NBÚ and security clearances in companies: what could be a problem
Obtaining a security clearance for a company, formally known as a business certificate, is key to entering lucrative state and international contracts. However, this process, managed by the National Security Authority (NSA) pursuant to Act No. 412/2005 Coll., is fraught with hidden risks. In this article, we will show you the specific issues that the NSA most frequently deals with—from ownership structure to personal debts of executives—and how ARROWS lawyers can ensure that the entire security clearance process runs smoothly.
Need advice on this topic? Contact the ARROWS law firm by email office@arws.cz or phone +420 245 007 740. Your question will be answered by "JUDr. Jakub Dohnal, Ph.D., LL.M.", an expert on the subject.
Why is security clearance a strategic business for your company?
For many companies in the IT, consulting, construction, or defense industries, obtaining clearance from the National Security Authority (NBÚ) is a strategic necessity. It is not just an administrative hurdle, but a ticket to contracts that require access to classified information.
According to Act No. 412/2005 Coll., classified information is anything whose disclosure or misuse could harm the interests of the Czech Republic. The key point is that these interests are not defined solely as national defense, but also include "protection of the economy." This means that companies involved in critical infrastructure, energy projects, or large state IT systems also need to be vetted today.
Successful acquisition of Czech certification is also a prerequisite for international operations. It opens the door to obtaining a "NATO certificate" or Facility Security Clearance (FSC), which are required for participation in NATO and EU tenders.
Every day, our lawyers at ARROWS assess clients' business models and help them identify whether and what type of authorization they need from the NBÚ for their contracts. For an immediate solution to your situation, write to us at office@arws.cz.
Two pillars of security: What is the difference between vetting a company and its people?
The Act on the Protection of Classified Information is based on two main pillars, which the NSA checks separately, but whose fate is inextricably linked.
The first is personnel security, which concerns natural persons – your employees and managers. They undergo a procedure at the end of which they obtain (or do not obtain) a "natural person certificate." The NSA examines their past, finances, connections, and overall security reliability.
The second pillar is industrial security, which concerns the company as such (legal entities or entrepreneurs). The result is an "entrepreneur certificate." Here, the NSA examines your economic stability, ownership structure, and ability to actually secure information.
A key problem that many companies underestimate is their interdependence. Your company may have perfect documentation and the most expensive safes, but it will not obtain an entrepreneur certificate if a key person fails.
The law sets a clear condition: a company will only obtain clearance "if the responsible person holds a valid certificate for a natural person" for at least the same level of confidentiality. This "responsible person" is typically the managing director, CEO, or chairman of the board.
That is why we at ARROWS take a two-pronged approach. Not only do we prepare your company for the industrial security process, but we also discreetly guide your key managers through the entire personnel security procedure. Do you need legal assistance? Contact us at office@arws.cz.
"Skeletons" in the closet: What could immediately sink your company?
When vetting a company (industrial security), the NSA is not only interested in your commercial register. It goes in-depth and looks for any risks that could lead to the compromise of classified information. From our experience, we know that three areas are the most risky for Czech companies.
Problem No. 1: Non-transparent ownership structure
The NSA must know exactly who owns your company and who actually controls it – who is the real "behind-the-scenes player." Any "non-transparent financial flows" or "ownership relationships that cannot be verified abroad" are a warning sign for the NSA.
The problem typically arises with complex holding structures, funds, or in cases where the ultimate owner is based in a jurisdiction with which the Czech Republic has no cooperation agreement (e.g., outside the EU/NATO). In such cases, the NSA cannot verify who actually controls the company and assesses this as a risk of "influenceability."
If your ownership structure is international, this is a warning sign for the NSA. Thanks to our ARROWS International network, which we have been building for ten years, we can obtain and verify the necessary documents on beneficial owners and financial flows virtually anywhere in the world. We will prepare your structure so that it is fully transparent to the NSA. Contact us at office@arws.cz.
Problem No. 2: Financial (in)stability of the company
A condition for issuing a certificate is that the company must be "economically stable." The NBÚ does not look at your turnover, but at your vulnerability.
A warning sign is, for example, "negative equity." Why? Because it means that the company's operations are fully financed from external sources. In such a situation, the NSA assesses the risk that the company may "find itself in the hands of creditors." The creditor could then blackmail the indebted company and force it to disclose classified information.
Our lawyers, in cooperation with ARROWS tax advisors, will conduct an in-depth analysis of your financing and capital structure. We will help you prepare documents that prove your economic stability and eliminate doubts about external influence. For a legal analysis of financing, write to us at office@arws.cz.
Problem No. 3: Personal failure of management (Statutory bodies)
As we mentioned, the fate of a company is tied to its "responsible person." Personal problems of statutory bodies thus become a direct risk to the business. These may include ongoing criminal proceedings, foreclosures, or non-transparent loans worth millions that they cannot explain.
Moreover, the risk is "hereditary." Court practice confirms that the NBÚ may reject a company's security clearance even if the problematic statutory body is no longer active in the company. If the NBÚ finds that the company benefited from its previous "activities against the interests of the state" and the new management still has "clear links" to it, the risk for the office remains.
ARROWS specializes in legal audits of key persons in a company. We will conduct a discreet management review (due diligence) and prepare documentation for their personal security clearance to protect the clearance of your entire company. Do you need legal assistance? Contact us at office@arws.cz.
The most common mistakes in company setup
|
Risks and sanctions |
How ARROWS helps |
|
Non-transparent ownership structure (e.g., fund, foreign owner outside the EU) leading to immediate rejection of the application and loss of the contract. |
Legal analysis and restructuring: We will design and legally implement an optimal holding structure that meets the strict transparency requirements of the National Security Authority. Would you like to have your structure reviewed? Write to office@arws.cz. |
|
Management ties to former "risky" statutory representatives, which the National Security Authority assesses as a continuing security threat. |
Legal audit and compliance programs: We will conduct an internal audit of relationships, prepare legal opinions, and implement compliance programs to prove the company's "clean slate." Contact us at office@arws.cz. |
|
Negative capital or unclear financing that the NBÚ assesses as a risk of "influence" by creditors. |
Legal and tax restructuring of financing: We will assess your financing and propose steps (e.g., capitalization of receivables) to demonstrate your economic stability. For immediate solutions, write to us at office@arws.cz. |
|
Risky business contacts of the company or its representatives that raise doubts about reliability. |
Due diligence of partners and contract settings: We will review your key suppliers and partners and prepare a contract review to reflect security requirements. Do you need to prepare a contract? Contact us at office@arws.cz. |
FAQ – Legal tips on ownership and international ties
1. We have owners in the US. Is this a problem?
It is not automatically a problem, as the US is a member of NATO. However, the NBÚ will require detailed verification. You must be able to document the entire ownership structure down to the ultimate natural persons. Our lawyers are ready to help you – write to office@arws.cz.
2. What if our actual owner is in a country that is not in the EU/NATO?
This is a serious obstacle. The NBÚ may halt the proceedings due to "unverifiability." It is necessary to consider legal restructuring before submitting an application. For a discreet consultation on your structure, please contact us at office@arws.cz.
3. How do we verify a foreign partner in a consortium?
You are responsible for vetting your partners. Thanks to the ARROWS International network, we are able to provide in-depth due diligence on business partners and their ownership structures virtually anywhere in the world. Please do not hesitate to contact our office at office@arws.cz.
People as the weakest link: Personnel security and risks
As we have shown, statutory bodies are key. However, the issues concern every employee who will need access to classified information. The process of obtaining a certificate for a natural person is essentially a test of loyalty and vulnerability.
There is "no legal entitlement" to the issuance of a security clearance, and the NSA has "considerable discretion" in its assessment. The applicant must complete a "very detailed" questionnaire, and any concealment of information is practically a sure path to rejection.
The NSA does not investigate whether you have "done" anything in the past. It examines whether you are susceptible to influence and blackmail. Court practice shows extreme cases: an individual lost their clearance simply because of "contact with a former colleague" who was assessed as a security risk. The court confirmed that it was irrelevant that the applicant knew nothing about their colleague's anti-state activities. The contact itself was a risk.
ARROWS lawyers provide essential legal support in completing security questionnaires. We will help you correctly identify and describe any potentially risky information, such as old debts or complicated personal ties, and prepare you for the security interview. Our lawyers are ready to help you – write to office@arws.cz.
Documentation and processes: When does administration become a security risk?
The company must prove to the NSA that it is "capable of ensuring the protection" of information. This is not done by a sworn statement, but by providing extensive and detailed documentation.
You must have Business Security Documentation prepared, which includes a risk analysis and a description of protective measures. You must also prepare a Physical Security Project, which describes in detail the security of offices, safes, regime measures, and even plans for emergency situations.
Nowadays, Information System Certification is also crucial. This is often a separate, technically and legally demanding process that may require approval from the National Cyber and Information Security Agency (NÚKIB). This also addresses details such as verification against "compromising electromagnetic emissions."
ARROWS lawyers specialize in the complete preparation of security documentation that will protect you from sanctions. We will prepare all internal guidelines, security projects, and legally required documentation for the certification of your IT systems. We will ensure that your administration is not a risk, but your protection. Do not hesitate to contact our office – office@arws.cz.
Employer obligations and the role of the "Responsible Person"
Along with obtaining certification, the company assumes a number of ongoing obligations. It must appoint a "responsible person" (or "security director") who reports directly to management and is responsible for protecting classified information.
This person has a number of tasks under the law. They must "provide legal training" to all employees who have access to information and "instruct" them. They also keep records and monitor compliance with the law.
At ARROWS, we understand the enormous pressure on "responsible persons." That is why we provide them with full legal support. We provide professional training for employees and management (including certification) that will demonstrably fulfill your legal obligations. In this way, we protect not only the company, but also you personally. Would you like to arrange training? Write to office@arws.cz.
Procedural errors and sanctions
|
Risks and sanctions |
How ARROWS helps |
|
Formally flawed or missing security documentation, leading to the suspension of proceedings and a fine. |
Preparation of complete turnkey documentation: We will prepare all internal guidelines and documents required by law that are necessary for successful management. Do you need to prepare documentation? Contact us at office@arws.cz. |
|
Employee ignorance leading to careless disclosure of information and criminal liability for endangering classified information (§ 317 of the Criminal Code). |
Certified professional training: We will train your employees and management in the protection of classified information in accordance with Act 412/2005 Coll.. Would you like to arrange training? Write to office@arws.cz. |
|
Fines from the National Security Authority (up to CZK 1,000,000) for administrative offenses, such as breach of duties in the protection or recording of classified information. |
Legal consultations and audits: We will audit your existing processes and protect you from inspections and sanctions. Are you facing an inspection? Write to office@arws.cz. |
|
Rejection of a certification application and the need to file an "appeal" in a complex procedure where you do not have access to all the information. |
Representation in appeal proceedings and in court: We will defend you. ARROWS has extensive experience in representing clients before administrative authorities and in administrative lawsuits. Have you been rejected? Write to office@arws.cz. |
When the NSA says "No": How to defend yourself against rejection?
What to do if your company or your managing director receives a rejection decision from the NSA? The first option is to file an "appeal" with the director of the NSA. If you are unsuccessful there, the next step is an administrative lawsuit in court.
However, you should be aware that this procedure is extremely complex. As real court cases show, the NSA often bases its decisions on classified reports from intelligence services. The courts have repeatedly confirmed that neither the applicant nor their lawyer may be allowed to inspect the key part of the file containing classified information.
In other words, you are fighting a legal battle without knowing the evidence of the other side.
Appeal proceedings are extremely complex from a legal point of view, as you are often fighting against evidence that you are not even allowed to see. That is why it is crucial to have a legal partner who specializes in preventing these problems. ARROWS lawyers have experience in representing clients before administrative authorities and will guide you through the entire process so that you do not end up in an "appeal" situation. If you are already facing a rejection, write to us at office@arws.cz for an immediate solution.
Conclusion: Strategic partnership with ARROWS
Obtaining NBÚ certification is not an administrative task, but a strategic process that examines the very core of your company—from finances to ownership to the reliability of your management. Every mistake in this process means months of delays and the loss of key contracts.
At ARROWS, we have long specialized in this area. Our experience in providing services to more than 150 joint-stock companies and 250 limited liability companies allows us to see risks that others overlook.
We pride ourselves on speed and high quality. We also understand that business is about relationships. We are happy to connect our clients when we see interesting business opportunities, and we are interested in hearing your business ideas.
Whether you are at the beginning of the process, need to prepare documentation, or are facing rejection, our industrial security specialists are ready to help you. Contact us at office@arws.cz for a customized legal solution.
FAQ – Frequently asked legal questions about company security clearances
1. How long does the entrepreneur certification process take?
Legal deadlines vary depending on the level of secrecy, but the process can take many months. However, the preparatory phase is key. An incomplete or incorrect application will return the entire process to the beginning and prolong it by several months. If you need to go through the process as quickly as possible, 100% preparation is essential. To assess your situation, contact us at office@arws.cz.
2. Do all our employees have to be vetted?
No. Only persons who need to be familiar with classified information must be vetted. The company must maintain and submit to the NSA a "list of positions or functions" of these people. We will help you prepare internal guidelines and this list. If you are dealing with access settings, write to us at office@arws.cz.
3. What is a "NATO certificate" (Facility Security Clearance)?
It is the international equivalent of the Czech entrepreneur's certificate. It is issued by the NSA on the basis of a successful national procedure and entitles you to access classified NATO information. We deal with international security standards on a daily basis. Contact us at office@arws.cz.
4. Is a "Restricted" clearance sufficient for us?
For the "Restricted" level, the process is significantly simpler for companies and only requires a so-called "business declaration." For the "Confidential," "Secret," and "Top Secret" levels, full business certification is required. The level of classification is always determined by the contracting authority. For a legal analysis of your needs, please contact our specialists at office@arws.cz.
5. What if we are a foreign company operating in the Czech Republic?
For the NSA, you are a Czech "entrepreneur" and must meet all the conditions. If you already have clearance from your home country (in the EU/NATO), you can go through the process of "recognition of foreign security clearance." It is a complex process. Thanks to the ARROWS International network, we have extensive experience with these cases. Write to us at office@arws.cz.
6. Our company has debts. Does that automatically mean rejection?
Not automatically, but it is a serious risk. The NSA assesses whether you are "economically stable" and whether the debts pose a risk of "influence." Transparency and the ability to prove that you have the situation under control are key. If you are dealing with a similar problem, contact us at office@arws.cz.
Don't want to deal with this problem yourself? More than 2,000 clients trust us, and we have been named Law Firm of the Year 2024. Take a look HERE at our references.