Digitalisation has transformed the railway into an interconnected ecosystem where trains, signalling equipment, control centres and operational data communicate with each other. This connectivity improves operational efficiency and safety, but at the same time opens new pathways for cyberattacks. A single compromised access point can disrupt operations, cause data leaks, or even jeopardise passenger safety. To prevent such situations at a nationwide level, the new Cybersecurity Act No. 264/2025 Coll. (nZKB), effective from 1 November 2025, introduces into Czech legislation the requirements of the European NIS2 Directive. With nZKB, cybersecurity becomes an obligation rather than a recommendation.
Výzkumný Ústav Železniční, a.s. (VUZ) supports organisations in preparing for the new requirements as a specialist partner in cybersecurity for railway systems, industrial operations and urban infrastructure. VUZ combines expertise in railway technology, IT and testing, enabling it to understand the specific demands of critical infrastructure as well as the operational realities often overlooked by standard IT consulting firms. It performs system resilience testing under international standards ISO 27000, IEC 62443 and CENELEC 50701, carries out penetration tests, assesses security architectures and issues compliance certificates. The goal is not merely to meet legislative requirements, but above all to protect operations, data and the trust of passengers and customers.
nZKB, based on NIS2, responds to the rising number of cyberattacks and extends the obligation to ensure cybersecurity across more than twenty sectors, including transport, industry, energy, healthcare and digital services. The new law will affect around nine thousand organisations in the Czech Republic, primarily medium-sized and large enterprises with more than 50 employees or a turnover exceeding 10 million euros. It applies to railway undertakings, infrastructure managers, manufacturing companies, technology suppliers and service providers. Every entity will be required to demonstrate that it actively manages risks, assesses vulnerabilities, protects information and can respond effectively to incidents.
Companies falling under the so-called higher obligation regime will have to conduct penetration tests at least once every two years and perform vulnerability scanning of their systems at least annually. The aim is to uncover weaknesses before an attacker can exploit them. Registration of regulated entities began on 1 November 2025, and organisations must report their regulated services to the NÚKIB portal by the end of the year. From the moment the registration decision is delivered, a one-year period begins during which organisations must gradually start implementing the prescribed security measures.
However, the new cybersecurity act is not only a legal obligation—it is also a test of trustworthiness. Organisations that prepare in time will gain a strong competitive advantage. They will appear more professional, pass audits more smoothly, meet client requirements, attract investors, and avoid fines and crisis situations. Those that delay preparation risk not only sanctions but also reputational damage and lost business opportunities. Cybersecurity is therefore becoming part of business strategy and a necessary element of long-term stability with a clear return on investment.
Many organisations assume that ISO/IEC 27001 certification alone is sufficient to meet the requirements. This standard provides an important foundation for information security management, but on its own it is not enough. nZKB introduces specific and binding requirements, for example on how risks and assets are to be managed, rules for password, identity and access management, incident reporting procedures, and detailed requirements for documentation and oversight. Achieving compliance therefore requires expanding the existing security management system with elements corresponding to Czech legislation and sector-specific standards. Only by integrating these elements can an organisation ensure real operational protection and readiness for both audits and practical risks.