of a basic service whose critical infrastructure is located in the Czech Republic and is included in the list of critical infrastructure entities;
(e) a European critical infrastructure entity which provides the same or similar basic service in at least 6 Member States of the European Union and has been notified that it has been designated by the European Commission as a critical body of specific European importance;
(f) an incident which may significantly disrupt or interfere with the provision of the essential service;
(g) the risk of disrupting the provision of the essential service as a result of the incident, expressed as a combination of the extent of such disruption and the likelihood of the occurrence of the incident;
(h) by assessing the risks of a critical infrastructure entity, the overall process of determining the nature and extent of the risk by identifying and analysing possible relevant threats, vulnerabilities and hazards that could lead to an incident and of assessing the potential disruption of the provision of the essential service caused by the incident;
(i) the resilience of a critical infrastructure entity to the ability of a critical infrastructure entity to prevent, respond to, mitigate, and take measures to prevent incidents,
(j) the worker is a natural person who is in an employment relationship, a service relationship or other similar relationship with a critical infrastructure entity or its critical supplier;
(k) a critical worker who is necessary to ensure the provision of the essential service;
(l) a critical supplier who has entered into a legal relationship with a critical infrastructure entity and on this basis provides the goods or services necessary to ensure the provision of the essential service.
(2) For the purposes of this Act, a Member State of the European Union shall also mean the Contracting State of the Agreement on the European Economic Area.
Strategy to strengthen the resilience of critical infrastructure bodies
(1) The strategy for strengthening the resilience of critical infrastructure entities (hereinafter referred to as "the strategy") sets out strategic objectives and measures to strengthen and ensure the resilience of critical infrastructure entities to the extent of the sector and subsector as set out in the Annex to this Law.
(2) The strategy includes:
(a) strategic objectives and priorities to enhance the overall resilience of critical infrastructure bodies, taking into account cross-border and cross-sectoral dependence;
(b) a framework for the fulfilment of strategic objectives and priorities, including a description of the responsibilities and responsibilities of the relevant competent public administrations and critical infrastructure bodies;
(c) a description of the measures necessary to enhance the resilience of critical infrastructure bodies, including a description of the results of the risk assessment of the Czech Republic under the Crisis Act (hereinafter the "risk assessment of the Czech Republic"),
(d) a description of the process of including basic service providers in the list of critical infrastructure bodies;
(e) the way in which critical infrastructure bodies are supported by competent authorities, including measures to strengthen cooperation between public authorities and critical infrastructure bodies;
(f) an overview of the decision-making bodies in the system of ensuring and strengthening the resilience of critical infrastructure bodies;
(g) the way in which the competent authorities of the State administration are coordinated under this Act with the competent authorities of the State administration under the Cybersecurity Act for the purpose of sharing information on risks, threats and incidents and the exercise of control;
(h) a description of existing instruments used by critical infrastructure bodies to implement measures to ensure their resilience.
(3) The government approves the strategy.
Performance of state administration
The substantive competence of ministries, other central administrative offices and the Czech National Bank in each sector or subsector in which basic services are provided is set out in an annex to this Act.
Ministries and other central administrative offices
Ministries and other central administrations to enhance the resilience of critical infrastructure bodies
(a) provide the Ministry of the Interior with synergies in:
1. the development of the strategy;
2. the processing of a summary report on incidents;
3. exercises to verify the resilience of critical infrastructure bodies; and
4. international exchange of information,
(b) require the provider of the essential service to provide the information necessary to initiate the decision to include it in the list of critical infrastructure bodies;
(c) submit an initiative to the Ministry of Interior to decide to include the provider of the basic service in the list of critical infrastructure bodies;
(d) provide the Ministry of the Interior with information on the implementation of measures to ensure the resilience of critical infrastructure bodies;
(e) provide the critical infrastructure body with the necessary information on the potential threat to the provision of the essential service;
(f) assess the requirement applied by a body of critical infastructures pursuant to Article 14 (3); in order to deal with it under another legislation2), cooperate with the competent authorities;
(g) carry out exercises to verify the resilience of critical infrastructure bodies; to that end, develop a training plan;
(h) carry out checks on the critical infrastructure body and impose corrective measures pursuant to Article 23;
(i) provide the Ministry of the Interior with an opinion on the implementation of an advisory mission by the European Commission;
(j) provide the European Commission with synergies in the implementation of the Advisory Mission;
(k) assess the need to secure the necessary material resources through a system of economic measures for crisis situations in order to provide a basic service in the sector or subsector; for this purpose, use the information provided by the critical information structure body pursuant to Article 14 (1) (q).
Ministry of Interior
(1) Ministry of the Interior in the area of enhancing the resilience of critical infrastructure bodies
(a) coordinate the performance of the administration;
(b) process the strategy, update it at least every 4 years and submit it to the Government for approval;
(c) decide to include the provider of the basic service in the list of critical infrastructure bodies and to remove it from that list; that list shall be updated at least once every 4 years;
(d) inform the critical infrastructure entity, at the request of the European Commission, that it has been designated by the European Commission as a critical entity of specific European importance;
(e) establish and operate a critical infrastructure portal;
(f) provide the critical infrastructure body with parts of the risk assessment of the Czech Republic for the purpose of processing the risk assessment of the critical infrastructure entity;
(g) coordinate the exercise to verify the resilience of critical infrastructure bodies within the competence of several ministries or other central administrations; to this end it shall process the exercise plan;
h) acts as a single contact point of the Czech Republic;
(i) ensure the international exchange of information;
(j) submit to the European Commission:
1. without undue delay after the last significant update or every 4 years at the latest, information on the list of essential services, including their criteria, and the number of critical infrastructure bodies by sector, subsector and each essential service;
2. a summary incident report every 2 years;
3. the strategy, information on the types of risks identified and the results of the risk assessment of the Czech Republic within 3 months from the date of their approval or the last significant update;
4. information on a critical infrastructure body providing the same or similar basic service in at least 6 Member States of the European Union with a view to identifying it as a critical body of specific European importance;
5. in the case of the European Critical Infrastructure Body, upon request of the European Critical Infrastructure Entity, a list of the measures taken pursuant to § 15, the control findings referred to in § 22 and the corrective measures imposed pursuant to § 23 for the purpose of carrying out the advisory mission;
6. the proposal of candidates for the members of the Advisory Mission,
(k) propose to the European Commission the implementation of an advisory mission with the European critical infrastructure body;
(l) approve a request from the European Commission for an advisory mission to the European critical infrastructure body;
(m) issue warnings and decide whether or not to impose a prohibition on the use of the supplier of the critical infrastructure body;
(n) provided on request
1. information on critical infrastructure located in the region to the extent necessary for the processing of the regional crisis plan;
2. The Czech Office of the Regional and Catastrophe for the purpose of conducting a non-public part of the digital technical map, identifying the critical infrastructure entity and its critical infrastructure,
(o) cooperate with the competent authorities of the Member States of the European Union.
(2) The competence of the Ministry of Interior referred to in paragraph 1 is exercised by the General Directorate of the Fire Rescue Corps of the Czech Republic, with the exception of those referred to in paragraph 1 (m).
(3) The competence of the Ministry of Interior to submit the information referred to in paragraph 1 to the European Commission. (j) shall not apply to the security sector.
National Cyber and Information Security Authority
The National Bureau of Cybersecurity and Information Security shall provide the Ministry of the Interior without undue delay with information on a cybersecurity incident with a significant impact on the cyberspace of the State, which it receives on the basis of a report under the Cybersecurity Act and which occurred with a critical infrastructure entity in the digital infrastructure sector.
Czech National Bank
(1) The Czech National Bank creates conditions for increasing the resilience of critical infrastructure entities in the banking and financial market sectors and, to this end, without undue delay, provides the Ministry of the Interior with information on incidents that it receives under the directly applicable European Union3) from the critical banking infrastructure entity or financial market infrastructure.
(2) For the Czech National Bank, Sections 5 (a) (1) and (2) and 5 (b), (c) and (f) apply mutatis mutandis.
Basic service provider and critical infrastructure entity
Obligations of the basic service provider
(1) The provider of the basic service is obliged to provide information to the Ministry, another central administration office or the Czech National Bank and the Ministry of Interior for the purpose of deciding on its listing as critical infrastructure bodies
(a) providing the basic service and fulfilling at least 1 materiality criterion;
(b) its critical infrastructure in the territory of the Czech Republic or another Member State of the European Union; and
(c) the basic service provided in the territory of another Member State of the European Union.
(2) The information referred to in paragraph 1 shall be provided by the provider of the basic service through the critical infrastructure portal at the latest by:
(a) 3 months from the date on which the provision of the basic service begins;
(b) 1 month from the date on which the Ministry, other central administration, the Czech National Bank or the Ministry of Interior was called upon to do so.
Basic service and materiality criterion
(1) The materiality criterion in line with the assessment of the risks of the Czech Republic determines the importance of disrupting the provision of the basic service on the basis of:
(a) the number of users dependent on the basic service provided by the basic service provider;
(b) the extent to which the provision of a basic service in another sector or subsector depends on the basic service;
(c) the possible impact of incidents in terms of their intensity and duration on economic and social activities, the environment, safety or public health;
(d) the market share of the provider of the basic service in the market for basic services or services in the Czech Republic;
(e) the territory likely to be affected by the incident, including any cross-border effects, taking into account the vulnerability associated with the degree of separation of certain types of territory; or
(f) the importance of the provider of the basic service in maintaining a sufficient level of basic service, taking into account the availability of alternative ways of providing that basic service.
(2) The basic services in each sector or subsector and the materiality criteria referred to in paragraph 1 for each basic service shall be laid down in implementing legislation.
Entry into the list of critical infrastructure bodies
(1) The Ministry, another Central Administrative Office or the Czech National Bank shall, without undue delay, assess the information on the provider of the basic service in accordance with Paragraph 9 (1) and initiate the Ministry of Interior to decide to include that provider of the basic service in the list of critical infrastructure bodies.
(2) The Ministry of the Interior shall, on the basis of the initiative referred to in paragraph 1, decide without undue delay to include the provider of the basic service in the list of critical infrastructure bodies.
(3) The decision to list critical infrastructure bodies may be the first step in the management. The decomposition submitted against the decision to list critical infrastructure entities shall not have suspensory effect.
(4) The list of critical infrastructure bodies shall be non-public and shall contain the following information:
(a) identification of the critical infrastructure body;
(b) information on the basic service provided by the critical infrastructure body;
(c) the sector and subsector in which the critical infrastructure entity provides the basic service; and
(d) Member States of the European Union in which a critical infrastructure body provides a basic service.
(5) The Ministry of the Interior shall inform the National Cyber and Information Security Authority and the Ministry, another Central Administration Office or the Czech National Bank of the inclusion of the entity in the list of critical infrastructure entities within 1 month of the date of receipt of the decision to list critical infrastructure entities of the critical infrastructure entity.
(6) The critical infrastructure entity is obliged to comply with the obligations laid down by this Act from the date of receipt of the decision on inclusion in the list of critical infrastructure bodies, unless otherwise specified, until the date of receipt of the decision on its exclusion from the list of critical infrastructure bodies under Section 13.
Changes in the provision of the basic service
(1) If a critical infrastructure entity starts providing a basic service to another extent, starts providing a new basic service or stops providing a basic service, it shall inform the Ministry, another Central Administration Office or the Czech National Bank within 1 month of the date of the occurrence of this fact.
(2) If a critical infrastructure entity provides a new basic service, or if there has been a change in the scope of the basic service already provided, the Ministry of Interior shall, based on information from the Ministry, another central administrative office or the Czech National Bank, add to the list of critical infrastructure entities information about the newly provided basic service or change the scope of the basic service already provided. The Ministry of the Interior shall then inform the critical infrastructure entity, the National Cyber and Information Security Office and the Ministry, another Central Administration Office or the Czech National Bank within 1 month of the date of addition of the new information provided.
(3) The critical infrastructure entity shall be obliged to fulfil the obligations laid down by this Act on the newly registered basic service from the date of notification referred to in paragraph 2, unless otherwise specified.
(1) In the event that the critical infrastructure entity no longer provides any of the essential services listed in the critical infrastructure entity list, the Ministry of the Interior shall delete this essential service from the list of critical infrastructure entities and inform the critical infrastructure entity without undue delay, the National Office for Cybersecurity and Information and the Ministry, another Central Administration Office or the Czech National Bank of this fact.
(2) If the critical infrastructure entity no longer provides any basic service, the Ministry of the Interior shall decide to remove it from the list of critical infrastructure entities.
(3) The decision to withdraw from the list of critical infrastructure bodies may be the first management action. The decomposition submitted against the decision to withdraw from the list of critical infrastructure entities shall not have suspensory effect.
(4) The Ministry of Interior shall inform the National Bureau of Cybernetic and Information Security and the Ministry, another Central Administration or the Czech National Bank of the exclusion of the critical infrastructure entity from the list of critical infrastructure entities without undue delay from the date of receipt of the decision to exclude the critical infrastructure entity from the list of critical infrastructure entities of the critical infrastructure entity.
Rights and obligations of the critical infrastructure body
(1) The critical infrastructure entity is obliged to:
(a) to provide the Ministry of the Interior and the Ministry, another Central Administrative Office or the Czech National Bank without undue delay with information on the essential service provided, critical infrastructure in the territory of the Czech Republic or another Member State of the European Union, critical workers and critical suppliers,
(b) inform the Ministry of the Interior without undue delay in which the Member States of the European Union provide a basic service;
(c) without undue delay inform the Ministry of the Interior and the Ministry or any other central administration that it is part of a group under the Commercial Corporation Act, including whether it is a controlled or controlling person;
(d) process the risk assessment of the critical infrastructure entity and subsequently update it at least every 4 years within 9 months of the date of receipt of the decision on inclusion in the list of critical infrastructure bodies;
(e) provide, without undue delay, at the request of the Ministry or any other Central Administrative Office, documentation for the processing of the risk assessment of the Czech Republic;
(f) within 10 months of the date of receipt of the decision on inclusion in the list of critical infrastructure bodies, prepare a resilience plan setting out technical, safety and organisational measures to ensure the resilience of the critical infrastructure entity and subsequently update it at least every 4 years;
(g) designate a critical infrastructure manager within 10 months of the date of receipt of the decision to list critical infrastructure bodies and without undue delay after the current critical infrastructure manager has ceased to perform this function;
(h) without undue delay, notify the designation of the critical infrastructure manager to the Ministry of the Interior and the Ministry or any other central administration;
(i) to create to the critical infrastructure manager the conditions necessary for the performance of his duties;
j) identify critical suppliers and communicate to the Ministry of the Interior and the Ministry, another central administration or the Czech National Bank
1. in the case of a legal or business natural person, the identification details to the extent of the name, address and identification number of the person;
2. in the case of a natural person, identification details to the extent of the name and surname, date of birth and address of the place of residence;
3. the reasons for which he was designated as a critical supplier,
(k) take measures to ensure the resilience of the critical infrastructure entity pursuant to Article 15;
(l) without undue delay to report to the Ministry of the Interior incidents pursuant to Sections 18 and 19,
(m) to ensure conditions for carrying out sensitive activities under the law governing the protection of classified information;
(n) participate in exercises to verify the resilience of critical infrastructure bodies;
o) use the critical infrastructure portal to fulfil obligations under this Act;
(p) to allow the Ministry or another Central Administrative Office to carry out a check on compliance with the obligations laid down by this Act and to take corrective action pursuant to Paragraph 23;
(q) inform the Ministry or other Central Administrative Office of the need for security by the necessary means of substance to ensure the provision of a basic service which it is unable to provide otherwise;
(r) request verification of the reliability of the critical infrastructure manager's compliance with the conditions for carrying out sensitive activities under the law governing the protection of classified information.
(2) In order to ensure its resilience and to provide a basic service, a critical infrastructure body
a) verifies the reliability according to § 17 in accordance with the risk assessment of the Czech Republic;
(b) processes personal data to the extent necessary to fulfil the obligations under this Act;
1. critical workers,
2. persons seeking employment, recruitment or similar relationship; and
3. persons entrusted with direct or remote access to, information or control systems of his premises.
(3) In order to ensure its resilience and to provide a basic service, the critical infrastructure entity shall, to the extent necessary, be further authorised:
(a) in preparing for crisis situations, ask the Ministry, another Central Administrative Office or the Czech National Bank to provide a preferred connection to the public communications network and access to publicly available electronic communications services for critical workers;
(b) request, during an emergency or emergency situation, to the Ministry, another Central Administrative Office or the Czech National Bank to arrange for entry into designated places or territories where entry has been prohibited in connection with such an event or emergency situation, if necessary to ensure the provision of the essential service; the critical infrastructure entity is entitled to request the provision of such access also for its critical supplier, where necessary for the provision of the essential service;
(c) ask the Ministry, another Central Administrative Office or the Czech National Bank for priority access to the basic service provided by another critical infrastructure body, if necessary for the provision of the basic service.
(4) Furthermore, the European Critical Infrastructure Body shall be obliged from the date of notification of the designation to a critical body of specific European importance
(a) to provide the European Commission, if requested, through the Ministry of Interior
1. the risk assessment of the critical infrastructure body; and
2. a list of measures taken to ensure their resilience;
(b) allow the European Commission's Advisory Mission access to and synergies with the necessary information related to the provision of its essential service and critical infrastructure; and
(c) take corrective action on the deficiencies identified and recommendations of the Advisory Mission and inform the European Commission of its adoption through the Ministry of Interior.
(5) The critical infrastructure entity in the security sector shall not be subject to the obligations set out in paragraph 1 (b) and paragraph 4.
(6) The formalities and manner in which the design of the resilience plan and the risk assessment of the critical infrastructure body are to be carried out are laid down in the implementing legislation.
Measures to ensure the resilience of the critical infrastructure entity
(1) The critical infrastructure entity shall take technical, security and organisational measures on the basis of the risk assessment of the critical infrastructure entity, to the extent of the measures:
(a) risk management;
(b) to ensure continuity of activities;
(c) incident response;
(d) physical safety,
(e) the management of workers' safety; and
(f) management of supply chain security.
(2) The content of the measures to ensure the resilience of the critical infrastructure body referred to in paragraph 1 shall be laid down in the implementing legislation.
Contents
ČÁST PRVNÍ
HLAVA I
§ 1
§ 2
HLAVA II
§ 3
HLAVA III
§ 4
§ 5
§ 6
§ 7
§ 8
HLAVA IV
§ 9
§ 10
§ 11
§ 12
§ 13
§ 14
§ 15
§ 16
§ 17
HLAVA V
§ 18
§ 19
HLAVA VI
§ 20
§ 21
HLAVA VII
§ 22
§ 23
§ 24
§ 25
HLAVA VIII
§ 26
§ 27
HLAVA IX
§ 28
§ 29
§ 30
ČÁST DRUHÁ
§ 31
㤠4j
ČÁST TŘETÍ
§ 32
ČÁST ČTVRTÁ
§ 33
ČÁST PÁTÁ
§ 34
ČÁST ŠESTÁ
§ 35
㤠26
§ 26a
㤠26b
㤠40
§ 36
ČÁST SEDMÁ
§ 37
ČÁST OSMÁ
§ 38
ČÁST DEVÁTÁ
§ 39
ČÁST DESÁTÁ
§ 40
ČÁST JEDENÁCTÁ
§ 41
ČÁST DVANÁCTÁ
§ 42
Sign in for notes, favorites and notifications
Regulation Information
| Citation | Act No. 266 / 2025 Coll., on the resilience of critical infrastructure bodies and on the amendment of related laws (Critical Infrastructure Act) |
|---|---|
| Regulation Type | Law |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 04.08.2025 |
|---|---|
| Effective from | 19.08.2025 |
| Effective until | - |
| Status | Valid |
Parliamentary Paper:
Paper No. 947
Public Contracts 5
Přidání funkcionalit automatizace zpracování dat v podmínkách MŠMT a úpravy dle zákona č. 266/2025 S...
Ministerstvo školství, mládeže a tělovýchovy
ANAKAN s.r.o.
132 495 CZK
23.12.2025
Smlouva č. 0344/24/01
Pražská vodohospodářská společnost a.s.
Pražská vodohospodářská společnost a.s.
2 420 000 CZK
12.12.2025
Notifications
Darovací smlouva - posílení informační, komunikační a energetické odolnosti
Zdravotnická záchranná služba Ústeckého kraje, pří...
Sev.en Inntech a.s.
1 500 000 CZK
10.12.2025
SMLOUVA O POSKYTOVÁNÍ EXPERTNÍCH KONZULTAČNÍCH SLUŽEB
Severočeské vodovody a kanalizace, a.s.
European Business Enterprise,a.s.
08.12.2025
Notifications
zajištení komplexní služby pro metodickou podporu v oblasti řízení dodavatelského řetězce
Česká pošta, s.p.
ROWAN LEGAL, advokátní kancelář s.r.o.
861 520 CZK
27.11.2025
Source:
Hlídač státu
(CC BY 3.0 CZ)
The regulation text is for informational purposes only.
Comments 0