
Changes in EU cybersecurity law are transforming the Czech FDI landscape

The new Czech Cybersecurity Act opens the door to broader FDI screening

The NIS2 Directive and Czech implementing legislation set a higher bar for cybersecurity in the Czech Republic and across the EU

Cybersecurity – alongside critical infrastructure and the defence sector – is among the major areas triggering FDI screening obligations. The European Union’s NIS2 Directive aims to strengthen cybersecurity standards across Member States. The Czech Republic’s implementation of the NIS2 Directive through a large package of amendments will require compliance from a much broader range of companies, especially those involved in critical infrastructure, digital services and key supply-chain sectors. Previously, only a few hundred entities were subject to cybersecurity regulation. The new cybersecurity rules are expected to increase this number to at least 6-15,000 companies in the Czech Republic alone.

What are the key changes to FDI screening obligations?

The cybersecurity implementation package introduces small, but significant changes to the FDI screening landscape.

Under the previous legal framework, entities potentially subject to FDI screening based on cybersecurity concerns numbered in the lower hundreds. These included administrators of information systems of essential services and operators of essential services.

The updated FDI screening framework will take effect on 1 November 2025. Screening obligations will now apply to all providers of regulated services that fall within the “higher-tier regime” under the Czech Cybersecurity Act. However, assessing whether a provider falls within this higher-tier regime is not always straightforward.

This uncertainty – and the fact that the reach of the FDI screening obligation now depends directly on the number of regulated entities – stems from two fundamental changes to the criteria used to determine the applicable cybersecurity regime:

  1. The previous cybersecurity regime focused mainly on traditional critical infrastructure such as energy and transport. The new rules extend regulatory coverage to more than 105 services across industries such as manufacturing, food production and digital services (18 to 22 sectors in total).
  2. The EU concept of “undertaking” is now applied to assess whether a company meets the threshold that triggers cybersecurity obligations.[1] An undertaking is not limited to a single legal entity but covers entire corporate groups, holding structures and all economically linked companies, regardless of their legal form. Accordingly, all size and other scope thresholds are measured on a consolidated basis rather than entity by entity. To determine whether the Czech part of an undertaking (regardless of its legal form) is subject to cybersecurity regulation, it will be necessary to apply the thresholds and criteria to the undertaking as a whole, including all of its individually connected components.

How many companies will be subject to FDI screening obligations?

The full impact of the updated FDI screening framework is yet to be tested in practice. However, given the selected criteria and the expansion of cybersecurity regulation to additional sectors, the affected pool of providers may be sizable, potentially amounting to thousands rather than hundreds of companies. In addition, uncertainty about the full scope of affected providers is mainly caused by the following:

  1. The scope of “regulated services” has been extended beyond specific IT systems to cover entire services.
  2. A company’s size will now be calculated at group level, taking into account its foreign subsidiaries and affiliates (EU concept of “undertaking”), so even small entities may now be classified as medium or large.
  3. Sector-specific thresholds and technical criteria will also be taken into account (e.g. energy producers assessed on their installed capacity – solar panels, intragroup electricity provision, etc.), adding a further layer of complexity as to which regime will apply.
  4. If an undertaking provides even one service that meets the higher-tier regulatory requirements, all of its regulated services will be subject to those stricter requirements (the “highest regime wins” rule).
  5. The Czech cybersecurity agency (NÚKIB) can designate additional companies as regulated entities, including providers of strategically important services and key suppliers, regardless of their size.

Sanctions for non-compliance with FDI screening obligations include a bar on completing or continuing a transaction. An investor may also be required to cease exercising its voting rights or to divest relevant assets. Financial penalties may also be imposed, with fines of up to EUR 3.7 million or 2% of the offender’s total annual turnover for the preceding financial year.

If you are carrying out or contemplating an investment in the Czech Republic, we recommend assessing whether your transaction could be affected by this regulatory change and whether your target company would be subject to FDI screening after 1 November 2025.


[1] Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (Text with EEA relevance) (notified under document number C(2003) 1422)