NIS2 Compliance Checklist: What Czech Companies Must Do in 2026

The NIS2 directive is now reality in the Czech Republic. On November 1, 2025, the new Cybersecurity Act No. 264/2025 came into effect, replacing the previous legislation and expanding the scope from ~400 entities to potentially over 6,000 companies.

If you're reading this thinking "does this apply to us?" — here's the quick test: 50+ employees OR €10M+ annual turnover in a covered sector. If that's you, keep reading.

Critical deadlines you need to know:

✅ January 2026: Self-identification deadline (that's 60 days after the law took effect — yes, it's tight)
⏰ November 2026: Full compliance implementation (you have 1 year from NÚKIB registration)

The penalties? They're designed to get your attention: up to CZK 250 million or 2% of global annual revenue (whichever hurts more).

This article provides a practical, step-by-step checklist based on verified information from official sources: EU NIS2 Directive 2022/2555, Czech Law 264/2025, and NÚKIB guidance.

Who Must Comply with NIS2?

Size Thresholds

According to EU Recommendation 2003/361/EC, you're subject to NIS2 if you're a medium or large enterprise:

✅ 50+ employees, OR
✅ €10M+ annual turnover, OR
✅ €10M+ balance sheet total

Important: You need to hit the employee threshold AND (turnover OR balance sheet). So if you have 60 employees but only €5M turnover and €4M balance sheet, you're still in scope. Yes, even if your revenue is below the threshold.

Covered Sectors (15 Total)

NIS2 applies to entities operating in these sectors:

Energy (electricity, oil, gas, hydrogen, district heating/cooling)
Transport (air, rail, water, road)
Banking & Financial Markets
Healthcare (providers, pharmacies, medical device manufacturers)
Drinking Water Supply & Distribution
Wastewater Management
Digital Infrastructure (IXPs, DNS, TLD registries, cloud, data centers)
Digital Services (online marketplaces, search engines, social networks)
Public Administration (central and regional government)
Aerospace (manufacturing, operations)
Manufacturing (critical products: electronics, machinery, vehicles, chemicals, pharmaceuticals, food)
Postal & Courier Services
Waste Management
Chemical Production & Distribution
Food Production & Distribution

Source: Zákon 264/2025 Sb., § 4

Two Obligation Regimes

Czech law distinguishes two levels:

Higher Obligations (Vyšší povinnosti):

Entities with "significant economic, social, or security importance"
Typically: critical infrastructure, public administration, essential services
14 organizational + 11 technical security measures required

Lower Obligations (Nižší povinnosti):

All other regulated entities in covered sectors
13 combined security measures (reduced scope)

Source: Zákon 264/2025 Sb., § 8

Technical Security Measures Required

What You MUST Implement

Based on Article 21 of NIS2 Directive and Czech law § 15-16, all entities must implement:

1. Risk Management

Identify and assess cybersecurity risks to your systems
Document risk treatment decisions
Review risks at least annually

2. Incident Response

Incident response plan with defined roles
Procedures to detect, respond to, and recover from incidents
Regular testing (at least annually)

3. Business Continuity & Disaster Recovery

Business continuity plan for critical services
Backup procedures with tested recovery
Alternative operating procedures during disruptions

4. Supply Chain Security

Security requirements for suppliers with access to your systems
Contractual obligations for cybersecurity
Assessment of supplier cyber risks

5. Network Security

Network segmentation where appropriate
Perimeter protection (firewalls, IDS/IPS)
Regular security monitoring

6. Access Control & Authentication

Multi-factor authentication (MFA) for privileged accounts
Role-based access control (RBAC)
Regular access rights review
Account management (creation, modification, deletion)

7. Cryptography

Encryption for data at rest (sensitive data)
Encryption for data in transit (TLS 1.2+)
Cryptographic key management

8. Human Resources Security

Security awareness training for all employees
Specific training for IT and security personnel
Background checks for privileged positions (where legally permitted)

9. Physical & Environmental Security

Access control to server rooms / data centers
Environmental controls (temperature, fire suppression)
Visitor management

10. Security Logging & Monitoring ⬅️ SNYFT COVERS THIS

Centralized log collection from critical systems
Log retention for at least 12 months
Real-time monitoring for security events
Automated alerting for suspicious activities

11. Vulnerability Management

Regular vulnerability scanning
Patch management process
Penetration testing (at least annually for higher obligations)

12. Configuration Management

Secure baseline configurations
Change management procedures
Configuration documentation

13. Asset Management

Inventory of hardware and software assets
Classification of assets by criticality
Lifecycle management

14. Information Security Management System (ISMS)

Security policies and procedures documented
Designated security officer/team
Regular management review

Source: Zákon 264/2025 Sb., § 15-16

Incident Reporting to NÚKIB

Reporting Timelines

When a significant incident occurs, you must report to NÚKIB:

1. Initial Notification: 24 Hours

Report within 24 hours of discovery
Include: incident description, affected systems, initial impact assessment
Submit via NÚKIB Portal

2. Detailed Report: 72 Hours

Within 72 hours: provide detailed analysis
Include: root cause assessment, scope of impact, mitigation measures taken

3. Final Report: 30 Days

Within 30 days: submit final incident report
Include: lessons learned, preventive measures implemented

Source: Zákon 264/2025 Sb., § 30

What Qualifies as "Significant Incident"?

An incident is significant if it:

Causes or could cause significant disruption to service delivery
Affects a large number of users
Involves data breach or potential data loss
Requires extraordinary measures to resolve

Note: If you're unsure, report it. NÚKIB prefers over-reporting to under-reporting.

Penalties for Non-Compliance

Higher Obligations Regime

For serious violations:

Up to CZK 250,000,000 OR
2% of total worldwide annual turnover
Whichever amount is HIGHER

Examples of serious violations:

Intentionally failing to register as regulated entity
Not implementing required security measures
Failing to report significant incidents

Lower Obligations Regime

For serious violations:

Up to CZK 175,000,000 OR
1.4% of total worldwide annual turnover
Whichever amount is HIGHER

Additional Sanctions:

Suspension of European cybersecurity certificate
Temporary ban on serving as statutory body member (for repeated violations)
Corrective orders with enforcement penalties

Source: Kybernetický zákon sankce - Zákony pro lidi, Nový zákon o kybernetické bezpečnosti - Právní prostor

Important: Penalties are not intended to be "liquidation fines." NÚKIB considers mitigating and aggravating circumstances in each case.

What SNYFT Covers (And What It Doesn't)

✅ SNYFT Covers:

Security Logging & Monitoring (Requirement #10):

✅ Centralized log collection from Windows, Linux, network devices, applications
✅ 365-day log retention (exceeds 12-month minimum requirement)
✅ Real-time security monitoring with pre-configured detection rules
✅ Automated alerting via email, Slack, Jira
✅ Incident detection within minutes (not days)
✅ Compliance reporting for NÚKIB (audit-ready logs)

Incident Response Support (Requirement #2):

✅ Automated incident detection triggers
✅ Evidence collection (logs preserved for investigation)
✅ Timeline reconstruction of security events

Risk Visibility (Requirement #1):

✅ Security dashboard showing threat landscape
✅ Behavioral anomaly detection (UEBA)
✅ Risk scoring of security events

⚠️ SNYFT Does NOT Cover:

You will need additional measures for:

❌ Business Continuity & Backup (Requirement #3)
❌ Employee Security Training (Requirement #8)
❌ Legal Compliance Consulting
❌ Vulnerability Scanning & Penetration Testing (Requirement #11) → We can recommend partners
❌ Gap Analysis & Security Audits → We can recommend partners
❌ Physical Security (Requirement #9)
❌ ISMS Documentation (Requirement #14)

Why We're Honest: NIS2 compliance is holistic. SIEM (security monitoring) is necessary but not sufficient. We'd rather be transparent about what you need than oversell.

90-Day Action Plan

Month 1: Assessment & Registration (Days 1-30)

Week 1-2: Determine if NIS2 applies to you

Check employee count (50+?)
Check annual turnover/balance sheet (€10M+?)
Verify if you operate in covered sector (see list above)
Determine obligation level (higher vs. lower)

Week 3-4: Register with NÚKIB

Prepare company documentation (sector, size, services)
Submit self-identification to NÚKIB via portal
Deadline: January 2026 (60 days after law took effect on Nov 1, 2025)

Week 4: Gap Analysis

Review current security measures against required list
Identify gaps (what's missing?)
Prioritize based on risk and cost

Deliverable: Written assessment of compliance gaps

Month 2: Quick Wins & Monitoring (Days 31-60)

Week 5: Deploy Security Monitoring (SNYFT!)

Sign up for SNYFT trial (14 days free)
Install agents on critical servers (Windows, Linux)
Configure log collection from network devices
Set up alerting to Slack/Jira
Why first: Monitoring gives visibility into other gaps

Week 6: Implement Access Controls

Enable MFA for all admin accounts
Review and document user access rights
Implement principle of least privilege
Set up regular access review process (quarterly)

Week 7: Incident Response Planning

Draft incident response plan (template available from NÚKIB)
Define incident severity levels
Assign roles (incident manager, technical responders, communications)
Create NÚKIB reporting checklist

Week 8: Security Awareness

Schedule phishing simulation
Create security awareness material (posters, email templates)
Plan quarterly security training sessions

Deliverable: SIEM deployed, MFA enabled, incident response plan drafted

Month 3: Documentation & Testing (Days 61-90)

Week 9-10: Complete ISMS Documentation

Document all security policies (access control, acceptable use, incident response, backup)
Create asset inventory (servers, applications, network devices)
Document risk assessment findings
Assign security officer role (person responsible for NIS2)

Week 11: Business Continuity

Document critical business processes
Identify recovery time objectives (RTO) and recovery point objectives (RPO)
Test backup restoration (pick one critical system, try recovering)
Create alternative operating procedures for outages

Week 12: Testing & Review

Run incident response tabletop exercise (simulate ransomware attack, walk through response)
Test NÚKIB reporting process (dry run, don't submit)
Review security monitoring alerts in SNYFT (tune rules, reduce false positives)
Management review meeting (present compliance status to leadership)

Deliverable: Full ISMS documentation, tested incident response, management sign-off

After 90 Days: Continuous Compliance

Ongoing Activities:

Monthly:

Review security monitoring alerts in SNYFT
Check for new vulnerabilities (CVE databases)
Review access rights for privileged accounts

Quarterly:

Security awareness training for employees
Review and update risk assessment
Incident response plan review

Annually:

Full security audit (internal or external)
Penetration testing (required for higher obligations)
Update ISMS documentation
Management review of cybersecurity posture

Common Questions

Q: "We're exactly 50 employees. Do we need to comply?"

A: Yes. The threshold is "50 or more employees" (EU Recommendation 2003/361/EC). If you're at 50, you're in scope (assuming you're in a covered sector).

Q: "Our annual turnover is €9.5M but we have 55 employees. Are we exempt?"

A: No. You meet the employee threshold (50+), which is sufficient. You don't need to meet BOTH criteria, just ONE (employees OR turnover OR balance sheet).

Q: "We're a software company. Does NIS2 apply to us?"

A: It depends. If you provide:

Digital services (online marketplaces, search engines, social networks with 45M+ monthly EU users)
Cloud computing services
Data center services
DNS services or TLD registries

Then yes. If you're a standard B2B SaaS company selling accounting software, likely no (unless you're also providing cloud infrastructure).

Q: "Can SNYFT alone make us NIS2 compliant?"

A: No, and honestly, anyone telling you that one tool solves NIS2 is selling snake oil.

SNYFT handles the security monitoring piece (Requirement #10) — and we do it well. But NIS2 is holistic. You also need:

Business continuity planning
Backup solutions
Employee training
Access controls
Incident response procedures
Physical security

Think of it this way: SNYFT is your security camera system. Essential for seeing threats in real-time. But you also need locks (access control), alarm response procedures (incident response), and fire extinguishers (business continuity).

We're one critical component, not the whole solution.

Q: "What happens if we don't comply by the deadline?"

A: The legal answer: NÚKIB can issue corrective orders with enforcement penalties. For serious violations (intentionally not registering, not implementing security measures), fines up to CZK 250M or 2% of global turnover.

The practical answer: NÚKIB's approach has been collaborative so far. If you're making good-faith efforts, documenting progress, and can show you're working toward compliance, they're more likely to work with you than fine you.

But if you completely ignore the requirements? That's when the big penalties come out. Don't be that company.

Q: "We're already ISO 27001 certified. Does that count?"

A: It helps significantly. ISO 27001 overlaps with NIS2 requirements (~70-80% alignment). However, NIS2 has specific requirements:

NÚKIB incident reporting (24h/72h/30d timeline)
Sector-specific measures
Supply chain security focus

You'll need to supplement your ISO 27001 ISMS with NIS2-specific elements, but you're ahead of companies starting from scratch.

Additional Resources

Official Sources

Need Help with Compliance?

If you need assistance with gap analysis, security audits, or penetration testing, contact us and we can recommend our trusted partners who specialize in NIS2 compliance.

Conclusion

Look, NIS2 isn't going away. You can either treat it as a painful compliance checkbox, or use it as an excuse to finally fix security issues you've been ignoring.

Three things to do this week:

Figure out if you're in scope. 50+ employees? €10M+ revenue? In one of those 15 sectors? Then yes, you need to register with NÚKIB by January 2026. Don't wait for them to find you.
Get visibility. You can't secure what you can't see. Deploy security monitoring (SNYFT handles this) so you actually know what's happening in your infrastructure. This is the foundation — everything else builds on it.
Make a plan. Use the 90-day roadmap above. Month 1: understand your gaps. Month 2: deploy monitoring and quick wins. Month 3: document everything and test it.

Is it work? Yes. Is it worth it? Also yes — both for avoiding fines and actually protecting your business.

Need help with security monitoring?

SNYFT provides the centralized logging, real-time monitoring, and automated alerting required by NIS2. We cover the security monitoring component (Requirement #10) so you can focus on other compliance areas.

Try SNYFT free for 14 days →

Disclaimer: This article provides practical guidance based on official sources but is not legal advice. For legal interpretation of NIS2 requirements specific to your situation, consult a cybersecurity law firm. All information verified from official sources as of January 2026.