Implementing Cybersecurity Act Requirements in Practice: Why Projects Stall and How to Move Them Forward
The new Cybersecurity Act introduces obligations that affect processes across the entire organisation. Surprisingly, most companies do not struggle with the technical requirements. The real friction emerges in project management, understanding the implementation steps and connecting all areas into one functional security system. Whether an organisation is implementing measures under the Czech Cybersecurity Act or preparing for ISO 27001 certification, the challenges are often strikingly similar.
This article looks at the most common obstacles that slow progress and explains how to build an implementation plan that resolves them early so they do not delay later phases.
1. Projects stall when roles and scope are not clearly defined
Implementing measures under the Cybersecurity Act is a complex, organisation-wide effort that touches IT, management, HR, operations and legal. This means that dozens of people must collaborate actively and consistently. Clear responsibility mapping and well-defined collaboration rules across departments are essential foundations.
If the organisation does not begin with a precise definition of regulated services and the responsibilities of each role, confusion arises quickly. Teams do not know who owns which task or who is authorised to make decisions, leading to fragmented progress.
Without structure, tasks remain unassigned, dependent activities get blocked and the implementation team gradually shifts its attention to other priorities. This is why we always create a clear implementation plan for our clients before any work begins.
2. Companies know what needs to be implemented but not how to do it
Both the Cybersecurity Act and standards such as ISO 27001 define what organisations must achieve. What they rarely define is how to get there.
To avoid delays, every organisation needs to establish the methods it will use. Tasks should not be phrased in vague or generic terms but written in a way that specifies the method, expected output and where that output should be handed off — whether to another team, a GRC platform or a documentation repository.
This approach not only accelerates implementation but also simplifies the creation and maintenance of security documentation.
Completed theoretical cybersecurity training but unsure how to start implementing it?
A solid theoretical foundation is valuable. The real challenge is turning it into a practical, organisation-wide plan. That’s exactly where we can support you. In our hands-on training, we guide you through creating a realistic implementation plan tailored to your environment. No legal lectures. Instead, you’ll learn practical methods such as impact assessment, asset management and other key areas that form the backbone of effective implementation.
3. The biggest barriers arise when working with assets, risks and suppliers
The core of Cybersecurity Act compliance is built on three pillars: identifying and managing assets, assessing risks and overseeing critical suppliers. This is where projects most often stall, because these tasks require a deep understanding of the organisation combined with the ability to structure processes correctly.
A common issue in practice is that organisations start drafting documentation before they have clarified their processes, mapped all assets or evaluated the potential impact of disruptions. Constantly revising documents and adjusting processes can add months to the project timeline. The situation is often worsened by trying to manage implementation through static tools such as spreadsheets and long text documents, which are difficult to maintain and do not scale well.
Modern technology offers a more effective approach. A GRC platform provides a dynamic environment where multiple people can collaborate, keep information up to date and maintain everything in one place. A good example is AuditMaster.ai, built specifically to support the requirements of ISO 27001 and Czech legislation.
How to maintain security smoothly after the initial implementation
Implementing security measures under the Cybersecurity Act is not a one-time task. While the initial rollout is more resource-intensive, the work does not end after a few months.

To maintain long-term compliance, organisations must continuously assess new risks, monitor their suppliers and strengthen the technical security of their internal systems. This requires clearly assigned owners for regular reviews and updates, along with ongoing training for the employees responsible for maintaining compliance.
Implementing Cybersecurity Act requirements demands a clear methodology, processes and structure
Cybersecurity projects are inherently complex. They tend to stall when methodological guidance is missing, when processes are not clearly defined or when no one is formally responsible for key steps. Organisations that invest time in proper preparation and planning avoid many of the issues that typically cause delays during the implementation of security measures.
Whirr Crew supports companies in meeting the requirements of the Czech Cybersecurity Act through expert consulting, practical training and the AuditMaster.ai platform. If you need to move your project forward or provide your team with methodological support, we are ready to guide you toward an approach that works.