Why did a technology company fall under NIS2 and what does it mean?
Act No. 264/2025 Coll. distinguishes two regimes for obligated entities: basic obligations for so-called basic entities and lower obligations for important entities. The New Telekom customer — a medium-sized technology company with approximately 80 employees and an annual turnover below the large enterprise threshold — was identified as a medium-sized enterprise under the lower obligations regime according to Decree No. 410/2025 Coll. The inclusion within the scope of NIS2 resulted from two concurrent facts: the company supplies software for controlling production lines to customers in sectors considered critical infrastructure, and it simultaneously operates its own cloud environment (Microsoft Azure) and a data center (CIR — ICT Solutions Center), which the NÚKIB classification assessed as an element of digital infrastructure. In practice this meant fulfilling the specific obligations arising from Decree No. 410/2025 Coll.: establishing an information security management system (ISMS), performing a risk analysis, implementing technical measures for detecting and managing cyber incidents, setting up processes for reporting incidents to NÚKIB, and maintaining up-to-date security architecture documentation. The deadline for fulfilling these obligations was 18 months from notification by NÚKIB, and the customer approached New Telekom when 6 of those months had already passed.
How did New Telekom structure the NIS2 consulting project?
Phase 1 — Initial compliance assessment (gap analysis)
The first step was conducting a gap analysis — a systematic comparison of the customer's current state with the requirements of Act No. 264/2025 Coll. and Decree No. 410/2025 Coll. The New Telekom team examined four areas:
Network architecture and segmentation: The customer operated a flat network topology without separation of the development environment, production environment, and customer access to the support portal. All environments shared a single VLAN and accessed the internet through a single point without NGFW inspection. Risk: compromise of one environment enables lateral movement by an attacker to all others.
Identity and access rights: The company had not implemented multifactor authentication (MFA) for remote access by developers to the production environment. Access rights were not regularly reviewed — some employees who had left the company in the previous two years still had active accounts in internal systems.
Detection and monitoring: There was no centralized log management nor SIEM system. Network devices generated logs locally without export or central analysis. Detection of anomalous behavior or intrusion depended solely on manual checks, performed irregularly.
Documentation and processes: The company had not prepared a risk analysis, an incident response plan (IRP), nor security architecture documentation in the format required by NÚKIB. Internal security policies existed in the form of email correspondence and unshared Word documents.
Gap analysis results: 23 identified gaps in compliance with NIS2 requirements — of which 4 were critical (requiring immediate resolution), 11 severe, and 8 less severe. The output was a formal document — the NIS2 Compliance Consulting Report issued by New Telekom s.r.o. in a format corresponding to the documentation requirements of Decree No. 410/2025 Coll.
Phase 2 — Implementation of technical measures
Based on the gap analysis results, the New Telekom team implemented technical measures in priority order according to the severity of the identified gaps.
Network segmentation and NGFW: The flat topology was replaced by a three-zone architecture with separate environments for development, production, and customer access. A Fortinet FortiGate 200F was deployed at the network perimeter — an NGFW firewall with IPS (Intrusion Prevention System), SSL/TLS inspection, application control, and antivirus engine. Strict policies were set between zones — no implicit communication between development and production environments without an explicit rule.
Multifactor authentication and identity management: Microsoft Entra ID (formerly Azure AD) was implemented with mandatory MFA for all remote access — developers, support, management. A complete review of access accounts was performed: 34 inactive accounts were disabled, and the remaining employees' access rights were reviewed according to the least privilege principle.
Centralized log management and SIEM: Microsoft Sentinel was deployed as a cloud SIEM with log export from all network elements (Fortinet FortiGate, Juniper switches), servers, and the Azure cloud environment. Basic detection rules were defined to identify anomalous behavior — repeated failed logins, access from unexpected geographic locations, unusual volumes of transferred data.
Backup connectivity and resilience: As part of the NIS2 requirements for operational continuity, a backup connection was implemented — an LTE-A Pro backup link via New Telekom eSIM with automatic failover in the event of a primary fiber connection outage. The customer now meets the requirement for measures ensuring the availability of key ICT services even during primary connection outages.
Phase 3 — Documentation and preparation for NÚKIB inspection
Technical implementation without corresponding documentation does not meet NIS2 requirements — NÚKIB, upon inspection, requires demonstrating not only the existence of technical measures but also their intentionality, documentation, and regular review. New Telekom prepared a complete documentation package for the customer:
- Risk analysis according to a methodology compliant with ČSN ISO/IEC 27005 — identification of assets, threats, vulnerabilities, and residual risks after measure implementation
- Security policy and a set of related directives (access rights, password management, remote work, incident management)
- Cyber Incident Response Plan (IRP) with defined roles, escalation procedures, and a contact matrix for reporting incidents to NÚKIB according to Section 16 of Act No. 264/2025 Coll.
- Network architecture documentation — topological diagrams in an audit-suitable format, including descriptions of security zones and firewall rules
- Records of access rights review and deactivation of inactive accounts
- NIS2 Compliance Consulting Report — a summary document presenting the assessment results, implemented measures, and remaining risks; issued by New Telekom s.r.o. on April 25, 2026
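The three Sentinel detection rules listed under Phase 2 (repeated failed logins, sign-ins from unexpected locations, unusual data volumes), shown here as an added example that is not code from the project or from Microsoft Sentinel: a Python sketch of the same logic run over constructed sample records. Field names, thresholds and the set of expected countries are assumptions; in Sentinel the equivalent rules would be written as KQL analytics.

```python
"""Toy implementations of three SIEM detection rules over constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sign-in events; field names loosely mimic Entra ID sign-in logs (assumption).
SIGNINS = [{"user": "dev1", "result": "failure", "country": "CZ", "ts": f"2026-03-02T08:0{i}:00"}
           for i in range(5)] + [
    {"user": "dev1", "result": "success", "country": "CZ", "ts": "2026-03-02T08:05:00"},
    {"user": "ops2", "result": "failure", "country": "CZ", "ts": "2026-03-02T09:00:00"},
    {"user": "ops2", "result": "failure", "country": "CZ", "ts": "2026-03-02T11:00:00"},
    {"user": "ops2", "result": "success", "country": "BR", "ts": "2026-03-02T11:30:00"},
]
# Constructed daily egress per host in MB, oldest first; the last value is "today".
EGRESS_MB = {"build-srv": [120, 130, 110, 125, 140, 118, 900],
             "web-portal": [300, 310, 290, 305, 295, 320, 315]}

EXPECTED_COUNTRIES = {"CZ", "SK"}  # assumption: where staff normally sign in from

def repeated_failed_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed sign-ins inside any sliding time window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            fails[e["user"]].append(datetime.fromisoformat(e["ts"]))
    hits = set()
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                hits.add(user)
                break
    return hits

def unexpected_geo_access(events, expected=EXPECTED_COUNTRIES):
    """(user, country) pairs for successful sign-ins from outside the expected countries."""
    return {(e["user"], e["country"]) for e in events
            if e["result"] == "success" and e["country"] not in expected}

def unusual_egress(daily_mb, factor=3.0):
    """Hosts whose latest daily egress exceeds `factor` times the median of earlier days."""
    return {host for host, series in daily_mb.items()
            if len(series) > 1 and series[-1] > factor * median(series[:-1])}
```

A single-day series yields no baseline, so `unusual_egress` deliberately never flags such a host rather than dividing by an empty history.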
What was the result — what does the company comply with and what remains?
After completing the three phases of the consulting project, the customer is compliant with 22 of the 23 identified gaps. The only remaining item — implementing regular penetration testing of the production environment — is planned as a recurring activity with the first execution in June 2026. From the perspective of Decree No. 410/2025 Coll. and the requirements for entities under the lower obligations regime, the customer now meets:
- An implemented and documented ISMS with a performed risk analysis
- Technical measures for incident detection (Microsoft Sentinel SIEM, Fortinet NGFW)
- A documented process for reporting incidents to NÚKIB
- MFA for all remote access
- Network segmentation separating critical environments
- Backup connectivity ensuring availability during primary connection outages
- Complete auditable security architecture documentation
Why cannot NIS2 compliance be solved with documentation alone without technical implementation?
A common mistake by companies dealing with NIS2 for the first time is to focus exclusively on documentation — preparing security policies and risk analyses without changing anything in the actual technical infrastructure. NÚKIB, upon inspection, verifies compliance not only formally but also factually — a firewall without configured rules, MFA implemented for only some users, or a SIEM without active detection rules are examples of situations where documentation exists but the technical reality does not correspond. New Telekom therefore always combines consulting with technical implementation: the team of security consultants prepares documentation and process settings, while the network and security team simultaneously implements technical measures on the physical infrastructure. The result is not a binder full of papers, but a functional and auditable security architecture.
Frequently asked questions about NIS2 compliance consulting
How can I find out if my company falls under NIS2 and Act No. 264/2025 Coll.?
An obligated entity according to Act No. 264/2025 Coll. is defined by a combination of the industry in which the company operates and its size. NÚKIB has published a list of industries and entity types to which the law applies — including, among others, digital service providers, ICT product manufacturers, critical infrastructure operators, and their key suppliers. If you are unsure about your classification, New Telekom will perform an initial assessment as part of the first consultation meeting — free of charge and without obligation.
How long does a complete NIS2 compliance project take?
It depends on the initial state and the scope of measures required. For a medium-sized technology company (50–150 employees) under the lower obligations regime, plan for 8–16 weeks from the start of gap analysis to completion of implementation and documentation handover. The project described in this article took 11 weeks — the customer came with urgency due to an approaching deadline, so the project was executed with a higher intensity of parallel phases.
What exactly does New Telekom issue as the output of NIS2 consulting?
The output is the NIS2 Compliance Consulting Report — a formal document summarizing the results of the compliance assessment with Act No. 264/2025 Coll. and Decree No. 410/2025 Coll., identified gaps, implemented measures, and remaining risks. Additionally, a documentation package: risk analysis, security policy, IRP, network architecture documentation, and records of access rights review. All documentation is prepared in a format suitable for a potential NÚKIB inspection.
Does New Telekom also offer ongoing support after NIS2 project completion?
Yes. NIS2 compliance is not a one-time project — Act No. 264/2025 Coll. requires regular review of the risk analysis, updating documentation during infrastructure changes, and repeated testing of security measures. New Telekom offers an annual NIS2 retainer — ongoing support including quarterly reviews, documentation updates during changes, and assistance during potential NÚKIB inspections. This ensures the customer maintains compliance even after changes in legislation or their own infrastructure.
Conclusion
NIS2 compliance for technology companies is not a bureaucratic formality — it is a real change in the way a company manages its network infrastructure, access rights, and its ability to detect and handle cyber incidents. The project carried out by New Telekom for a medium-sized software solutions provider shows that meeting the requirements of Act No. 264/2025 Coll. is manageable within a reasonable time with the right approach — without halting operations and without needing to build an internal security team from scratch. If your company is just determining whether it falls under NIS2, or you already know the deadline is running and you are looking for a partner for assessment and implementation, contact the New Telekom expert team via the IT Security page or directly via the contact form. The initial assessment of the scope of obligations is free of charge.
This article was prepared by the expert team of New Telekom s.r.o. The customer's business name is not disclosed to protect sensitive security information. All legislation cited corresponds to the state as of April 2026.
Applicable legal regulations and standards
- Act No. 264/2025 Coll. on Cyber Security (Czech transposition of NIS2)
- Decree No. 410/2025 Coll. on Cyber Security — technical requirements for obligated entities
- EU Directive 2022/2555 (NIS2) — on measures for a high common level of cybersecurity
- ČSN ISO/IEC 27001 — Information security management system (ISMS)
- ČSN ISO/IEC 27005 — Information security risk management
- NÚKIB — National Office for Cyber and Information Security
- Fortinet FortiGate 200F — NGFW firewall with IPS, SSL/TLS inspection, and application control
- Microsoft Sentinel — cloud SIEM for centralized log management and threat detection
- Microsoft Entra ID — identity management and multifactor authentication (MFA)
- Juniper NFX250 — SD-WAN CPE with integrated firewall
- 3GPP LTE-A Pro — backup mobile connectivity (New Telekom eSIM)