National Cyber and Information Security Agency

Czech Government Approves New National Cyber Security Strategy

On Wednesday, 3 September 2025, the Czech Government approved the new National Cyber Security Strategy (NCSS), effective from 2026, which sets out the state’s long-term priorities and objectives in this area. The new strategy, replacing the previous document in force since 2021, responds to the deteriorating global security situation and the technological changes of recent years, while emphasising the need for more intensive cooperation at both the national and international levels.

The National Cyber and Information Security Agency (NÚKIB) is the lead authority responsible for the document. That said, the NCSS was developed with contributions from dozens of organisations from both the public and private sectors, including via public consultations. The strategy will be implemented through an action plan that is currently being prepared. This plan will assign specific tasks to the responsible institutions to be carried out in order to fulfil the individual strategic objectives. The implementation of these tasks will be evaluated annually and submitted to the Czech Government.

Drawing on an analysis of current threats and opportunities, the NCSS sets out three main strategic areas:

Secure strategic infrastructure – strengthening the resilience of strategic infrastructure and enhancing the state’s ability to detect and counter cyber threats. Whole-of-society preparedness and development – developing citizens’ digital competences, increasing the number and motivation of cyber security professionals, and supporting innovation. International cooperation and pursuit of interests – an active role for Czechia within the EU, NATO and other international organisations, both in its own defence and in protecting an open and free digital space.

According to the strategy, in the coming years, Czechia will need to make greater use of new technologies to secure organisations, prepare for potential transitions to crisis states, and improve the working conditions of cyber security experts in public administration. Czechia should also develop secure alternatives to risky technologies, build new platforms for information sharing, and pursue an internationally coordinated approach to deterring malicious state actors.

“The new strategy confirms that Czechia is among the states capable of responding to today’s challenging security environment while also seizing the opportunities brought by new technologies and widespread digitalisation. We cannot afford to wait passively for what may come. We must detect threats and vulnerabilities in advance and prevent them – this applies both to securing information systems and to confronting malicious state actors such as Russia and China,” said Lukáš Kintr, Director of NÚKIB.

“Together with the institutions responsible for cyber defence, diplomacy and the fight against cybercrime, all addressed together in the strategy, we have a shared perspective of today’s most significant threats. We also agree on where Czechia’s vulnerabilities lie and on what must be done to succeed in the coming years. Our common goal is to provide citizens with a secure cyberspace. The path to this goal leads through investment in the workforce, secure technologies, and mutual trust and cooperation across sectors. Cyber security is an investment in the future and in the competitiveness of our country. The new strategy sets out how to ensure a safer and more prosperous cyberspace for everyone,” added Director Kintr.

The translation of the document into English is in progress.

2025-09-08

NÚKIB, in cooperation with U.S. agencies CISA and NSA, joins the international document A Shared Vision of Software Bill of Materials for Cybersecurity

On September 3, 2025, the National Cyber and Information Security Agency of the Czech Republic (NÚKIB) joined the document ‘A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity’, issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) together with the National Security Agency (NSA) and additional international partners. The document was developed within the Global SBOM Forum, which aims to promote the broader use of this tool in practice, and of which NÚKIB has been an active member on behalf of the Czech Republic since early 2025.

An SBOM (Software Bill of Materials) can be understood as a ‘list of ingredients’ of software – a machine-readable record of all components and libraries used in its development. At a time when modern software increasingly relies on external and open-source components, SBOM represents a fundamental step toward greater supply chain transparency and, consequently, better protection against cyber threats. If a vulnerability is discovered in a particular component, SBOM makes it possible to quickly determine where exactly it is located and to take targeted measures. The result is faster updates, more stable digital services that citizens and institutions rely on daily, and more efficient spending on software maintenance and auditing. For the protection of critical infrastructure and services with a direct impact on public safety, this transparency is of crucial importance.

The published document emphasizes that the widespread adoption of SBOM is an essential step toward creating software in line with the secure-by-design principle – ensuring that security is integrated from the very beginning. It also calls for the alignment of technical standards across countries and sectors so that SBOM can function consistently and remain interoperable and be implemented on a large scale. A common framework will help reduce complexity, increase efficiency, and, above all, strengthen trust in the digital environment.

‘Today’s software is becoming increasingly complex and often consists of hundreds of components originating from various sources and libraries. SBOM brings essential transparency into this complex environment and clearly shows what the software is made of. I regard SBOM as a key step toward creating truly secure and resilient software – already from its design. At the same time, this approach contributes to building an environment in which citizens and institutions can rely with greater confidence on the technologies that power modern software,’ said Lukáš Kintr, Director of NÚKIB.

2025-09-03

NÚKIB Warns Against the Transfer of the Data to and Remote Administration from People’s Republic of China

The National Cyber and Information Security Agency (NÚKIB) issued a warning on September 3, 2025, regarding a cybersecurity threat consisting of the transfer of system and user data either to the People's Republic of China and its Special Administrative Regions or to entities based in these territories, and the remote administration of technical assets carried out either from the territory of the People's Republic of China and its Special Administrative Regions or by entities based in these territories (hereinafter the “PRC and its SARs”).

NÚKIB identified the security threat from the following:

The increasing share of complex technological solutions in critical sectors and services that transfer data to the PRC or are remotely managed from the PRC. The penetration of these technologies and devices into critical sectors (such as transportation, energy, healthcare, public administration etc.) is growing and will continue to grow in the future. Current critical infrastructure systems are increasingly dependent on data storage and processing in cloud storage and on network connections that enable remote operation and updates. In practice, this means that technology solution providers can significantly influence the operation of critical infrastructure and/or access important data, making trust in the reliability of the provider absolutely crucial. The increasing number of devices connected to the internet, which also transfer data and are remotely controlled by their suppliers. Examples of risky products and services that may transfer data to the PRC or are managed from there include IP cameras, photovoltaic inverters, so-called "smart meters", medical technologies, cloud storages, highly complex personal devices (phones, watches), connected vehicles (electric cars), large language models etc. Confirmed malicious activities by actors linked to the PRC directed against the Czech Republic, as well as the EU Member States and NATO Allies. Recent examples include a cyber campaign against the Ministry of Foreign Affairs of the Czech Republic, led by the APT31 group associated with the Chinese intelligence service Ministry of State Security since at least 2022. This campaign led the Czech government to conduct a public attribution. The political and legal environment of the PRC, which, among other things, allows Chinese government authorities access to data stored on the territory of the PRC or significant interventions by Chinese government authorities in the operation of private companies, or provides these government authorities with tools to enforce the cooperation of private companies in the espionage activities of the PRC. The same problematic legal regulation is also applicable to the territories of PRC’s SARs, namely Hong Kong and Macau, due to their close legal and operational connection.

The warning does not represent a direct ban of use of technologies transferring data or enabling a remote administration from PRC and its SARs; entities obligated under Czech Act on Cybersecurity must take the threat into account in their risk analyses and respond to the identified risks by implementing adequate security measures.

At the same time, NÚKIB also recommends that the public carefully assess the use of the affected products and technologies, or alternatively, consider what kind of information they put into them or what activities they use them for.

The threat is rated as ‘High’, corresponding to a probability ranging from likely to very likely (3 out of 4).

You can find the full text of the warning here: https://nukib.gov.cz/download/publications_en/EN_2025-09-03_warning.pdf

2025-09-03

NÚKIB, NSA, and Other U.S. Agencies Warn of Chinese Actor Salt Typhoon Compromising Networks Worldwide

The National Cyber and Information Security Agency (NÚKIB) has joined the Joint Cyber Security Advisory issued by U.S. government security agencies and other international partners. The advisory highlights cyber actors sponsored by the People’s Republic of China (PRC) who compromise networks across the globe to establish long-term access and conduct espionage operations.

These activities partially overlap with the threat group most commonly tracked as Salt Typhoon. Incidents have been observed in the United States, Australia, Canada, New Zealand, the United Kingdom, Finland, and Poland. The Advanced Persistent Threat (APT) actors have been conducting malicious operations on a global scale since at least 2021. These operations have been linked to several PRC-based entities providing cybersecurity products and services to Chinese intelligence services (see full advisory for details). Data stolen through these operations can assist PRC intelligence in identifying and monitoring the communications and movements of their targets worldwide.

According to the findings, primary targets include telecommunications networks, transportation infrastructure, hospitality providers, and military systems. The actors focus on large backbone routers of major telecommunications service providers as well as provider edge (PE) and customer edge (CE) routers, leveraging compromised devices or trusted connections to gain further access into targeted networks. Frequently, the attackers modify routers to ensure persistent access.

The authors of the advisory urge network operators and security teams to actively hunt for malicious activity as described in the document and to implement the recommended mitigations.

The full text of the advisory is available here.

2025-08-27