7. Methods of ensuring compliance
Oversight and auditing of regulated organisations is another process where the differentiation of regulated service providers according to obligation regimes is important.

Proposal of National Regulation

From the perspective of national legislation, the way compliance is monitored differs between regulated service providers under the higher obligation regime and those under the lower obligation regime, although the supervisory and enforcement powers of the NUKIB are essentially the same for both groups of regulated entities. For regulated service providers under the higher obligation regime, there is no fundamental change compared to the current regulation, and audits will continue to be carried out by NUKIB staff.

The originally presented proposal envisaged delegating the audit of providers under the lower obligation regime to so-called inspectors, who would have to meet the statutory conditions, pass an exam and receive the appropriate authorisation from the NUKIB. This option was abandoned following public consultation on the original proposal and after an assessment of all impacts and capacity needs. The specific form of the audits of providers under the lower obligation regime has yet to be specified. One of the options under consideration is a periodic self-assessment with the possibility of a standard follow-up inspection by the NUKIB. In any case, the inspections will be carried out in a form that allows the NUKIB to function effectively while not unduly burdening the regulated organisations.

In response to any deficiencies identified during an audit, the NUKIB is entitled to impose corrective measures on the audited organisation to eliminate those deficiencies, similarly to § 24 of the current Act on Cyber Security. In specified cases, the NUKIB may issue an alert informing the public of breaches of certain statutory obligations, or order the relevant entity to do so itself.

The new Act on Cyber Security also deals in more detail with mutual cooperation between Member States, e.g. in carrying out inspections of entities that provide their services in the Czech Republic or have the infrastructure to provide these services there, but fall under the jurisdiction of the competent authorities of another Member State where they have their main establishment.

In order to ensure that the requirements of the NIS2 Directive can be effectively enforced once its content has been transposed into Czech law, the Directive introduces a set of supervisory and enforcement measures. These can be used in the event of a breach of statutory obligations or to prevent potential breaches. They are discussed in more detail in the following topic.
