What to expect in 2026 in Czech cybersecurity and telecommunications law

The Czech Republic's cybersecurity and communications regulatory environment is undergoing gradual transformation following the adoption of new cybersecurity legislation in 2025. As the regulatory framework continues to take shape, companies operating in the Czech market should closely monitor developments in secondary legislation and the evolving supervisory activities of relevant authorities.

New Cybersecurity Act, but framework still incomplete

The Czech Cybersecurity Act (Law No. 264/2025 Coll.) entered into force on 1 November 2025, implementing the EU's NIS2 Directive and significantly expanded the scope of regulated entities. While this represents a major step forward, the legal framework remains incomplete as some pieces of secondary legislation are still pending - in particular, Government regulations on essential functions and strategically significant services. Once adopted, these regulations will introduce strengthened supply chain resilience requirements and will give competence to restrict insecure supply chain equipment and/or suppliers, primarily on geopolitical grounds.

In the meantime, the Czech National Cyber and Information Security Agency (NÚKIB) has published guidance and further guidance is expected combined with a dedicated portal to support impacted organisations. Stakeholders are now awaiting confirmation of NIS2 registrations, which were due by the end of December 2025.  Regulatory compliance deadlines for most of the underlying obligations will commence from the date of confirmation of each company's registration.  These decisions may take time as each confirmation of registration must be issued and signed individually.

The sector may also see adjustments to the NÚKIB portal, particularly regarding its use by foreign companies subject to the Act, such as providers of electronic communications services and providers of electronic communications networks. Additionally, it will be important to monitor how NÚKIB applies the concept of 'main establishment' as envisaged by the NIS2 Directive (which allows for a single registration across the EU for certain services).

CER Directive implementation pending

Implementation of the EU's Critical Entities Resilience (CER) Directive is also underway. The New Critical infrastructure Act (Law No. 266/2025 Coll.) also became effective on 1 November 2025. However, the framework will not become fully operational until the criteria for identifying critical entities are established and implementing regulations - including government regulation and Ministry of the Interior decrees - are finalised.

DORA supervision by CNB will progress

The Czech National Bank (CNB) is expected to intensify its supervision of compliance with the Digital Operational Resilience Act (DORA), which came into effect on 17 January 2025. While DORA applies directly to the financial sector, it also has significant implications for suppliers serving financial institutions, including telecommunications operators.

The CNB has indicated that regulatory questionnaires and inspections may be expected as part of its ongoing supervisory activities.

Central Registry of Blocked Websites

On 1 January 2026, the Czech Telecommunications Office launched the new Central Registry of Blocked Websites (Jednotný seznam blokovaných internetových stránek). This initiative consolidates previously separate registries of prohibited websites that were administered by various authorities. These included the Registry of Illegal Internet Games (Ministry of Finance) and the Registry of Websites Offering Illegal Drugs/Medicines (The State Institute for Drug Control).

The consolidation aims to reduce the administrative burden and simplify monitoring of blocked websites by providing a single, machine-readable registry under the Czech Telecommunications Office's administration.

Conclusion

2026 promises to be another interesting year for Czech cybersecurity and telecommunications regulation. Organisations subject to these regulations should prepare for a gradual increase of supervisory scrutiny. Staying informed of regulatory developments and maintaining open dialogue with relevant authorities will be very beneficial to navigate this evolving landscape.