National Cyber and Information Security Agency - NÚKIB Warns Against the Transfer of the Data to and Remote Administration from People’s Republic of China

03 September 2025

The National Cyber and Information Security Agency (NÚKIB) issued a warning on September 3, 2025, regarding a cybersecurity threat consisting of the transfer of system and user data either to the People's Republic of China and its Special Administrative Regions or to entities based in these territories, and the remote administration of technical assets carried out either from the territory of the People's Republic of China and its Special Administrative Regions or by entities based in these territories (hereinafter the “PRC and its SARs”).

NÚKIB identified the security threat from the following:

The increasing share of complex technological solutions in critical sectors and services that transfer data to the PRC or are remotely managed from the PRC. The penetration of these technologies and devices into critical sectors (such as transportation, energy, healthcare, public administration etc.) is growing and will continue to grow in the future. Current critical infrastructure systems are increasingly dependent on data storage and processing in cloud storage and on network connections that enable remote operation and updates. In practice, this means that technology solution providers can significantly influence the operation of critical infrastructure and/or access important data, making trust in the reliability of the provider absolutely crucial.
The increasing number of devices connected to the internet, which also transfer data and are remotely controlled by their suppliers. Examples of risky products and services that may transfer data to the PRC or are managed from there include IP cameras, photovoltaic inverters, so-called "smart meters", medical technologies, cloud storages, highly complex personal devices (phones, watches), connected vehicles (electric cars), large language models etc.
Confirmed malicious activities by actors linked to the PRC directed against the Czech Republic, as well as the EU Member States and NATO Allies. Recent examples include a cyber campaign against the Ministry of Foreign Affairs of the Czech Republic, led by the APT31 group associated with the Chinese intelligence service Ministry of State Security since at least 2022. This campaign led the Czech government to conduct a public attribution.
The political and legal environment of the PRC, which, among other things, allows Chinese government authorities access to data stored on the territory of the PRC or significant interventions by Chinese government authorities in the operation of private companies, or provides these government authorities with tools to enforce the cooperation of private companies in the espionage activities of the PRC. The same problematic legal regulation is also applicable to the territories of PRC’s SARs, namely Hong Kong and Macau, due to their close legal and operational connection.

The warning does not represent a direct ban of use of technologies transferring data or enabling a remote administration from PRC and its SARs; entities obligated under Czech Act on Cybersecurity must take the threat into account in their risk analyses and respond to the identified risks by implementing adequate security measures.

At the same time, NÚKIB also recommends that the public carefully assess the use of the affected products and technologies, or alternatively, consider what kind of information they put into them or what activities they use them for.

The threat is rated as ‘High’, corresponding to a probability ranging from likely to very likely (3 out of 4).

You can find the full text of the warning here: https://nukib.gov.cz/download/publications_en/EN_2025-09-03_warning.pdf

News

Czech Delegation in Korea Takes Over the Baton for NATO Cyber Champions Summit 2026

The Czech Republic will host the next edition of the NATO Cyber Champions Summit in 2026. The symbolic baton was handed over this week to representatives of NÚKIB from South Korea. The Czech delegation, led by NÚKIB, actively participated in several conferences and international forums in Seoul over the past week, sharing the Czech experience in ensuring cybersecurity.

From 6–12 September 2025, South Korea became the center of international debate on cybersecurity. The Czech Republic was represented by a delegation led by the Director of the National Cyber and Information Security Agency (NÚKIB), Lukáš Kintr, who attended several prestigious events. Throughout the week, the international exercise APEX was also underway, with several specialists from the government CERT actively participating.

The first item on the program was the Cyber Summit Korea conference, where the Director of NÚKIB delivered a keynote speech titled From Legislation to Resilience: The Future of Cybersecurity in Czechia. In his address, he emphasized that the foundation of successful cybersecurity lies in trusted partnerships.

“Like most countries in the world, the Czech Republic cannot rely solely on its economic strength but must focus on the robustness of our alliances. Only through long-term, clear positions and integrity can we build the necessary trust with our partners. In today’s world, partnerships are defined not only by memoranda of cooperation or trade relations but above all by trust. And trust requires consistency and value-based anchoring,” he stated.

At the NATO Cyber Champions Summit, which serves as a bridge between the transatlantic and Asia-Pacific regions, the Czech delegation actively engaged in discussions on the most pressing cybersecurity threats. Cyber Attaché for the Indo-Pacific, Veronika Kolek Netolická, spoke on the panel Asia Pacific–Europe Cybersecurity Cooperation for National Networks and Critical Infrastructure Protection, highlighting the importance of utilizing existing international cooperation platforms. Director of NÚKIB, Lukáš Kintr, subsequently closed the event and officially invited participants to the next edition of this prestigious summit, which will be hosted by Prague in 2026. After Lithuania, Australia, and South Korea, this important platform for bringing together senior leaders in cybersecurity is returning to Europe.

The program also included the international exercise APEX (Allied Power Exercise) 2025, which involved over 200 participants from 25 countries. The Czech Republic was represented by experts from the government CERT, who formed a joint team with South Korea and Norway. Unlike traditional competitive models, APEX focused primarily on strengthening cooperation between states and sharing practical experience. The authenticity of the exercise was underscored by the inclusion of real attacks that took place in South Korea this year.

On the sidelines of the main events, the Czech delegation attended a closed roundtable for cybersecurity agencies, the Counter Ransomware Initiative, and also held several bilateral meetings. The main topics included sharing experience with legislative changes and analyzing the current cyber threat landscape.

“The active engagement of the Czech Republic in international forums is essential not only for sharing our experience but also for strengthening strategic partnerships. Cybersecurity knows no borders, and its effective assurance requires global coordination,” summarized Director of NÚKIB Lukáš Kintr, thanking his Korean counterparts and international partners for their warm welcome, open discussions, and constructive cooperation: “Such strong and trusted partnerships form the foundation of our collective resilience.”

Celá zpráva 2025-09-17