NIS2 Compliance: What Every Business Leader Should Know

Cybersecurity is no longer just an IT issue. The new Cybersecurity Act places responsibility directly on company leadership. If you have been counting on your IT department to handle the new obligations, it is time to reconsider, because that approach will no longer be enough.

Leadership holds the responsibility

The Cybersecurity Act (ZoKB) sets out specific obligations for companies providing so-called regulated services. What is crucial for management, however, is that this responsibility does not apply only to specific technical measures. The law requires a comprehensive approach to organizational and procedural changes across the entire company, and the statutory body is responsible for ensuring this happens.

This responsibility also has a criminal dimension. According to Section 8, Paragraph 1 of Act No. 418/2011 Coll., on the Criminal Liability of Legal Entities, a company may be prosecuted if its leadership fails to take sufficient action to meet its legal obligations.

In addition, the amendment to the Criminal Code (Act No. 270/2025 Coll.) allows for personal liability of management members who, through negligence or inaction, enable their organization to breach regulations designed to protect information and operational security.

Ignoring the new legislation or treating it as merely an IT department issue rather than a company-wide responsibility can now expose leadership to serious legal and financial risks.

What exactly must company leadership ensure?

From a legal standpoint, the statutory body of a company is obliged to:

  • implement security measures that correspond to the scope of its activities and the level of risk,

  • supervise the effectiveness of these measures, including planning, execution, monitoring, and corrective actions,

  • designate responsible persons, such as a Chief Information Security Officer (CISO),

  • and secure adequate financial, human, and technical resources.

How can this be implemented in practice?

The way an organization approaches these requirements depends on its size, internal structure, and available resources. In most cases, it will involve a combination of the following four approaches.

1. Hire a Cybersecurity Specialist

Larger organizations typically choose to employ an internal Chief Information Security Officer (CISO). This person has an overview of the company’s infrastructure, sets up security processes, ensures the implementation of protective measures, and manages communication with the National Cyber and Information Security Agency (NÚKIB).

The main advantage of this approach is direct control and continuous oversight. However, it also comes with high costs and a shortage of qualified professionals. According to experts, the Czech Republic currently lacks hundreds of cybersecurity specialists.

2. Train Existing Employees

Smaller companies often rely on current employees who already understand the organization’s operations and internal processes. The role of a security manager can temporarily be assigned to an IT manager, compliance officer, or operations lead. The key, however, is to ensure that these employees receive adequate training and methodological guidance.

Whirr Crew offers training programs for company leadership and responsible personnel, focusing on the obligations under the Cybersecurity Act (ZoKB), principles of risk management, and proper preparation of documentation and audit evidence.

When assigning cybersecurity responsibilities to existing employees, it is important to carefully assess their capacity to ensure that cybersecurity management does not come at the expense of their core business duties.

3. Use Outsourcing

An external cybersecurity manager (CISO) is an ideal solution for organizations that do not have their own in-house specialist. This approach typically involves either long-term cooperation or a several-month engagement aimed at establishing new processes, control mechanisms, and reporting structures. It can also include training and mentoring of an internal team that will later take over the management of cybersecurity independently.

Outsourcing offers flexibility, expert guidance, and cost efficiency. It allows companies to meet regulatory requirements and maintain a high level of cybersecurity governance without the need to build a dedicated in-house department.

4. Cooperation with Large Consulting Firms

For larger organizations, collaboration with international consulting companies is often the preferred solution, as these firms can cover not only the technical but also the legal, procedural, and audit aspects of compliance.

The main advantage of this approach is a comprehensive and structured implementation that aligns legal, organizational, and technical requirements. However, the downside is a higher cost and slower execution, which can delay the company’s readiness for NIS2 compliance. Such projects typically make sense for enterprises with multiple branches, complex infrastructures, or those that already operate under international standards such as ISO 27001 or DORA.

NIS2 Is Not Just About Technology

Although the NIS2 requirements may appear primarily technical, their successful implementation depends on organization and governance. Management must ensure that cybersecurity becomes an integral part of the company’s long-term strategy, on the same level as finance or compliance.

If your implementation process lacks structure and you want to manage cybersecurity more efficiently, try AuditMaster.ai - an intelligent platform designed to simplify NIS2 compliance and documentation management. A free trial is available.

Summary

Company leadership holds the ultimate responsibility for ensuring that the organization meets all legal obligations related to cybersecurity. Neglecting these steps can lead to both legal and financial consequences, including the personal liability of management members.

Establishing clear processes, defining responsibilities, and leveraging expert tools and partnerships are essential steps toward achieving lasting compliance and operational resilience.