On 10 July 2025 the National Cyber and Information Security Agency (NÚKIB) issued a WARNING regarding a cybersecurity threat associated with the use of products, applications, solutions, websites, and web services, including application programming interfaces (so-called APIs), provided by the company DeepSeek or any of its predecessors, successors, parent, subsidiary, or affiliated companies (hereinafter collectively referred to as ‘affected products’) on devices that access the information and communication systems of critical information infrastructure, information systems of essential services and important information systems. The Warning takes effect for obligated entities under the Act on Cyber Security from the moment it is published on NÚKIB’s official notice board.
Based on the issued Warning, entities obligated under the Act on Cyber Security must take the threat into account in their risk analyses and respond to the identified risks by implementing adequate security measures. The threat is rated as ‘High’, corresponding to a probability ranging from likely to very likely.
At the same time, we also recommend that the public carefully assess the use of the affected products, or alternatively, consider what kind of information they put into them. For so-called persons of interest, i.e. individuals in high political, public, or decision-making positions, we recommend refraining from using the affected products altogether. The issued Warning and the above-mentioned recommendations are in accordance with the Act on Cyber Security, which tasks NÚKIB, among other responsibilities, with ensuring cybersecurity prevention.
The primary security concerns stem from insufficient protection of data transmission and handling, from the collection of data types which, in greater volume, may lead to user de-anonymization, and lastly, from the legal and political environment of the People’s Republic of China to which the company DeepSeek is fully subject.
This Warning does not apply to security testing, research, or analysis of the affected products, nor to open-source large language models developed by the company DeepSeek, whose source code is publicly accessible and which are deployed locally, without any capability to communicate with servers used by the company DeepSeek or its related entities (i.e. predecessors, successors, parent, subsidiary, or affiliated companies).
‘In the analysis that led to this Warning, we relied on a combination of our own findings and information from our international partners. The affected products of the company X handle data in a way that may pose a security risk for entities falling under the Act on Cyber Security. In the context of the legal environment of the People’s Republic of China – which allows state authorities access to such data – these concerns are entirely justified. This is further confirmed by the recent public attribution of a cyberattack by the APT31 group, linked to China, against the Czech Ministry of Foreign Affairs. It shows that Beijing is prepared to act in direct contradiction to the interests of the Czech Republic,’ said NÚKIB Director Lukáš Kintr.
You can find the full text of the warning here.
Simultaneously with this Warning, the Government of the Czech Republic approved a resolution on 9 July 2025 concerning the affected products of the company DeepSeek, which will soon be available here. By this resolution, government members, ministries, and other central administrative authorities are instructed to ensure that their subordinate ministries and other administrative bodies do not use, in the execution of their duties, products, applications, solutions, websites, and web services (including APIs) provided by the company DeepSeek or any of its predecessors, successors, parent, subsidiary, or affiliated companies.
The ban applies to use of the aforementioned on any state-owned devices. According to Article IV, paragraph 4 of the Government’s Rules of Procedure, the obligation imposed by the resolution must be fulfilled within 30 days.
As with the NÚKIB Warning, this resolution does not apply to open-source large language models (LLMs) developed by the company DeepSeek, provided their full source code is publicly available for review and analysis and they are deployed locally without any capability to communicate with servers used by the company DeepSeek or its related entities.
2025-07-10