Czechia is decisively moving towards a national security architecture in which cyber resilience and data-driven operations are strategic assets.

Last month, the Czech Republic made a substantial change to its foreign direct investment (FDI) screening regime. What was once a relatively narrow system has become one of the most assertive in Central Europe, driven by the country’s new Cybersecurity Act. For foreign investors (i.e. investors from non-EU countries or controlled by non-EU persons) targeting Czech companies, this is now becoming an important consideration when preparing transactions.

The new Cybersecurity Act introduced a new trigger for mandatory foreign direct investment (FDI) filings. Any Czech company classified by the National Cyber and Information Security Agency (NÚKIB) as a “provider of a regulated service in the higher-obligation regime” is now automatically subject to the mandatory filing requirement of the FDI Act. This is not a trivial amendment, but rather a significant expansion of the regime.

The higher-obligation regime is sector-agnostic and broadly defined. NÚKIB’s classification methodology encompasses companies in the digital, operational and infrastructure sectors.

Examples of commonly classified entities include cloud service providers (IaaS, PaaS and SaaS), data centres, colocation operators and content delivery networks in the digital infrastructure sector. Telecommunications companies, such as internet service providers, backbone network operators and 5G network providers, are also included. The regime also extends to the energy and utilities sector, covering electricity distribution operators, gas transmission operators, and district heating providers. Transport sector operators are also included, particularly railway infrastructure operators, airport IT systems providers, and digital fleet management platforms. Healthcare entities with critical medical IT systems, pharmaceutical manufacturers handling controlled production data, and large-scale diagnostic laboratories also face classification. Financial services companies, including payment and e-money institutions, trading, clearing and settlement platforms, and qualified trust service providers, are also covered. Finally, the regime also covers industrial and operational technology companies, including manufacturers with integrated industrial control systems and operators of automated production lines with cyber-physical dependencies.

The key point to remember is simple: if your Czech target uses data-driven systems, networked infrastructure, or essential services, it is likely to be within the scope of the new FDI regime.

The Czech FDI Act triggers a mandatory filing at just 10% voting rights. This means that even many minority investments require clearance and non-controlling stakes are caught. Financial investors are not exempt and multi-step structures do not help.

Mandatory filings can take 90 days for a standard review, or up to 150 days (with extensions) for complex cases. Transactions with tight financing, regulatory or commercial deadlines must take this into account from day one.

FDI screening is a substantive phase of the transaction. Incorporate it into early-stage due diligence, especially for targets involving digital technology, data processing, networks or infrastructure.

The Cybersecurity Act requires NÚKIB to maintain a registry of entities in the higher-obligation regime. Confirming the target’s status early can prevent costly delays.

For borderline cases — partially regulated, newly regulated or undergoing classification — voluntary consultation with the Ministry of Industry and Trade is often the safest approach. It is also important to consider the Critical Infrastructure Act, the scope of which has also been expanded. More energy, utility, transport and industrial operators are now designated as critical infrastructure and are therefore subject to the mandatory filing requirements of the FDI Act.