NIS2 and the new Cyber Security Act: A Complete Guide for Corporate Networks in 2026

New Telekom Expert Team

The NIS2 directive and the corresponding new Cyber Security Act applicable in 2026 fundamentally change the technical and procedural requirements for corporate connectivity in the Czech Republic. The deployment of modern networking technologies, such as SD-WAN and CloudConnect, allows companies to comply with strict NÚKIB standards, ensure end-to-end encryption using AES-256, and implement a Zero Trust architecture for maximum supply chain protection.

Why is the NIS2 directive critically important for supply chains in 2026?

The European Union Directive 2022/2555 (known as NIS2) represents the most comprehensive legislative framework for cybersecurity in history. Its full enforceability through national authorities, represented in the Czech Republic by the National Cyber and Information Security Agency (NÚKIB), means an obligation in 2026 to secure not only key systems but the entire supply chain infrastructure.

Impact on suppliers in regulated sectors

Companies integrated into the critical infrastructure supply chain must provably meet security standards.
  • Affects approximately 6,000 to 10,000 companies within the Czech Republic
  • Requires the application of ISO/IEC 27001 and ISO/IEC 27002 standards to network infrastructure
  • Obligation to report cyber incidents to NÚKIB within 24 hours of detection
  • Introduces the principle of proactive protection and continuous vulnerability auditing

A paradigm shift in network security

Traditional perimeter protection through a central firewall is no longer legislatively sufficient. Security must be distributed across the entire network topology.
  • Necessity to implement micro-segmentation within local area networks (LAN)
  • Transition to a Zero Trust Network Access (ZTNA) architecture
  • Strict isolation of traffic for critical applications (e.g., SCADA / ICS systems)
  • Encryption of all data transmissions across public (Internet) and private networks (MPLS)

What specific technical requirements does the new Cyber Security Act impose on corporate networks?

The new Cyber Security Act (ZoKB), reflecting the NIS2 directive, mandates the implementation of technical countermeasures to mitigate defined risks. Organizations under higher obligation regimes must deploy cryptographic means, intrusion detection systems, and ensure redundancy of network routes for business continuity.

Cryptographic protection requirements

Data encryption in transit is the cornerstone of protection against eavesdropping (man-in-the-middle attacks).
  • Use of at least AES-256 encryption standard for all external data tunnels
  • Configuration of IPsec (Internet Protocol Security) protocols with IKEv2 key exchange
  • Elimination of obsolete hashing algorithms (MD5, SHA-1), transitioning exclusively to SHA-384 or SHA-512
  • Securing routing protocols, such as neighbor authentication in BGP and OSPF
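The four bullets above describe a baseline, and a useful first step is to check existing tunnel definitions against it rather than re-reading each one by hand. The following audit script is an added example, not New Telekom's tooling; it assumes strongSwan-style proposal strings of the form `cipher-integrity-dhgroup` (for example `aes256gcm16-prfsha384-ecp384`), and the Diffie-Hellman floor it enforces (modp2048 / ecp256) is an assumption of this example, since the list above does not name one.

```python
"""Audit IKE/IPsec tunnel proposals against the cryptographic baseline.

Added example (not New Telekom code). Proposal strings follow strongSwan
naming as an assumption. The policy encodes the requirements above:
IKEv2 only, AES-256 at minimum, SHA-384/512 only, no MD5 or SHA-1.
"""
import re
from dataclasses import dataclass

# Token patterns (assumption: strongSwan naming such as aes256gcm16, prfsha384, modp2048).
CIPHER_RE = re.compile(r"^(aes|camellia)(\d{3})(gcm\d*|ccm\d*)?$")
INTEG_RE = re.compile(r"^(prf)?(md5|sha1|sha256|sha384|sha512)(_\d+)?$")
DH_RE = re.compile(r"^(modp|ecp|curve)(\d+)$")
OBSOLETE_CIPHERS = {"des", "3des", "blowfish", "cast128", "null"}
DH_FLOOR = {"modp": 2048, "ecp": 256}  # assumption: not specified on the page


@dataclass
class Tunnel:
    name: str
    ike_version: int
    ike_proposal: str
    esp_proposal: str


def check_proposal(proposal, kind):
    """Return a list of findings for one proposal string; empty means compliant."""
    findings = []
    for tok in proposal.lower().split("-"):
        m = CIPHER_RE.match(tok)
        if m:
            if m.group(1) != "aes" or int(m.group(2)) < 256:
                findings.append(f"{kind}: cipher '{tok}' is below the AES-256 baseline")
            continue
        if tok in OBSOLETE_CIPHERS:
            findings.append(f"{kind}: obsolete cipher '{tok}'")
            continue
        m = INTEG_RE.match(tok)
        if m:
            h = m.group(2)
            if h in ("md5", "sha1"):
                findings.append(f"{kind}: obsolete hash '{tok}' (MD5/SHA-1 must be eliminated)")
            elif h == "sha256":
                findings.append(f"{kind}: '{tok}' is below the SHA-384/SHA-512 baseline")
            continue
        m = DH_RE.match(tok)
        if m:
            fam, size = m.group(1), int(m.group(2))
            if fam in DH_FLOOR and size < DH_FLOOR[fam]:
                findings.append(f"{kind}: DH group '{tok}' below assumed floor {fam}{DH_FLOOR[fam]}")
            continue
        findings.append(f"{kind}: unrecognised token '{tok}'")
    return findings


def audit_tunnel(t):
    """Combine the IKE version check with both proposal checks."""
    findings = []
    if t.ike_version != 2:
        findings.append(f"IKE: version {t.ike_version} in use; IKEv2 is required")
    findings += check_proposal(t.ike_proposal, "IKE")
    findings += check_proposal(t.esp_proposal, "ESP")
    return findings


# Constructed sample: a legacy branch tunnel next to one that meets the baseline.
LEGACY = Tunnel("branch-legacy", 1, "aes128-sha1-modp1024", "3des-md5")
COMPLIANT = Tunnel("branch", 2, "aes256gcm16-prfsha384-ecp384", "aes256gcm16-ecp384")

if __name__ == "__main__":
    for t in (LEGACY, COMPLIANT):
        f = audit_tunnel(t)
        print(t.name, "OK" if not f else "\n  " + "\n  ".join(f))
```

Running it reports six findings for the legacy tunnel (IKEv1, AES-128, SHA-1, modp1024, 3DES, MD5) and none for the compliant one. The same checker can be pointed at exported router or concentrator configurations once their proposal syntax is mapped onto these tokens.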

Monitoring and incident detection requirements

Without full visibility into network traffic, the legal obligation to detect and report incidents cannot be met.
  • Deployment of IDS/IPS (Intrusion Detection/Prevention System) on all edge devices
  • Continuous collection of network telemetry data (e.g., via NetFlow or IPFIX)
  • Centralized logging and log correlation using SIEM (Security Information and Event Management) tools
  • Automated anomaly analysis leveraging signatures provided by NÚKIB databases and CERT/CSIRT teams
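To make the detection and reporting obligations concrete, the following script runs three simple detections over NetFlow/IPFIX-style records and attaches the 24-hour NÚKIB reporting deadline to every alert it raises. It is an added example, not New Telekom's or NÚKIB's tooling: the flow records and the indicator list are constructed, the thresholds are assumptions a SOC would tune, and the record format is a simplified one of this example's own.

```python
"""Flow-telemetry detections with the statutory reporting deadline attached.

Added example (not New Telekom / NÚKIB code). Records are constructed in the
form '<ISO8601 UTC> <src> <dst> <dport> <bytes>'; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

REPORT_WINDOW = timedelta(hours=24)   # ZoKB: incident reported to NÚKIB within 24 h of detection
BEACON_MIN_FLOWS = 6                  # assumption: tuning threshold
BEACON_MIN_INTERVAL = 60.0            # assumption: seconds; faster repeats are not treated as beacons
BEACON_MAX_JITTER = 0.15              # assumption: pstdev/mean of the gaps between flows
SCAN_MIN_PORTS = 20                   # assumption: distinct ports on one target
KNOWN_BAD = {"203.0.113.66"}          # placeholder for a NÚKIB / CSIRT indicator feed


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def make_alert(kind, src, dst, detected_at):
    """Every alert carries the deadline by which it must be reported."""
    return {"kind": kind, "src": src, "dst": dst,
            "detected_at": detected_at, "report_by": detected_at + REPORT_WINDOW}


def detect(flows):
    """Run indicator, beaconing and port-scan detections per (src, dst) pair."""
    alerts = []
    stamps_by_pair = defaultdict(list)
    ports_by_pair = defaultdict(set)
    for f in flows:
        pair = (f["src"], f["dst"])
        stamps_by_pair[pair].append(f["ts"])
        ports_by_pair[pair].add(f["dport"])
    for (src, dst), stamps in stamps_by_pair.items():
        stamps.sort()
        # Indicator match: destination is on the threat feed.
        if dst in KNOWN_BAD:
            alerts.append(make_alert("c2-indicator", src, dst, stamps[0]))
        # Beaconing: enough flows at a steady, slow cadence.
        if len(stamps) >= BEACON_MIN_FLOWS:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if mean(gaps) >= BEACON_MIN_INTERVAL and pstdev(gaps) / mean(gaps) <= BEACON_MAX_JITTER:
                alerts.append(make_alert("beaconing", src, dst, stamps[-1]))
        # Port scan: one source touching many distinct ports on one host.
        if len(ports_by_pair[(src, dst)]) >= SCAN_MIN_PORTS:
            alerts.append(make_alert("port-scan", src, dst, stamps[-1]))
    return alerts


_BASE = datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc)


def _stamp(seconds):
    return (_BASE + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


SAMPLE_FLOWS = (
    # Constructed: a workstation contacting the same external address every 5 minutes.
    [f"{_stamp(300 * i)} 10.0.0.5 203.0.113.66 443 512" for i in range(8)]
    # Constructed: a sweep of 25 ports on an internal server at irregular, short gaps.
    + [f"{_stamp(1000 + i * i)} 10.0.0.9 10.0.1.20 {1 + i} 60" for i in range(25)]
    # Constructed: ordinary, irregular traffic that should raise nothing.
    + [f"{_stamp(s)} 10.0.0.7 198.51.100.10 443 {b}" for s, b in ((12, 4096), (710, 80000), (2210, 2048))]
)

if __name__ == "__main__":
    for a in detect([parse_flow(l) for l in SAMPLE_FLOWS]):
        print(f"{a['kind']:13} {a['src']} -> {a['dst']}  report by {a['report_by'].isoformat()}")
```

On the constructed data the beaconing host triggers both the indicator match and the cadence detection, the sweep triggers only the port-scan rule (its gaps are too short and too uneven to look like a beacon), and the ordinary host is silent. In a real deployment the same logic runs inside the SIEM over the collector's output, and the `report_by` field is what the incident ticket's clock should be driven from.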

How does SD-WAN technology address the security requirements of the NIS2 directive?

SD-WAN (Software-Defined Wide Area Network) technology is the most effective way in 2026 to globally implement security policies across distributed branches of an enterprise. At Newtel, we recommend this architecture as the fundamental building block for compliance with resilience and redundancy requirements.

Separation of the control and data planes

SD-WAN architecture centralizes management, effectively eliminating human error when configuring individual edge routers at branch locations.
  • A central orchestrator defines security policies for the entire network from a single point
  • Automatic rotation of IPsec encryption keys without the need for administrator intervention
  • Instant distribution of updated security rules (firewall policies) to all endpoints within seconds
  • Complete independence from the physical transport layer (fiber, 5G, CETIN infrastructure, satellite links)

SASE integration and application firewall

Combining SD-WAN with the SASE (Secure Access Service Edge) concept provides comprehensive network traffic inspection directly at the network edge.
  • Deep Packet Inspection (DPI) identifying malicious content even in encrypted traffic
  • Automatic blocking of access to botnet C&C (Command and Control) servers
  • Application of QoS (Quality of Service) policies to prioritize critical application flows (e.g., VoIP, ERP systems)
  • Traffic segmentation via VRF (Virtual Routing and Forwarding) at the individual department or subsidiary level

What is the difference between a traditional corporate network and an SD-WAN approach with SASE?

The traditional Hub-and-Spoke topology, where all branch traffic is backhauled to the headquarters via MPLS for security inspection, is inefficient in the cloud era. The SD-WAN approach brings security directly to the user.
  Evaluation Parameter           | Traditional Network (MPLS + VPN)                  | SD-WAN + SASE
  In-transit data encryption     | Often dependent on internal network trust         | Default end-to-end (AES-256)
  Zero Trust application (ZTNA)  | Difficult to implement, perimeter-based approach  | Native support, validating every session
  Link failure response          | 30–120 s outage (BGP convergence)                 | Sub-second switchover
  Capacity cost                  | High prices for dedicated leased lines            | Optimization (internet + 5G)
  Application visibility         | L3/L4 only (IP addresses, ports)                  | Full L7 visibility (SaaS)

How to implement CloudConnect for secure connection to cloud services?

Since most corporate data today resides outside of local data centers, the NIS2 directive places heavy emphasis on securing access to cloud service providers (CSPs). CloudConnect service allows the creation of a dedicated, private connection bypassing the public internet, completely eliminating the risks of DDoS attacks.

1. Topology design and selection of peering points

The first step is analyzing data flows to platforms like Microsoft Azure, Amazon Web Services (AWS), or Google Cloud Platform (GCP).
  • Identification of critical cloud workloads covered by ZoKB
  • Selection of the optimal peering center (e.g., NIX.CZ in Prague, DE-CIX in Frankfurt)
  • Allocation of guaranteed bandwidth (typically ranging from 100 Mbit/s to 10 Gbit/s)
  • Provision of physical geo-redundancy (routing fiber optic paths through separate geographical corridors)

2. Configuration of dedicated L2/L3 circuits

The interconnection is realized at the network layer with no public internet access.
  • Creation of a VLAN (Virtual Local Area Network) dedicated purely for cloud traffic
  • Configuration of a service such as Azure ExpressRoute or AWS Direct Connect
  • Deployment of MACsec (Media Access Control Security) for L2 encryption of the optical route
  • Integration into the existing enterprise BGP topology

3. Implementation of security policies and auditing

The interconnection must be continuously monitored to ensure NIS2 compliance.
  • Application of firewall policies at the interface between the corporate network and the cloud environment
  • Collection of telemetry from cloud interfaces into the enterprise SIEM system
  • Prevention of asymmetric routing and of route leaks
  • Regular penetration testing of the cloud perimeter according to NÚKIB methodology
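The three steps above end with the BGP session to the cloud provider carrying routes into the enterprise table, and the route-leak prevention in step 3 is where a concrete inbound filter belongs. The script below is an added example, not New Telekom's or any cloud provider's tooling: the address plan, the prefix lists and the ASNs (documentation and private ranges) are constructed placeholders, and the minimum prefix length and per-session prefix limit are assumptions of this example.

```python
"""Inbound route validation for a CloudConnect BGP session (step 3: route-leak prevention).

Added example, not New Telekom or cloud-provider code. All prefixes and ASNs
below are constructed placeholders.
"""
import ipaddress

ENTERPRISE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/12", "192.0.2.0/24")]       # constructed
EXPECTED_CLOUD_PREFIXES = [ipaddress.ip_network(p) for p in ("10.200.0.0/16", "198.51.100.0/24")]  # constructed
ENTERPRISE_ASN = 64496   # placeholder (documentation ASN range)
CLOUD_ASN = 64500        # placeholder for the provider's ExpressRoute / Direct Connect peer ASN
MIN_PREFIX_LEN = 16      # assumption: aggregates shorter than this are never expected from the cloud
MAX_PREFIXES = 100       # assumption: per-session maximum-prefix guard


def classify_route(prefix, as_path):
    """Return (accept, reason) for one route received over the CloudConnect session.

    as_path is ordered as in BGP: the first element is the directly connected peer.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return False, "default route from a cloud peer"
    if net.prefixlen < MIN_PREFIX_LEN:
        return False, f"aggregate shorter than /{MIN_PREFIX_LEN}"
    if any(net.overlaps(e) for e in ENTERPRISE_PREFIXES):
        return False, "overlaps enterprise space (leaked or hijacked prefix)"
    if not any(net.subnet_of(c) for c in EXPECTED_CLOUD_PREFIXES):
        return False, "outside the cloud tenant's expected ranges"
    if not as_path or as_path[0] != CLOUD_ASN:
        return False, "AS path does not start at the cloud peer"
    if ENTERPRISE_ASN in as_path:
        return False, "own ASN in path (routing loop / re-advertised route)"
    return True, "accepted"


def filter_session(routes):
    """Split received routes into accepted/rejected; emulate a maximum-prefix shutdown."""
    accepted, rejected = [], []
    for prefix, as_path in routes:
        ok, reason = classify_route(prefix, as_path)
        (accepted if ok else rejected).append((prefix, reason))
    if len(accepted) > MAX_PREFIXES:
        # Nothing from an over-limit session is installed.
        over = [(p, "prefix limit exceeded") for p, _ in accepted]
        return {"session": "shutdown", "accepted": [], "rejected": rejected + over}
    return {"session": "established", "accepted": accepted, "rejected": rejected}


SAMPLE_ROUTES = [  # constructed: (prefix, AS path as received)
    ("10.200.4.0/22", [64500]),            # legitimate cloud subnet
    ("198.51.100.0/24", [64500]),          # legitimate cloud range
    ("0.0.0.0/0", [64500]),                # default route leaking in
    ("10.0.0.0/8", [64500, 64496]),        # our own aggregate reflected back
    ("10.1.0.0/16", [64500]),              # enterprise prefix announced by the cloud side
    ("203.0.113.0/24", [64500, 65001]),    # third-party space transiting the cloud
    ("10.200.8.0/24", [65001, 64500]),     # right prefix, wrong neighbour AS
]

if __name__ == "__main__":
    result = filter_session(SAMPLE_ROUTES)
    print("session:", result["session"])
    for prefix, reason in result["accepted"] + result["rejected"]:
        print(f"  {prefix:18} {reason}")
```

Two of the seven constructed routes survive. The same rule order (default route, length, own space, expected ranges, neighbour AS, own ASN) maps directly onto a router's inbound prefix-list and AS-path filter, and rejections are worth exporting to the SIEM as part of the telemetry mentioned in the second bullet.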

How much does migrating a corporate network to an NIS2-compliant architecture cost?

The costs of network transformation depend on the number of branches, data flow volumes, and the degree of redundancy. The amounts provided represent estimates for the year 2026.
  Solution Component              | CAPEX (One-time)        | OPEX (Monthly)
  Central SD-WAN Orchestrator     | 45,000 – 120,000 CZK    | 15,000 – 35,000 CZK
  Edge Router (per branch)        | 18,000 – 55,000 CZK     | 3,000 – 8,000 CZK
  CloudConnect (1 Gbit/s line)    | 15,000 – 30,000 CZK     | 8,000 – 25,000 CZK
  SIEM / Log management           | 80,000 – 250,000 CZK    | 20,000 – 60,000 CZK
  Auditing & reporting per ZoKB   | 0 CZK (within project)  | 12,000 – 30,000 CZK

What are the real penalties for cyber security non-compliance under ZoKB?

The Cyber Security Act introduces draconian penalties capable of posing an existential threat to a company. The fines reflect GDPR principles and are applied based on the scope and impact of the security incident.

Financial and operational penalties

Heavy financial penalties are designed so that organizations cannot ignore security recommendations and simply consider the fine as an operating expense.
  • The maximum fine can reach up to 10 million EUR or 2 % of the company's total worldwide annual turnover (whichever is higher)
  • Possibility of suspending the performance of the statutory body (managing director) due to gross negligence
  • For entities in the supply chain, there is an immediate risk of exclusion from tenders and contract cancellations by regulated partners
  • NÚKIB has the authority to order the suspension of certifications necessary to conduct the organization's business

Frequently Asked Questions

Does the NIS2 directive also apply to smaller subcontractors that aren't part of the critical infrastructure?

Yes, the NIS2 directive explicitly regulates Supply Chain Security. If your company is a direct provider of IT services, components, or service support to an organization regulated by NÚKIB (e.g., energy, banking, healthcare), you must meet the corresponding security standards; otherwise, the regulated entity is not permitted to sign a contract with you.

Can an SD-WAN deployment completely replace our existing MPLS lines?

In most scenarios, yes. SD-WAN technology uses Forward Error Correction and bandwidth aggregation to turn standard broadband connections (VDSL, fiber, 5G) into highly stable links with parameters equal to or better than those of private MPLS circuits. At the same time, it natively delivers 256-bit encryption, which traditional MPLS does not inherently offer.

What is the difference between a standard IPsec tunnel and a connection via CloudConnect?

A standard IPsec tunnel is established over the public internet, meaning traffic is subject to latency fluctuations (jitter), throughput variations, and the threat of Denial of Service (DDoS) attacks. CloudConnect leverages physically dedicated lines within telecommunications carrier backbone networks to bridge an enterprise's data center directly with the cloud provider's port. The outcome is a guaranteed latency under 5 milliseconds, top-tier L2 security, and absolute isolation from the public internet.

What does the implementation of Zero Trust Architecture (ZTNA) mean in practice?

In practice, Zero Trust means removing the assumption of a trusted internal network. This means that even if an employee is physically plugged into the office LAN, they do not automatically get access to corporate servers. Every attempt to access any application (whether at a local server or in the cloud) demands immediate validation of user identity, a check on the device's security status (e.g., active antivirus), and contextual analysis.
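The answer above can be read as a policy decision function: the source network is deliberately not an input, and identity, device posture and context are evaluated on every request. The following is an added example, not New Telekom's product or any vendor's ZTNA engine; the request fields, the posture checks and the per-application policies are constructed assumptions for illustration.

```python
"""Per-request Zero Trust access decision (added example, not New Telekom code).

The request carries a 'source' field (office LAN, VPN, internet) which the
decision deliberately ignores: being plugged into the LAN grants nothing.
Fields, posture checks and policies are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool      # identity validated for this session
    groups: set             # entitlements from the identity provider
    device_managed: bool    # posture: enrolled in device management
    av_active: bool         # posture: endpoint protection running
    os_patched: bool        # posture: patch level acceptable
    source: str             # "office-lan", "vpn", "internet"; intentionally unused
    application: str
    geo: str                # context: country of the request


# Constructed per-application policy. Anything not listed is denied.
APP_POLICY = {
    "erp":   {"groups": {"finance"}, "require_managed": True},
    "scada": {"groups": {"ot-engineers"}, "require_managed": True, "geo": {"CZ"}},
    "wiki":  {"groups": {"staff"}, "require_managed": False},
}


def decide(req):
    """Return (allowed, reasons). Default deny; every failed check is recorded."""
    policy = APP_POLICY.get(req.application)
    if policy is None:
        return False, ["unknown application: default deny"]
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not req.groups & policy["groups"]:
        reasons.append("user not entitled to application")
    if policy["require_managed"] and not (req.device_managed and req.av_active and req.os_patched):
        reasons.append("device posture insufficient")
    if "geo" in policy and req.geo not in policy["geo"]:
        reasons.append("context: location not permitted")
    return (not reasons), reasons


# Constructed requests: same user and device, different identity/posture/context state.
ON_LAN_NO_MFA = AccessRequest("jan", False, {"finance", "staff"}, True, True, True, "office-lan", "erp", "CZ")
REMOTE_VERIFIED = AccessRequest("jan", True, {"finance", "staff"}, True, True, True, "internet", "erp", "CZ")
ON_LAN_NO_AV = AccessRequest("jan", True, {"finance", "staff"}, True, False, True, "office-lan", "erp", "CZ")
OT_FROM_ABROAD = AccessRequest("eva", True, {"ot-engineers"}, True, True, True, "vpn", "scada", "DE")

if __name__ == "__main__":
    for name, req in (("lan, no MFA", ON_LAN_NO_MFA), ("internet, verified", REMOTE_VERIFIED),
                      ("lan, AV off", ON_LAN_NO_AV), ("OT from abroad", OT_FROM_ABROAD)):
        allowed, reasons = decide(req)
        print(f"{name:20} -> {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The user on the office LAN without MFA is denied while the same user verified from the public internet is allowed, which is the practical meaning of removing the trusted-network assumption; the posture and geo cases show the device and context checks acting independently of identity.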

How long does an audit and network migration to a "NIS2 Compliant" state take?

A comprehensive transformation of a network infrastructure to comply with the law typically takes 3 to 6 months. The workflow includes an initial Gap Analysis against ISO/IEC 27001, Low Level Design (LLD) formulation, the actual deployment of hardware and software (SD-WAN firewalls), and a subsequent penetration test and validation run. We strongly advise against delaying migration to the last minute due to a pan-European shortage of certified network engineers.

Conclusion

Fulfilling the requisites of the NIS2 directive and the new Cyber Security Act demands that Czech suppliers abandon obsolete networking paradigms. Implementing a centrally managed infrastructure with micro-segmentation, sophisticated encryption, and analytical tools is an imperative for 2026. At New Telekom, we have been running audits, designing, and engineering highly secure enterprise networks for over 20 years. Book a consultation for your corporate network design and secure your supply chain against severe NÚKIB penalties and the loss of key customers. The article was authored by the expert team at New Telekom s.r.o. The information reflects the legislative landscape as of March 2026.

Sources and Legislation Used

  1. Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2) of 14 December 2022 on measures for a high common level of cybersecurity across the Union.
  2. National Cyber and Information Security Agency (NÚKIB) – Draft and text of the new Cyber Security Act.
  3. ČSN EN 50600 – Information technology – Data centre facilities and infrastructures.
  4. ISO/IEC 27001:2022 – Information security management systems (ISMS).
  5. ISO/IEC 27002:2022 – Information security controls.
  6. Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) – with regard to the protection of confidentiality and integrity during personal data transit.