CRA Compliance in Czech Republic
National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Czech Republic manufacturers.
The Czech Republic's NUKIB (Národní úřad pro kybernetickou a informační bezpečnost) is one of Central Europe's most technically capable national cybersecurity agencies, serving as the designated CRA national competent authority. Czech manufacturers are heavily integrated into EU automotive and industrial supply chains — Škoda, Bosch, and numerous tier-2 suppliers have significant Czech manufacturing operations. NUKIB's CSIRT.CZ and GovCERT.CZ provide operational incident coordination for private and public sector entities respectively.
National Competent Authority (CRA)
NUKIB
Národní úřad pro kybernetickou a informační bezpečnost
NUKIB is the Czech national cybersecurity authority, established in 2017 and continuously expanded since. It is the designated CRA national competent authority and oversees both CSIRT.CZ (private sector coordination) and GovCERT.CZ (government). NUKIB actively participates in ENISA governance and EU cybersecurity policy.
https://www.nukib.cz →National CSIRT (Article 14 Reports)
CSIRT.CZ
CSIRT.CZ / GovCERT.CZ
https://www.nukib.cz/cs/csirt/kontakt/
https://www.nukib.cz/cs/csirt/ →CRA Enforcement in Czech Republic
NUKIB serves as the Czech Republic's national competent authority for the CRA, building on its established mandate under the Zákon o kybernetické bezpečnosti (Act No. 181/2014 Sb., Cybersecurity Act) as updated by NUKIB's NIS2 transposition. The Czech Trade Inspection Authority (ČOI) coordinates market surveillance for consumer products and CE marking enforcement, and will partner with NUKIB on CRA market surveillance activities. The Czech Republic has been a proactive voice in EU cybersecurity policy, and NUKIB's technical capacity — including its IACS security expertise — positions it as an engaged and technically credible CRA enforcement authority.
Article 14 Incident Reporting for Czech Manufacturers
Czech manufacturers submit Article 14 notifications to CSIRT.CZ (for private sector manufacturers) or GovCERT.CZ (for public sector supply chains) through NUKIB's incident reporting system. NUKIB maintains 24/7 incident response capability. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. Czech NIS2 transposition through the amended Zákon o kybernetické bezpečnosti created an incident reporting framework administered by NUKIB, and CRA notifications will integrate with this existing channel. CSIRT.CZ participates in the EU CSIRTs network and relays reports to ENISA.
Market Surveillance & Penalties
Market surveillance for CRA products in the Czech Republic is coordinated between NUKIB and the Czech Trade Inspection Authority (ČOI). The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. ČOI has active market surveillance operations and has conducted product safety enforcement actions across multiple EU product safety regulations. Czech manufacturers should expect NUKIB to take a technical and evidence-based approach to enforcement, consistent with its reputation as a technically sophisticated authority.
Support for Czech Manufacturers
NUKIB publishes free cybersecurity guidance in Czech, including security recommendations and implementation guides aligned with international standards. NUKIB operates NÚKIB Academy, providing cybersecurity training and awareness programmes for businesses. The Czech Agency for Standardisation (ÚNMZ) publishes national adoptions of IEC and ETSI standards relevant to CRA compliance. CzechInvest and the Czech-Moravian Confederation of Trade Unions provide SME support including subsidised cybersecurity advisory services through European Structural Funds. The Association for Information Technology Security (AFCEA Czech) engages manufacturing industry on CRA implementation.
CVD Portal automates your Article 14 notification obligations.
Pre-built notification workflows for CSIRT.CZ, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.
Start your free portalFrequently asked
How do I contact NUKIB as a manufacturer with a CRA compliance question?+
NUKIB can be contacted through nukib.cz, where separate channels exist for industry enquiries and incident reporting. CSIRT.CZ handles incident coordination at nukib.cz/cs/csirt/kontakt. NUKIB hosts annual cybersecurity conferences and conducts industry engagement through its Platforma pro koordinaci kybernetické bezpečnosti. For English-language queries, NUKIB staff provide support given their extensive international engagement.
Does the Czech Republic have national-level CRA implementing legislation?+
The Czech Republic transposed NIS2 through an amendment to the Zákon o kybernetické bezpečnosti (Cybersecurity Act) in 2024. CRA implementing measures are expected through further amendment of the Cybersecurity Act and amendments to the zákon o technických požadavcích na výrobky (Technical Requirements for Products Act). NUKIB and the Ministry of Industry and Trade are coordinating the implementation, with national measures expected ahead of December 2027.
How does the CRA interact with Czech cybersecurity law and automotive supply chain obligations?+
Czech manufacturers are heavily embedded in EU automotive supply chains subject to UNECE WP.29 cybersecurity regulations (R155) for vehicle manufacturers. NUKIB is developing guidance on how CRA Annex I requirements interact with UNECE R155 and ISO/SAE 21434 obligations for automotive component manufacturers. Manufacturers supplying both automotive OEMs and the general market should conduct a combined CRA and R155 gap analysis, as the automotive cybersecurity framework may provide a higher baseline than CRA in some areas.
CRA guides for neighbouring countries
Need a CRA compliance checklist for your product?
Browse free niche-specific checklists covering classification, Annex I obligations, and CVD requirements.