Cybersecurity is becoming a personal responsibility for executives

Author: Mgr. Petr Hanzel, LL.M. · Published: 26 May 2025

Executive summary

  • NIS2 changes the rules: cybersecurity is no longer “an IT topic” — it becomes a management priority with clear legal duties.
  • Personal accountability: statutory bodies and executives must ensure compliance and can’t “delegate away” responsibility.
  • Key steps: self-identification → registration with NÚKIB → implementation and documentation of measures → training and continuous oversight.
  • Real exposure: fines, operational bans, reputational impact, potential removal from office — and in some cases personal liability for damage.
  • Best defense: start early, allocate resources, track evidence of compliance, and align legal + technical readiness.

Cyber security is no longer just a technical issue for IT departments — with the arrival of the European NIS2 Directive and the new Czech Cyber Security Act, it is becoming a priority issue for senior management. A new law transposing NIS2 is set to come into force in the Czech Republic on July 1, 2025.

This legislation aims to significantly increase the cyber resilience of organizations and fundamentally expands the range of companies and institutions it will affect — estimates suggest several thousand entities in the Czech Republic. For executives and other members of statutory bodies, this means not only new obligations, but also personal responsibility for fulfilling them. Ignorance of the law is no excuse, and failure to comply can have serious consequences.

This article explains the main changes and obligations, highlights the risks of non-compliance, and offers practical recommendations on how to prepare — all in an understandable way, with practical examples and with regard to management responsibility.

Need practical legal guidance for NIS2 and executive liability?

Contact ARROWS Law Firm at office@arws.cz or call +420 245 007 740.

New cybersecurity responsibilities for executives

The NIS2 Directive and the new law place much greater emphasis on the involvement of senior management in ensuring cybersecurity. Executives and board members will be directly responsible for ensuring that their companies comply with these regulations. In practical terms, this means that if your company is subject to regulation, you must ensure that all necessary measures are in place, monitor compliance, and allocate sufficient resources to cybersecurity.

This responsibility applies regardless of your technical expertise — it cannot be waived or transferred to anyone else. The new regulation explicitly requires members of the statutory body to act with due diligence, which now also includes cybersecurity.

Before a company begins to implement specific security measures, it must assess whether it is subject to the law. This is done through a process known as self-identification, in which the company assesses its size, field of activity, and other criteria specified by law. If it finds that it falls under the regulation, it is required to register with the National Cyber and Information Security Agency (NÚKIB).

It must then implement a comprehensive system of technical and organizational measures, which include, in particular:

  • Cyber risk management and security policy: identification and management of risks, creation of internal security guidelines and rules.
  • Incident reporting: setting up a process for timely reporting of cyber incidents to NÚKIB and resolving such situations.
  • Employee and management training: regular training of employees at all levels (including senior management) on cyber threats and security procedures.
  • Supply chain security: checking and ensuring that suppliers and partners also meet appropriate cyber security standards.
  • Data flow protection: adopting measures to protect networks, systems, and sensitive data from unauthorized access.

All measures and procedures adopted must also be effectively documented so that, in the event of an audit, the company can demonstrate that it has not only implemented security rules on paper but also applies them in practice. Formal adoption of policies without actual implementation is no longer sufficient — authorities will require evidence of functional security and ongoing compliance with the rules.

Managing directors will be required to undergo training on cybersecurity and actively participate in monitoring compliance with all these rules.

Risks and penalties for non-compliance

The new regulation gives cybersecurity a similar weight to financial accounting, for example, and the penalties are commensurate. Failure to comply with obligations can have very serious consequences for a company and its management. Regulated companies can be fined up to 2% of their total annual turnover (for the largest companies) or 1.4% for less critical entities. For large companies, this can mean penalties in the tens or hundreds of millions.

In addition to financial penalties, NIS2 also introduces non-financial sanctions — for example, authorities may suspend a company's security certifications or temporarily prohibit it from providing certain services.

An even more significant change, however, is the direct personal liability of statutory bodies. If a company violates its cybersecurity obligations, its executives or board members may be held directly liable. They may be personally liable for damage caused (including non-pecuniary damage) — for example, if sensitive data of business partners is leaked due to underestimated security, the injured parties may seek compensation from them.

Furthermore, liability to creditors for the company's debts may also arise if the company becomes insolvent due to a security incident. In addition, the regulator (NÚKIB) will have the power to initiate the removal of a member of the management from office for up to three years (a ban on performing the function of a statutory body) and impose a fine of up to CZK 20 million. Even criminal liability is not ruled out — in extreme situations, gross negligence can lead to criminal consequences.

These sanctions are not merely theoretical. Personal sanctions against senior executives would have serious reputational consequences for both the managers concerned and the entire company — few organizations can afford to have their CEO publicly fined or temporarily removed from management. The investigation or proceedings for sanctions alone can paralyze internal operations and damage customer confidence.

This is exactly the effect the new legislation is aiming for: to motivate company management not to underestimate cybersecurity. This “accountability” approach is intended to encourage active protection: when management knows it has something to lose, it pays due attention to the area.

The fact that this works is illustrated by an example from Slovakia, where a similar law (also based on NIS2) is already in force and companies prefer not to leave anything to chance. In Slovakia’s self-identification process, 60% more companies than expected (over 15,000 instead of the originally estimated 9,000) opted to register for regulation.

This trend clearly shows that companies and their managers are aware of the risks of non-compliance — and Czech executives should do the same before the first inspections or incidents occur.

How to prepare and protect yourself (practical recommendations)

The good news is that you are not alone in meeting the new obligations, and many risks can be avoided with timely preparation. Below are practical steps you can take as an executive or manager to prepare for the new regulation and protect yourself and your company.

  • Confirm whether the regulation applies to you: go through the self-identification process — assess your sector of activity and company size according to legal criteria. NÚKIB has published tools (including an online calculator) to help you determine whether you are a regulated entity. If you fall under the regulation, register with NÚKIB in good time.
  • Plan realistically and allocate resources: integrate cybersecurity into your strategy and provide an appropriate budget and staffing. Appoint or hire a cybersecurity manager (CISO) or create a dedicated team. Implementation can take months (sometimes longer) — starting earlier reduces risk.
  • Implement measures step by step (and document everything): develop a practical plan aligned with legal requirements. Map current weaknesses and gradually implement risk analysis and management, policies, incident detection, backups, access control (including multi-factor authentication), and other required safeguards. Record progress continuously.
  • Delegate execution, keep oversight: distribute tasks to competent people — IT leadership, security specialists, external consultants. Delegation is necessary, but it does not remove your responsibility. Establish management reporting: regular updates on security status, incidents, and the implementation roadmap.
  • Educate yourself and your organization: complete required training and stay informed about threat trends. Introduce ongoing employee training (password hygiene, phishing, incident response). Build a security culture — it reduces the probability of human error dramatically.
  • Prepare a crisis scenario: incidents cannot be avoided 100%. Create an incident response plan — who does what, which contacts are activated (NÚKIB, police, lawyers, PR), and how operations are restored. Regularly test the plan through simulations.
  • Cover legal specifics: the regulation is complex and will be refined by implementing rules. Work with lawyers to interpret obligations correctly and set internal processes accordingly. A legal readiness audit often identifies gaps that authorities would focus on during inspections.
  • Insurance and additional safeguards: consider cyber risk insurance to mitigate financial fallout (system restoration experts, PR, legal costs). Insurance is not a substitute for compliance, but it can help you manage a crisis quickly and effectively.

Properly record and archive all steps — risk analyses, training records, management reports, and implementation evidence. Documentation serves both internal control and as proof during inspections that management acted proactively and with due care. Executives who can demonstrate reasonable measures face materially lower personal exposure.

Conclusion: don’t delay action – the responsibility is yours

A new era of cyber responsibility is dawning for company management in the Czech Republic. Executives can no longer consider cybersecurity a marginal technical issue delegated entirely to specialists. NIS2 makes it clear: if a company falls within scope, senior management must take active measures — and personally vouch for the outcome.

At the same time, those who prepare early can manage the transition and even gain a competitive advantage. Companies with a reputation as secure partners tend to be more attractive to customers, vendors, and strategic counterparties.

It does not pay to wait for the first inspection or incident. Starting now is a strategic move that protects your business and reduces personal legal risk. If you are unsure where to begin or whether your setup is sufficient, professional support can save you significant time and exposure.

ARROWS Law Firm has extensive experience with cybersecurity regulations and can support you from initial NIS2 impact analysis through implementation of internal processes and documentation to management training and incident response planning. Cybersecurity is a new management discipline — treat it accordingly and ensure your organization meets its obligations.

Want a quick compliance and liability reality-check for your company?

Write to office@arws.cz or call +420 245 007 740.

Disclaimer

The information contained in this article is for general informational purposes only and serves as a basic guide to the issue. Although we strive for maximum accuracy in the content, legal regulations and their interpretation evolve over time. To verify the current wording of the regulations and their application to your specific situation, it is therefore necessary to contact ARROWS Law Firm directly (office@arws.cz). We accept no responsibility for any damage or complications arising from the independent use of the information in this article without our prior individual legal consultation and expert assessment. Each case requires a tailor-made solution, so please do not hesitate to contact us.