NIS2 Authorized Person

Act No. 264/2025 Coll. on Cybersecurity (nZKB), effective from November 1, 2025, introduces obligations for thousands of Czech organizations. For those in the regime of lower obligations (typically companies with 50+ employees or turnover over EUR 10 million), Decree No. 410/2025 Coll. applies - and each such organization must demonstrably appoint a person responsible for cybersecurity.

This course will prepare the person responsible for all key obligations: from registration with the National Cybersecurity Agency through the implementation of security measures to incident reporting and documentation for a possible audit. The course combines an explanation of the legislative framework with practical examples and checklists directly applicable in your organization.

Basic orientation in the IT environment of your organization. Legal or technical specialization is not a requirement - the course is intended for managers and responsible persons, not IT specialists.

• For persons entrusted with cybersecurity (according to § 4 of Decree 410/2025 Coll.)
• For managers and executives of small and medium-sized enterprises in regulated sectors
• For directors and statutory representatives who want to understand their legal obligations
• For consultants and advisors accompanying clients in the implementation of NIS2

Legislative framework

• NIS2 Directive and its Czech transposition (Act No. 264/2025 Coll.)
• Two regimes of obligations: Decree 409 vs. 410 – what applies to you
• Who is a regulated entity and how to perform self-identification
• Roles and responsibilities: authorized person vs. KB manager vs. statutory body

Block 2 – Registration and appointment

• Obligation to register with NÚKIB (NÚKIB Portal, deadline 60 days)
• Appointment of an authorized person: formal requirements and documentation
• Contractual arrangements when outsourcing the function of an authorized person

Security measures 

• Overview of 13 security measures in the lower obligation regime
• Risk management: threat identification, probability × impact matrix
• Asset management and supply chain: records, evaluation, contractual clauses
• Technical measures: access, passwords, MFA, encryption, logging
• Security policies and documentation

Training and security awareness

• Legal requirements for employee training (Annex 3 and 6 of Decree 410)
• Content of training for different groups: management, users, administrators, authorized person
• How to document the training carried out

Incident reporting

• Deadlines: 24 hours / 72 hours / 30 days
• Reporting procedure via the NÚKIB Portal step by step
• Incident Response Plan: how to compile and maintain it

Audit and control of the NÚKIB

• What inspectors monitor and what documents you must have ready
• The most common findings from audits
• Action plan: how to prepare within 1 year of registration

Study materials are included in the course price. You will receive practical Pumpedu materials summarizing the key principles, tools, and methods covered during the training, so you can easily apply them in practice even after the course.

After completing the course, the participant will:

• Understand the legislative framework of NIS2 and the Czech transposition (Act 264/2025 Coll. and Decree 410/2025 Coll.)
• Know the scope of his/her duties as an authorized person in the organization
• Can set up and document basic security measures
• Know how to correctly report cyber incidents to the National Cyber ​​Security Agency within the legal deadlines
• Is prepared for an inspection by the National Cyber ​​Security Agency and can demonstrate compliance with the requirements of the law

Do I need to have a technical education?
No. The course is primarily intended for managers and authorized persons, not IT specialists. Technical terms are explained in a practical context.

What is the difference between "authorized person" and "KB manager"?
An authorized person is a role in the lower duties regime (Decree 410), KB manager is a formal qualification in the higher duties regime (Decree 409). For organizations in the lower regime, an authorized person is sufficient - this role does not have a legal requirement for certification, but completing the course is recommended practice and evidence for NÚKIB.

Will I receive a certificate recognized by NÚKIB after the course?
NÚKIB does not require certification of authorized persons. The course certificate serves as proof of training, which may be relevant during an inspection. For formally recognized certification in KB, see the Cybersecurity Manager course (NSK 18-015-T).

Can I outsource the function of an authorized person?
Yes, the law allows it. The course also covers the requirements for contractual arrangements when outsourcing.