Decree No. 334 / 2025 Coll.
Decree on the Portal of the National Office for Cyber and Information Security and requirements for certain acts
Valid
Order
Effective from 01.11.2025
334
DECREE
of 27 August 2025
on the Portal of the National Office for Cyber and Information Security and requirements for certain acts
The National Office for Cyber and Information Security lays down, pursuant to § 6 (1), § 16 (5), § 34 (3) and § 45 (3) of Act No. 264 / 2025 Coll., on Cyber Security (hereinafter referred to as "the Act"):
Subject matter
This decree lays down:
(a) the format and method of reporting the regulated service pursuant to Article 6 (1) of the Act;
(b) content elements, format and method of reporting the cyber security incident, continuous reports of significant changes in the management status of the cyber security incident, interim reports on the current state of management of the cyber security incident and final reports on the resolution of the cyber security incident;
(c) the format and manner of reporting of data of persons providing domain name registration services pursuant to Article 34 (1) of the Act; and
(d) technical and organisational conditions for the use of the National Office for Cyber and Information Security Portal (hereinafter referred to as the Office Portal), content elements, format, structure and manner of implementation of the acts referred to in Article 45 (2) of the Act.
Office Portal
(1) The Office Portal is accessed via the Office's website after logging in with login data.
(2) Through the Office Portal, the Office shall enable the following to be carried out or submitted:
(a) the notification of the regulated service pursuant to Article 6 (1) of the Act;
(b) the notification of a change to the regulated service pursuant to Articles 9 (1) and 26 (1) of the Act;
(c) requests for cancellation of registration of regulated services pursuant to Article 10 (2) of the Act;
(d) reporting of data pursuant to Section 11 of the Act;
(e) incident reports pursuant to Sections 15 and 16 of the Act;
(f) notification of the implementation of the reactive countermeasure under Article 23 (6) of the Act; and
(g) reporting of information on suppliers pursuant to Article 31 (1) (c) of the Act.
Types of reported data
(1) For the purposes of this decree, the types of data reported are registration data, contact data and additional data.
(2) Registration data means:
(a) the identification details of the regulated service provider, which are its name, the person's identification number, if assigned, its registered office and, where applicable, the address of the principal establishment and other establishments in other Member States; and
(b) the list of regulated services provided and the fulfilment of the materiality conditions of the provider in accordance with the regulation governing regulated services.
(3) Contact data means:
(a) identification data of a natural person authorised to act on behalf of the regulated service provider in matters governed by the law; and
(b) the function or work assignment, telephone number and e-mail address of a natural person who is entitled to act on behalf of the regulated service provider in matters governed by law.
(4) Additional data means:
(a) domain names and ranges of IP addresses used to provide regulated services;
(b) information on the geographical distribution of the regulated service and its cross-border provision; and
(c) information on the membership of the regulated service provider in the group and on its participation in the cyber security information sharing community.
Cyber security incident reporting
(1) The report of a cyber security incident by the regulated service provider contains:
(a) the identification of the regulated service provider;
(b) additional data relating to the assets affected;
(c) information on the cyber security incident, in particular the date and time of the detection, the state of the incident resolution, the probable cause of the incident, the description of the incident and the indicators of compromise, where this information is available;
(d) information defining the impact of the incident, in particular the functional impact, the estimation of the extent and number of assets or persons affected, the time and resources needed to restore the provision of the affected service, the location of the incident, the sensitivity of the affected data and the possible cross-border impact of the incident where this information is available; and
(e) information on the response to a cyber security incident, in particular on the required support by the Office, the measures taken and ongoing to mitigate the consequences and the listing of those who have been informed in relation to the incident.
(2) In the context of the cyber security incident reporting, the regulated service provider may perform:
(a) initial reporting pursuant to Article 16 (1) of the Act;
(b) notification of the incident pursuant to Article 16 (3) (a) of the Act;
(c) an interim report on substantial changes in the management status of a cyber security incident pursuant to § 16 (3) (b) of the Act;
(d) the submission of a final report on the resolution of a cyber security incident pursuant to Article 16 (3) (c) of the Act; and
(e) the submission of an interim report on the current state of management of a cyber security incident under Section 16 (3) (c) of the Act.
(3) The interim report on substantial changes in the management status of a cyber security incident pursuant to Section 16 (3) (b) of the Act contains information on the steps taken to deal with the incident and information on any new facts.
(4) The final report on the resolution of the cyber security incident referred to in Article 16 (3) (c) of the Act contains the updated information referred to in paragraph 1.
(5) The interim report on the current state of management of the cyber security incident under Section 16 (3) (c) of the Act contains information on the steps taken to manage the incident, information on any new facts, planned steps to resolve the incident and explanation why it has not yet been resolved.
(6) Where the provider of a regulated service reports a cyber security incident in accordance with Article 16 (4) of the Act other than through the Office's Portal, the content requirements referred to in paragraph 1 shall apply mutatis mutandis.
(7) If a cyber security incident is reported via the Office's website by a voluntary notifier pursuant to Article 15 (5) of the Act who is not a regulated service provider, the report shall include:
(a) identification and contact details of the notifier or other contact person;
(b) identification and description of the information system or service affected by the cyber security incident;
(c) information on the cyber security incident, in particular the date and time of the detection, the nature of the threat or the underlying cause which triggered the incident, the estimation of the extent of the impact on the systems, the estimation of the number of users affected, a detailed description of the incident and, where available, the possible cross-border impact of the incident; and
(d) information on the response to a cyber security incident, in particular the status of the management of the incident and the measures taken and ongoing to mitigate the consequences.
Content of certain acts
(1) The notification of a regulated service pursuant to § 6 of the Act or the notification of a change of regulated service pursuant to §§ 9 and 26 of the Act contains the registration data or, where appropriate, the amendment thereof.
(2) The request to cancel the registration of a regulated service pursuant to § 10 (2) of the Act contains:
(a) the registration data of the regulated service for which cancellation is requested; and
(b) the justification for the cancellation request.
(3) The reporting pursuant to Article 11 of the Act contains:
(a) the identification of the regulated service provider;
(b) contact details; and
(c) additional data.
(4) The notification of the implementation of the reactive countermeasure pursuant to Article 23 (6) of the Act contains:
(a) the identification of the regulated service provider;
(b) additional data relevant to the content of the reactive countermeasure;
(c) identification of the reactive countermeasure; and
(d) information on the implementation of the reactive countermeasure and its outcome.
(5) The report on suppliers referred to in Article 31 (1) (c) of the Act contains:
(a) the identification of the regulated service provider;
(b) supplier's identification data for a security-relevant supply;
(c) identification of a security-relevant supply;
(d) identification of the critical part of the specified scope to which the security-relevant supply is directed;
(e) the identification of a regulated service to which a security-relevant supply is connected; and
(f) information on the relationship of the regulated service provider with the supplier.
Reporting of data of persons providing domain name registration services
Data pursuant to Section 34 of the Act shall be reported by means of a form published on the Office's website.
Entry into effect
This Decree shall take effect on 1 November 2025.
Director:
Ing. Kintr v. r.
Regulation Information
| Citation | Decree No. 334 / 2025 Coll., on the Portal of the National Office for Cyber and Information Security and Requirements for Certain Acts |
|---|---|
| Regulation Type | Order |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 09.09.2025 |
| Effective from | 01.11.2025 |
| Effective until | - |
| Status | Valid |
The regulation text is for informational purposes only.