Chinese inverters in small photovoltaic systems pose a potential security threat


SOURCE: NÚKIB

On September 3, 2025, the National Cyber and Information Security Agency (NÚKIB) issued a WARNING regarding a cybersecurity threat involving the transfer of system and user data to the People’s Republic of China and the remote management of technical assets performed from the territory of the People’s Republic of China. Regulated entities under the Cybersecurity Act must address this warning.

NÚKIB inferred the security threat from:

  • the increasing share of complex technological solutions in critical sectors and services that transfer data to the PRC or are remotely managed from the PRC. The penetration of these technologies and devices into critical sectors (such as transport, energy, healthcare, public administration, and others) is growing and will continue to grow in the future. Current critical infrastructure systems are increasingly dependent on data storage and processing in cloud storage and on network connectivity that enables remote operation and updates. In practice, this means that technology providers have the ability to significantly influence the operation of critical infrastructure and/or access important data, making trust in the provider’s reliability absolutely crucial. Another risk factor is the rising number of internet-connected devices that also transfer data and are remotely controlled by their suppliers. Examples of high-risk products and services that may transfer data to the PRC or be managed from there include IP cameras, PV inverters, “smart meters,” medical technology, cloud storage, highly complex personal devices (phones, watches), connected vehicles (electric cars), large language models, and others;
  • confirmed harmful activities by actors linked to the PRC directed against our country, as well as the EU and NATO – recent examples include a cyber campaign against the Ministry of Foreign Affairs of the Czech Republic, conducted by the APT31 group associated with the Chinese intelligence service, the Ministry of State Security, since at least 2022. This campaign led the Czech government to perform a public attribution;
  • the political and legal environment of the People’s Republic of China (PRC), which, among other things, allows Chinese government authorities access to data stored in the PRC or significant interference by Chinese government authorities in the operations of private companies, or provides these government authorities with tools to compel the cooperation of private firms in the espionage activities of the People’s Republic of China.

Based on the issued warning, regulated entities under the Cybersecurity Act must take the threat into account in their risk analysis and respond to the identified risks by adopting appropriate security measures. The threat is rated as “High,” meaning that it is likely to very likely to occur. The warning does not imply an unconditional ban on the transfer of system and user data or the remote management of technical assets from the PRC; it means that this threat must be considered and a decision must be made regarding the level of risk these activities pose to a specific organization.

For the average citizen, the warning is not binding; however, the Agency generally recommends that people pay attention to cybersecurity and responsibly evaluate which products they use and with whom and what data they share through them.

The text of the warning is available here: https://nukib.gov.cz/download/uredni_deska/2025-09-03_Varovani_predavani-dat-podepsano.pdf

The methodology for it is here: https://nukib.gov.cz/download/uredni_deska/2025-09-03_metodicky-material-k-varovani-ze-dne-3-9-2025_v1.0.pdf

Analyses related to the topic of the warning can be found here: https://nukib.gov.cz/cs/infoservis/dokumenty-a-publikace/analyzy/#analyzyOZ
