Cybersecurity is becoming a personal responsibility for executives

12.5.2025

Cybersecurity is no longer just a technical issue for IT departments – with the arrival of the European NIS2 Directive and the new Czech Cyber Security Act, it is becoming a priority issue for senior management. A new law transposing NIS2 is set to come into force in the Czech Republic on July 1, 2025. This legislation aims to significantly increase the cyber resilience of organizations and fundamentally expands the range of companies and institutions it will affect – estimates suggest several thousand entities in the Czech Republic. For executives and other members of statutory bodies, this means not only new obligations, but also personal responsibility for fulfilling them. Ignorance of the law is no excuse, and failure to comply can have serious consequences. This article explains the main changes and obligations, highlights the risks of non-compliance, and offers practical recommendations on how to prepare – all in an understandable way, with practical examples and with regard to management responsibility.

Author of the article: ARROWS (JUDr. Kateřina Müllerová, office@arws.cz, +420 245 007 740)

New cybersecurity responsibilities for executives

The NIS2 Directive and the new law place much greater emphasis on the involvement of senior management in ensuring cybersecurity. Executives and board members will be directly responsible for ensuring that their companies comply with these regulations. In practical terms, this means that if your company is subject to regulation, you must ensure that all necessary measures are in place, monitor compliance, and allocate sufficient resources to cybersecurity. This responsibility applies regardless of your technical expertise—it cannot be waived or transferred to anyone else. The new regulation explicitly requires members of the statutory body to act with due diligence, which now also includes cybersecurity.

Before a company begins to implement specific security measures, it must assess whether it is subject to the law. This is done through a process known as self-identification, in which the company assesses its size, field of activity, and other criteria specified by law. If it finds that it falls under the regulation, it is required to register with the National Cyber and Information Security Agency (NÚKIB). It must then implement a comprehensive system of technical and organizational measures, which include, in particular:

  • Cyber risk management and security policy: Identification and management of risks, creation of internal security guidelines and rules.
  • Incident reporting: Setting up a process for the timely reporting of cyber incidents to NÚKIB and resolving such situations.
  • Employee and management training: Regular training of employees at all levels (including senior management) on cyber threats and security procedures.
  • Supply chain security: Checking and ensuring that suppliers and partners also meet the appropriate cyber security standards.
  • Data flow protection: Adoption of measures to protect networks, systems, and sensitive data from unauthorized access.

All measures and procedures adopted must also be effectively documented so that, in the event of an audit, the company can demonstrate that it has not only implemented security rules on paper but also applies them in practice. Formal adoption of policies without actual implementation is no longer sufficient—authorities will require evidence of functional security and ongoing compliance with the rules. Managing directors will be required to undergo training on cybersecurity and actively participate in monitoring compliance with all these rules.

Risks and penalties for non-compliance

The new regulation gives cybersecurity a similar weight to financial accounting, for example, and the penalties are commensurate. Failure to comply with obligations can have very serious consequences for a company and its management. Regulated companies can be fined up to 2% of their total annual turnover (for the largest companies) or 1.4% for less critical entities. For large companies, this can mean penalties in the tens or hundreds of millions of dollars. In addition to these financial penalties, NIS2 also introduces non-financial penalties – for example, authorities may suspend a company's security certifications or temporarily prohibit it from providing certain services.

An even more significant change, however, is the direct personal liability of statutory bodies. If a company violates its cybersecurity obligations, its executives or board members may be held directly liable. They may be held personally liable for any damage caused (including non-pecuniary damage) – for example, if sensitive data of business partners is leaked due to underestimated security, the injured parties may seek compensation from them. Furthermore, liability to creditors for the company's debts may also arise if the company becomes insolvent due to a security incident. In addition, the regulator (NÚKIB) will have the power to initiate the removal of a member of the management from office for up to three years – i.e., a ban on performing the function of a statutory body – and impose a fine of up to CZK 20 million. Even criminal liability is not ruled out – in extreme situations, gross negligence can lead to criminal consequences.

These sanctions are not just theoretical threats. Personal sanctions against senior executives would have serious reputational consequences for both the managers concerned and the entire company – few companies can afford to have their CEO publicly fined or temporarily removed from management. The investigation or proceedings for sanctions alone can paralyze the internal operations of a company and damage customer confidence. This is another reason why the new legislation aims to motivate company management not to underestimate cybersecurity. This modern "accountability" approach on the part of the EU is intended to encourage companies to take an active role in protection: when management knows that it has something to lose, it will pay due attention to this area. The fact that this works is demonstrated by an example from Slovakia, where a similar law (also based on NIS2) is already in force and companies prefer not to leave anything to chance. In the so-called self-identification process in Slovakia, 60% more companies than expected (over 15,000 instead of the originally estimated 9,000) opted to register for regulation. This trend clearly shows that companies and their managers are aware of the risks of non-compliance – and Czech executives should do the same before the first inspections or incidents occur.

How to prepare and protect yourself (practical recommendations)

The good news is that you are not alone in meeting the new obligations, and many risks can be avoided with timely preparation. Below are some practical steps you can take as an executive or manager to prepare for the new regulation and protect yourself and your company:

  • Find out if the regulation applies to you: Go through the self-identification process – assess your sector of activity and the size of your company according to the criteria set out in the law. NÚKIB has published tools, such as an online calculator, to help you determine whether you are a regulated entity. If so, don't forget to register with NÚKIB in good time.
  • Don't underestimate planning and resources: Integrate cybersecurity into your company's strategies and allocate an appropriate budget and staff to it. Appoint or hire a qualified cybersecurity manager (CISO) or create a dedicated team to handle the agenda. Remember that it can take months or even years to implement a functional system – the sooner you start, the better.
  • Implement the necessary measures step by step: Develop a plan for implementing security measures in accordance with legal requirements. Map existing weaknesses and gradually implement the following elements: risk analysis and management, security policies, incident detection systems, data backup, access control (e.g., multi-factor authentication), etc. Document each step as you go.
  • Delegate, but maintain an overview: Divide the cybersecurity agenda among competent persons – IT managers, security specialists, external consultants. Delegating tasks is essential, but it does not relieve you of your responsibility. Therefore, set up mechanisms for reporting to management: regular reports on the security status, incidents, and implementation of measures. The CEO or a member of the board of directors should have a constantly updated overview of cyber risk in the company.
  • Educate yourself and others: Complete the mandatory training from NÚKIB and continue to actively educate yourself in cybersecurity – follow threat trends and learn from incidents at other companies. At the same time, introduce regular training for employees focused on security principles (e.g., working with passwords, recognizing phishing, responding to incidents). Promote a security culture in your company – when employees understand the risks, you significantly reduce the likelihood of human error.
  • Develop a crisis scenario: Despite all preventive measures, incidents cannot be avoided 100%. Therefore, prepare a cyber incident response plan – who will do what in the event of a system attack, who to contact (NÚKIB, police, lawyers, PR), how to restore operations. Test this plan regularly with simulations. This will demonstrate that you are fulfilling your obligations not only in prevention but also in responding to crisis situations.
  • Consult legal aspects: The new regulation is complex and is being continuously refined by implementing regulations. Work with lawyers who can help you correctly interpret specific obligations and set up internal processes in accordance with the law. A legal readiness audit can reveal gaps that the authorities would focus on during an inspection.
  • Insurance and other protective measures: Consider taking out cyber risk insurance, which can mitigate the financial impact of a potential attack or data breach. Although insurance does not replace the need to comply with the law, it can provide the means to quickly manage a crisis situation (e.g., payment for system recovery experts, PR communication, legal expenses).

It is important to properly record and archive all of the above steps, from risk analyses and training records to reports for management. This documentation will serve both for internal progress monitoring and as evidence in the event of an inspection that management acted proactively and with due care. An executive who can prove that they did not underestimate security and took reasonable measures faces a much lower risk of personal sanctions. On the contrary, ignoring obligations or relying on "it will surely pass us by" would be very dangerous in today's situation.

Conclusion: Don't delay action – the responsibility is yours

A new era of cyber responsibility is dawning for company management in the Czech Republic. Executives can no longer consider cybersecurity a marginal technical issue that can be left to specialists. The NIS2 regulation clearly states that if a company falls within its scope, senior management must take active measures – and personally vouch for the results. The penalties and risks outlined above are compelling reasons to take this issue very seriously. At the same time, however, those who prepare in advance can come through this process unscathed and even gain a competitive advantage (companies with a reputation as secure partners will be more attractive to clients).

It does not pay to wait for the first inspections or incidents. On the contrary, starting your preparations now is a strategic step that will protect both your company and yourself. If you are unsure where to start or whether you are doing everything necessary, do not hesitate to seek professional help. Our law firm has extensive experience with cybersecurity regulations and will be happy to help you – from an initial analysis of the impact of NIS2 on your business, through setting up internal processes and documentation, to management training and security incident response. Cybersecurity is a new challenge for executives – face it head on and make sure your company meets all requirements. This will protect not only your company's data and reputation, but also yourself from personal legal liability.