
NÚKIB Portal: What to Fill In, Who Signs It, and Why You Should Stop Delaying

Jiří Hradský 9. 3. 2026


As of February 8, 2026, 4,825 organizations had registered on the NÚKIB Portal. That sounds like a lot – but NÚKIB also openly states that some obligated entities have still not submitted their notification, and that with every additional week of delay, the risk of administrative proceedings grows.

Why Now? The Deadline Has Passed – But Filing Late Is Still Better Than Not Filing At All

The new Cybersecurity Act has been in effect since November 1, 2025. For companies falling under the regulation, this meant one specific initial obligation: report a regulated service through the NÚKIB Portal. The deadline has already passed for many. Nevertheless – filing late is still better than not filing at all.

NÚKIB declares that its primary goal is not to punish, but to bring entities into compliance. At the same time, it openly states that the length of the delay directly affects the amount of any potential fine. The statutory ceiling is up to CZK 250 million or 2% of net global annual turnover.

If you are still figuring out how to complete the registration, what to add after registration, or what to do if you haven't managed it yet – here is a practical guide.


How to Complete Registration: 4 Steps from Login to Submission

The form itself is not complicated. The difficulties come earlier – in the internal preparation that must happen before you click anything on the Portal.

Before you start, verify three things: that you actually meet the criteria for a regulated service (NÚKIB offers its own calculator for this), which specific service you are reporting, and who will act on behalf of your organization externally.

Step 1 – Log in to the Portal. The NÚKIB Portal uses electronic identity – typically bank identity, the Mobile Key of eGovernment, or mojeID. An authorized representative, once logged in, can perform the same actions as a statutory body.

Step 2 – Verify who is acting on behalf of the organization. If the submission is not being made by the statutory officer in person, a properly authorized representative must be in place. Authorization is handled via a separate form – the output is a PDF sent via the regulated company's data mailbox to NÚKIB's data mailbox. If the statutory officer is based abroad, expect the authorization process to take some time.

Step 3 – Complete the Regulated Service Notification form. In the form, you identify the organization and the regulated service being reported. NÚKIB also allows you to submit contact and supplementary data under § 11 directly as part of this step – it is not necessary to do everything in two separate rounds if you have the data ready.

Step 4 – Submit and monitor follow-up obligations. After registration, a registration decision is issued, and from the moment of its delivery a 30-day window opens for reporting supplementary data under § 11 – unless you already filled it in at Step 3. Registration is just the beginning.


What Is Supplementary Data and Who Must Provide It?

The greatest confusion in practice comes not from the notification itself, but from filling in the supplementary data. Not because the rules are incomprehensible – but because the required data typically sits in different parts of the organization. Legal structure and the definition of regulated services are matters for the legal department, IP addresses and domains are handled by IT, and responsible persons are somewhere between IT and management. Without internal coordination, it simply cannot be done.

NÚKIB explicitly states that the form requires contact details of specific individuals for each regulated service, along with the required technical data for those services. You do not need to report anything beyond the form.

For contact persons: the point is not a formal checkbox, but a functional contact in the event of an incident or urgent communication. Do not enter a generic mailbox such as security@..., but rather the name, role, phone number, and email of a specific individual. A reasonable minimum is two people – typically someone from security or IT and someone capable of making organizational decisions.

For technical data: report public IP addresses or ranges and domains used exclusively by the organization – regardless of who owns or pays for them. Do not report non-public local ranges (10.x.x.x, 172.16–31.x.x, 192.168.x.x). For domains, state the highest-level domain directly tied to the organization, for example nukib.gov.cz. NÚKIB's goal is not to obtain a description of your entire infrastructure – but to identify data specifically relating to the regulated service.
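The filtering rule above can be applied to an asset inventory before anyone opens the form. The following is an added example, not NÚKIB's or the author's code: it assumes an IPv4-only inventory, treats only the three ranges named above as non-public, and deduplicates domains only against names present in the list. All sample values are constructed.

```python
import ipaddress

# The three non-public ranges the article says not to report.
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reportable_networks(entries):
    """Split inventory entries into (public networks, merged; skipped private ones)."""
    public, skipped = [], []
    for entry in entries:
        # strict=False accepts single hosts and host bits set in a CIDR entry.
        net = ipaddress.IPv4Network(entry.strip(), strict=False)
        if any(net.subnet_of(p) for p in NON_PUBLIC):
            skipped.append(str(net))
        elif any(net.overlaps(p) for p in NON_PUBLIC):
            # A supernet that swallows private space needs a human decision.
            raise ValueError(f"{net} mixes public and non-public space; split it first")
        else:
            public.append(net)
    # Merge adjacent or nested ranges so each block is reported once.
    merged = ipaddress.collapse_addresses(public)
    return [str(n) for n in merged], skipped


def top_level_org_domains(hostnames):
    """Keep only names that are not subdomains of another name in the list."""
    names = {h.strip().lower().rstrip(".") for h in hostnames if h.strip()}
    kept = []
    for name in sorted(names, key=lambda n: n.count(".")):
        if not any(name.endswith("." + k) for k in kept):
            kept.append(name)
    return sorted(kept)


# Constructed sample inventory (documentation ranges and example domains).
SAMPLE_IPS = ["203.0.113.0/25", "203.0.113.128/25", "10.20.0.0/16",
              "192.168.1.10", "198.51.100.7", "172.20.5.0/24"]
SAMPLE_HOSTS = ["www.example.cz", "example.cz", "vpn.mail.example.cz",
                "Example.CZ.", "example.org"]

if __name__ == "__main__":
    report, skipped = reportable_networks(SAMPLE_IPS)
    print("report:", report)
    print("do not report:", skipped)
    print("domains:", top_level_org_domains(SAMPLE_HOSTS))
```

The output is a candidate list only; whether a given address or domain is used exclusively by the organization and belongs to the regulated service is still a scoping decision.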

This is precisely where it becomes clear why having a pre-prepared impact and scope assessment is essential. Without it, determining the technical data for a regulated service is very difficult.

💡 Need an impact assessment prepared? We can do it for you – get in touch.

A Forgotten Trap: MSP/MSSP Within a Group Is Still a Regulated Service

In my experience, this is one of the most common mistakes in holding companies and international groups. A company carefully reviews its external customer-facing services, but completely overlooks the fact that a central IT or security team is providing managed services to other entities within the group.

NÚKIB is very straightforward in its supporting material for the Digital Infrastructure and Services sector. If a service is provided to another entity with its own legal personality, it constitutes the provision of a regulated service – even within a holding group. For MSSPs, it repeats this explicitly: an internal security team is not an MSSP in and of itself, but if it provides security services to other entities with separate legal personalities within the group, it does constitute a regulated service.

In plain business terms: if the parent company manages other companies in the group under different company registration numbers, that is not "just internal support." It may be a regulated MSP or MSSP model.

MSP or MSSP coverage can include, for example, central IT support, Microsoft 365 management, UEM/endpoint management, but also IAM, endpoint security, VPN/firewall management, or monitoring and incident handling. IAM in particular deserves attention – NÚKIB explicitly lists it among MSSP examples in its supporting material. If you centrally manage identities, MFA, roles, and permissions for other companies in the group, this is precisely the area I would not leave "aside for later review."


Registration Is Done – What Now? Ongoing Obligations on the Portal

The NÚKIB Portal is not a one-time entry point. It is an ongoing compliance obligation.

If you are registered but your supplementary data is missing or incomplete, correct this as soon as possible via the Regulated Service Data Reporting form. The submission can be made by the statutory body or an authorized representative.

And do not forget the rule for changes: any data that is not reference data from basic registers must be reported no later than 14 days after the change. Changed a responsible person? IP addresses updated? It belongs on the Portal within two weeks.


Summary: What to Do Right Now

If you have not yet completed registration, do two things in parallel. Prepare the regulated service notification – without further delay. And at the same time, internally open a short workshop reviewing what services you actually provide within the group and whether you might be an MSP/MSSP in areas you have not yet named as such.

🚨 The worst possible strategy is "let's wait another month, it'll sort itself out." It won't. A short delay will only turn into an unnecessarily complicated problem to explain.

NÚKIB is currently giving space for remediation. But it is also being completely open about the fact that the longer you wait, the bigger the problem becomes.
