The European NIS2 Directive¹ has brought about fundamental changes in the field of cybersecurity. In the Czech Republic, these changes were transposed into national law through the Cybersecurity Act No. 264/2025 Coll., which came into effect on 1 November 2025. It has replaced the previous 2014 legislation and significantly expanded the range of organisations subject to mandatory security obligations – including stringent requirements for Identity and Access Management (IAM).
Why the Act is now a priority for your organisation
The updated rules now impact a much broader spectrum of organisations than before, including most medium and large enterprises.
Identity and Access Management is often misunderstood as a mere administrative process. In reality, user accounts and their permissions remain one of the most frequent targets for cyberattacks. Proper management is, therefore, a core pillar of cybersecurity. This is precisely why the current legislation places such a strong emphasis on this area.
Requirements of the Cybersecurity Act for IAM
The Act and its implementing decrees set out specific requirements for Identity and Access Management, dividing the obligations into two primary levels: organisational and technical.
Organisational Measures
Under the current legislation, every regulated organisation is required to establish and maintain an Identity and Access Management policy.² Key requirements include:
- Implementation of an IAM Policy: Clear, enforceable rules must be in place for granting, modifying, and revoking access rights.
- The Principle of “Least privilege”: Every user must only have the permissions strictly necessary to perform their job – nothing more.
- Regular access reviews: Organisations must actively and periodically verify that all permissions align with employees’ current roles.
- Rapid response to role changes: Any change in job position or an employee’s departure must lead to the immediate adjustment or revocation of access rights.
- Auditability of changes: Every instance of granting or revoking permissions must be meticulously documented for retrospective traceability.
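As an added illustration of how these organisational requirements fit together in practice (this is not code from the article or from Orchitech, and not the interface of any particular IDM/IGA product), the following Python script runs one periodic access review over constructed sample data: it compares every granted entitlement against a role model, flags excess rights, leavers who still hold access and accounts with no HR owner, reports accounts whose last attestation is overdue, and writes an audit line for each recommended revocation. The role model, employees, grants and review date are all constructed for the example.

```python
"""Periodic access review against a role model.

Added example for illustration; it is not Orchitech's code and not the
interface of any IDM/IGA product. It assumes a constructed role-to-
entitlement matrix, an HR feed with each employee's role and status, and
the list of entitlements actually granted, and produces review findings
together with an audit record for every revocation it recommends.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed role model: the entitlements each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "accountant": {"erp.read", "erp.post_invoice"},
    "helpdesk": {"ad.reset_password", "ticketing.agent"},
    "sysadmin": {"ad.reset_password", "ad.domain_admin", "vpn.admin"},
}


@dataclass
class Employee:
    login: str
    role: str
    active: bool          # False once HR records the departure
    last_review: date     # date the account's access was last attested


@dataclass
class Finding:
    login: str
    kind: str             # excess | leaver | orphan | overdue
    entitlement: str      # "*" when the finding concerns the whole account
    detail: str


def review_access(employees, grants, today, review_interval_days=90):
    """Return findings for grants that violate least privilege or are stale."""
    known = {e.login: e for e in employees}
    granted = {}
    for login, entitlement in grants:
        granted.setdefault(login, set()).add(entitlement)
    findings = []
    for login, ents in sorted(granted.items()):
        emp = known.get(login)
        if emp is None:
            # Account with no HR record: nobody is accountable for it.
            for ent in sorted(ents):
                findings.append(Finding(login, "orphan", ent, "no HR record; revoke"))
            continue
        if not emp.active:
            # Departed employee: every remaining grant must go immediately.
            for ent in sorted(ents):
                findings.append(Finding(login, "leaver", ent, "employee departed; revoke now"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(emp.role, set())
        for ent in sorted(ents - allowed):
            findings.append(Finding(login, "excess", ent,
                                    f"not part of role '{emp.role}'; revoke or re-approve"))
        if today - emp.last_review > timedelta(days=review_interval_days):
            findings.append(Finding(login, "overdue", "*",
                                    f"last attested {emp.last_review.isoformat()}"))
    return findings


def audit_entries(findings, today, reviewer):
    """One append-only audit line per finding, so each recommended change is traceable."""
    return [
        f"{today.isoformat()} reviewer={reviewer} login={f.login} "
        f"kind={f.kind} entitlement={f.entitlement} detail={f.detail!r}"
        for f in findings
    ]


def run_sample_review():
    """Run the review over constructed data (the review date is arbitrary)."""
    today = date(2025, 11, 1)
    employees = [
        Employee("alice", "accountant", True, today - timedelta(days=30)),
        Employee("bob", "helpdesk", True, today - timedelta(days=120)),
        Employee("carol", "sysadmin", False, today - timedelta(days=10)),
    ]
    grants = [
        ("alice", "erp.read"), ("alice", "erp.post_invoice"),
        ("alice", "ad.domain_admin"),          # never removed after a project
        ("bob", "ad.reset_password"), ("bob", "ticketing.agent"),
        ("carol", "vpn.admin"),                # carol has left the company
        ("dave", "ticketing.agent"),           # no such employee in HR
    ]
    findings = review_access(employees, grants, today)
    return findings, audit_entries(findings, today, "iam-review-bot")


if __name__ == "__main__":
    for line in run_sample_review()[1]:
        print(line)
```

In a real deployment the HR feed and the grant list would come from the IDM/IGA connector rather than literals, and the audit lines would be written to a store that the reviewer cannot edit; the review itself (role model minus actual grants, plus leaver, orphan and staleness checks) is what an automated access review in such a system computes.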

Technical Measures
Organisational rules must be backed by robust technologies.³ Main technical requirements include:
- Centralised identity management tool: The use of specialised IDM/IGA systems that enable efficient access management from a single point of control.
- Strong password policies: A strict password policy with regular rotation and high complexity is essential (unless MFA is utilised).
- Logging of all identity and access activity: Organisations must maintain detailed records of all access attempts, including failed ones, for audit purposes and incident detection.
- Multi-factor authentication (MFA) or Zero Trust: Authentication using multiple factors or continuous verification of user identity is now standard for regulated entities.
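To show what logging "all access attempts, including failed ones" buys a defender, here is an added Python example (not from the article or from any vendor) that runs two detections over constructed log lines in an assumed one-event-per-line format: a burst of failed authentications on one account, and a successful login that completed without a second factor, which is the condition the MFA requirement above is meant to rule out. The log format, thresholds and sample events are all assumptions made for the example.

```python
"""Detection logic over identity and access log lines.

Added example, not from the article or any product. It assumes a
constructed log format, one event per line:
    <ISO-8601 UTC timestamp> auth user=<login> result=OK|FAIL mfa=<method|none> src=<ip>
and raises three kinds of alert from it: a burst of failed attempts on
one account, a successful login completed without a second factor, and a
success that follows such a burst within the detection window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>OK|FAIL) "
    r"mfa=(?P<mfa>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: alice logs in with TOTP; bob fails five times and
# then succeeds without MFA; one corrupted line; carol succeeds without
# MFA; dave's two failures are an hour apart and do not form a burst.
SAMPLE_LOG = """\
2025-11-03T08:00:01Z auth user=alice result=OK mfa=totp src=10.0.0.5
2025-11-03T08:01:12Z auth user=bob result=FAIL mfa=none src=198.51.100.7
2025-11-03T08:01:20Z auth user=bob result=FAIL mfa=none src=198.51.100.7
2025-11-03T08:01:31Z auth user=bob result=FAIL mfa=none src=198.51.100.7
2025-11-03T08:01:45Z auth user=bob result=FAIL mfa=none src=198.51.100.7
2025-11-03T08:02:03Z auth user=bob result=FAIL mfa=none src=198.51.100.7
2025-11-03T08:02:30Z auth user=bob result=OK mfa=none src=198.51.100.7
%%corrupted line from a truncated write%%
2025-11-03T08:15:00Z auth user=carol result=OK mfa=none src=10.0.0.9
2025-11-03T08:30:00Z auth user=dave result=FAIL mfa=none src=10.0.0.11
2025-11-03T09:30:00Z auth user=dave result=FAIL mfa=none src=10.0.0.11
"""


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (alerts, skipped_line_count); each alert is (ts, user, kind, detail)."""
    alerts = []
    recent_fail = defaultdict(deque)   # user -> timestamps of recent failures
    burst_at = {}                      # user -> time a burst alert was raised
    skipped = 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            skipped += 1               # malformed input is counted, never silently dropped
            continue
        user, ts = ev["user"], ev["ts"]
        q = recent_fail[user]
        if ev["result"] == "FAIL":
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append((ts, user, "failed_burst",
                               f"{len(q)} failures within {window} from {ev['src']}"))
                burst_at[user] = ts
                q.clear()              # one alert per burst, not one per extra failure
        else:
            if ev["mfa"] == "none":
                alerts.append((ts, user, "success_without_mfa", f"from {ev['src']}"))
            last = burst_at.get(user)
            if last is not None and ts - last <= window:
                alerts.append((ts, user, "success_after_burst",
                               f"burst alerted at {last.isoformat()}"))
            q.clear()
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG.splitlines())
    for ts, user, kind, detail in found:
        print(f"{ts.isoformat()} {user} {kind}: {detail}")
    print(f"skipped {bad} unparseable line(s)")
```

The `success_after_burst` alert is the one worth routing to incident response rather than to a dashboard: a burst of failures alone is noise on many networks, but a success that immediately follows one, on an account that did not present a second factor, is exactly the sequence the logging requirement exists to make visible.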

How an IDM/IGA system helps meet legislative requirements
With the law now in force, complying with these rules manually is proving to be extremely complicated and costly for many. Modern IDM/IGA (Identity Governance and Administration) systems offer several critical advantages:
- Process automation: Efficient onboarding, automated access reviews, and instant account deactivation.
- Transparent audit trails: A complete, tamper-proof record of all identity-related activities.
- Unified authentication: Improved account hygiene makes it easier to maintain MFA or Zero Trust architectures.
- Centralised control: The ability to manage permissions for both internal and external users (contractors, partners) from a single interface.
Thanks to these features, an IDM/IGA system significantly simplifies the ongoing fulfilment of both technical and organisational legislative requirements.
Does the Act apply to you?
The current legislation covers a significantly wider range of entities. The main criteria remain:
- Operation in a Critical Sector: For example, public administration, energy, healthcare, ICT, finance, transport, food and chemical industries, manufacturing, water and waste management, and others.
- Organisation size: Primarily medium and large enterprises (50+ employees or an annual turnover/balance sheet total exceeding EUR 10 million).
A major shift under this Act is that organisations are now responsible for actively identifying their own regulated services and registering them with the National Cyber and Information Security Agency (NÚKIB).
Note: The Act also applies to smaller entities if they provide services vital to key social or economic activities or national security.
If you are still unsure whether your service is regulated, we recommend verifying your status immediately on the NÚKIB portal.
What are the risks of non-compliance?
Failure to meet legal obligations is a serious matter – fines can reach up to CZK 250 million or 2% of the organisation’s total global turnover. Furthermore, the Act has introduced the personal liability of members of statutory bodies for security incidents and failures to implement adequate measures.
Implementation: The clock is ticking
Although the Act became effective last November, organisations have a transition period to fully implement specific security measures (typically one year from their registration as a regulated service provider). However, given the complexity of the requirements and their impact on corporate processes, it is essential to have a clear roadmap for IAM implementation now.
Why prioritise IAM today?
The benefits of a high-quality IDM/IGA solution go far beyond mere legal compliance. By automating routine tasks, setting clear rules, and centralising identity management, you will significantly increase both the security and efficiency of your organisation. Instead of an administrative burden, your IT specialists can focus on strategic development, while employees benefit from faster, more reliable access to the tools they need.
We are ready to help
At Orchitech, we help companies implement IAM solutions that not only satisfy the current legislative requirements but also simplify identity management and strengthen overall cybersecurity.
Do you need to bring your IAM into full compliance with the new legislation or elevate identity management in your organisation?
Get in touch with us. Together, we will find a solution that increases security, simplifies your workflow, and ensures your organisation meets all the standards of the Cybersecurity Act.
Want to learn more about IAM? We recommend our article:
From Account Management to Identity Governance
Discover how IDM/IGA elevates user account management to a strategic level, effectively addressing both security and legislative requirements.
If you have any questions, we would be happy to discuss them with you in person. Contact us today.
Disclaimer: This article is for informational purposes only and does not constitute legal advice or a binding interpretation of current legislation. The Cybersecurity Act (ZoKB) is in effect as of 1 November 2025. Organisations are advised to monitor the final versions of all implementing decrees and consult with experts when assessing specific risks and compliance status.
Sources:
- Cybersecurity Act No. 264/2025 Coll.
- Decree on Regulated Services 408/2025 Coll.
- Decree on Security Measures for Regulated Service Providers (Lower Obligation Regime) 410/2025 Coll.
- Decree on Security Measures for Regulated Service Providers (Higher Obligation Regime) 409/2025 Coll.
¹ EU 2022/2555
² Particularly Section 14 of the Decree on Security Measures.
³ Particularly Sections 20, 21, and 23 of the Decree on Security Measures.
