In brief
This alert outlines a selection of newly announced legislation and court decisions reinterpreting private law.
New legislation
Cybersecurity Act makes corporate executives responsible for managing security risks
On 4 August 2025, the Cybersecurity Act was promulgated in the Collection of Laws, transposing the EU directive on measures to ensure a high common level of cybersecurity (the NIS2 Directive). This law will enter into force on 1 November 2025.
Under this law, members of corporations’ statutory bodies will be required to actively oversee the implementation of and compliance with all necessary technical and organizational measures to secure the company’s information systems and data. They cannot formally delegate this responsibility to other persons and will instead be required to personally oversee these measures.
In particular, their duties will include the following:
- Assessing whether the law applies to the business corporation and whether the business corporation provides a regulated service, which it must then report to the National Cyber and Information Security Agency.
- Ensuring that technical measures are implemented, such as access control, password management, multifactor authentication, regular security monitoring, employee training, and the development of internal security policies and documentation.
- Dedicating sufficient human and financial resources to cybersecurity.
- Reporting a cyber incident to the competent authority within 24 hours after it has occurred.
The members of the business corporation’s statutory body are responsible for complying with the obligations under the Cybersecurity Act, particularly in situations where an incident occurs and the business corporation fails to act properly. The National Cyber and Information Security Agency may impose a fine of up to CZK 20 million (approximately EUR 830,000) on a member of a business corporation’s statutory body if they seriously or repeatedly fail to comply with their obligations. Furthermore, it may prohibit them from serving as a member of the statutory body for at least six months. The court may also oblige a member of the statutory body to compensate a creditor of the business corporation if the security incident has led to the insolvency of the business corporation and it is unable to meet its obligations. Thus, obligations under the Cybersecurity Act constitute another component of the due diligence that members of statutory bodies must observe in performing their duties.
The corporation itself (without regard to the penalties imposed on a member of the statutory body) would face heavy fines of up to CZK 250 million or 2% of its worldwide turnover if it breaches its obligations.
Recent court decisions
Admissibility of a "selective distribution system" for selecting sellers of luxury goods from the perspective of restricting competition
In a case involving the plaintiff Chanel and the defendant Notino (an online e-shop operating throughout Europe), the Supreme Court concluded that it is permissible to use what is known as the selective distribution system. Through the selective distribution system, a manufacturer of luxury goods selects specific sellers of those goods for a particular territory, which is admissible if the following requirements are met:
- The characteristics of the product in question require such a distribution system to ensure the protection of the quality of the product and its proper use.
- The sellers are selected based on objective, qualitative criteria that are established uniformly for all potential sellers, are not applied discriminatorily and do not go beyond what is necessary.
The Supreme Court referred to the case law of the Court of Justice of the EU, which states that the quality of products does not only depend on their material characteristics but also their prestigious nature and image, which give them an impression of luxury. Establishing a selective distribution system can be beneficial to the reputation of the products in question and thus to the preservation of the impression of luxury that they convey.
In the Supreme Court’s view, there is no unlawful restriction of competition where Chanel has established as criteria for selecting a seller of its goods that the seller has not infringed its trademark rights in the last three years and has operated at least three physical shops capable of selling those products for at least one year. A seller cannot sell Chanel products unless it is included in Chanel’s selective distribution system or has a license to market products bearing the Chanel trademark.
(Supreme Court judgment of 30 April 2025, Case No. 23 Cdo 1504/2024).
Injury sustained by an employee at a team-building event and the employer’s obligation to compensate the employee
The Supreme Court first referred to its previous case law, according to which an injury to health suffered by an employee during a team-building activity is considered an accident at work for which the employee is entitled to compensation from the employer. Team-building usually takes the form of an employee retreat and can be defined as the intensive and deliberate building and development of the working potential of teams, with an emphasis on deepening motivation and mutual trust, improving performance and communication between members of the team, and improving team creativity.
In an April decision, the Supreme Court then expanded the definition of team-building. Now, team-building does not need to consist solely of lectures or directed employee activities, but can be more loosely focused on strengthening team cohesion and creating a functional employee unit that, through strengthened interpersonal bonds, can better compete in a competitive market environment.
(Resolution of 11 April 2025, Case No. 21 Cdo 1771/2024).